What is password fatigue? (and how to cure it)

You know the score. You have one password for your email. Another for that account. Another for this. Before you know it, you need to remember ten passwords. Password fatigue sets in.

The end result is a whole lot of grumbling on your part. And probably quite a few clicks on the old “forgot password” button too.

If you have this situation in your business, your IT department has probably told you about it. Handling those “password reset” emails alone will be taking up a lot of their valuable time.

So, how do you solve password fatigue?

Let’s take a look at the problem in a little more detail before swiftly pivoting to some solutions:

What is password fatigue?

Password fatigue is the feeling of exhaustion engendered by having too many different passwords to  remember for too many different accounts and services.

This is exacerbated by the sheer variety of password requirements out there these days. The need for strong passwords (which is very real and very important) regularly escalates, resulting in demands that passwords include:

  • A combination of letters and numbers
  • At least one special character or symbol
  • A combination of upper and lower-case characters
  • No words from the dictionary
  • No identifiable personal information (like your mum’s birthday)
  • Be of a certain length

This means that you or your team can think you’ve found a password or two that you can remember for multiple services (repeating passwords is also a big cybersecurity issue), only for the requirements of one service to change and trip you up.

What are the dangers of password fatigue?

It’s not just the fact that people get tired and irritated that makes password fatigue a problem. There are serious cybersecurity concerns. This is because fatigue tends to lead to bad practices, including:

  • Passwords getting simpler, making them easier for hackers to solve
  • People repeating and reusing passwords, meaning hackers only need to get one
  • One “ultimate” password getting used everywhere, with the same issue
  • Passwords getting written down (on paper or digitally), leading to further security issues

How to cure password fatigue

1) Multi-Factor Authentication (MFA)

Multi-Factor Authentication or MFA asks every user to use two or more “factors” to prove that they are who they say they are.

Now, one of these factors can be a password. It often is. But there are several different types of factors accepted by MFA:

  1. Something you know (so, yes a password or PIN)
  2. Something you are (biometric, fingerprint or facial recognition scan)
  3. Something you have (the device you’re using, for example)

This takes some of the edge off the number of passwords users need to have and remember. It’s not perfect though.

If you have multiple systems or programs secured by MFA, your team may need to access them multiple times a day (cybercriminals recognise this and spam log-in requests to irritate users into poor practice).

This means you need to implement MFA with care if you want it to fall afoul of the same fatigue issues:

  • Use conditional access policies to determine strong signals like user location and time
  • Let users sending those positive signals correctly have fewer security demands
  • Minimise the number of MFA prompts users receive
  • Make sure your authentication methods are as simple but as effective as possible
  • Give your team proper training in the why as well as the how of MFA use

2) Single Sign-On (SSO)

Single Sign-On or SSO is just what it sounds like. With SSO, your team only needs to prove who they are once to access all of your systems or applications they use every day.

Now, this sounds a whole lot like just having one password and using it repeatedly (a.k.a. the bad thing we warned about above).

It’s not though. The authentication factors used in SSO are not shared across all of the accounts you use. Instead, a secure system confirms your identity and creates a unique token that it shows to each application you log in to (so you don’t have to). This is very secure.

3) Password-less Authentication

MFA is excellent and essentially all modern businesses should implement it. But one of the factors is usually something you remember, meaning a password is still basically in there and potentially vulnerable to fatigue issues.

Password-less Authentication is designed to remove passwords altogether. Tools like Windows Hello and Microsoft Authenticator use entirely biometric and non-password data, removing all the need to remember things and thus all potential fatigue.

4) Password managers

What if there was a magical system that remembered all of your passwords and other log-in information in an ultra-secure place and filled it in for you on command?

Well, they exist and they’re called password managers. There are many on the market and several are suitable for business use.

If you are looking for a way to combat password fatigue, they can be an immediate solution.

However, it’s a mistake to overlook how vital MFA and SSO are in today’s cybersecurity landscape. If you don’t have them in place already, it’s time to take action.

Want to walk through how easy it is to implement Multi-Factor Authentication for your business?

Let’s chat. Dial A Geek has already helped over 1000 businesses in and around Bristol get the best from their tech.

Set up a cost and commitment-free chat with Chief Geek Gildas Jones today to see how we can help you get the best from yours.