Nearly Half of Workers Pilfer Former Employers’ Passwords to Access Accounts, Study Says

A striking number of companies do not deactivate a former employee’s passwords after the worker is no longer on the job, a new study by Password Manager found.

47% Use Employer's Passwords

In a study of 1,000 U.S. employees, 47% admitted to using their past employer’s passwords after leaving the company to access email, software, tools and the like, according to the study’s findings. More than one in four are currently using passwords to access paid subscriptions and only one in seven have been caught using the former company’s password credentials.

Along those lines, some 10% said they have used a past employer’s passwords to disrupt company activities.

A Closer Look at the Survey

Here are more data from the survey:

On accessing former employers’ accounts with previous passwords...

  • 47% have used at least one former password to access accounts belonging to a previous employer.
  • 58% said the passwords had not changed since they left the company, and 44% say someone currently working at the company shared the passwords with them.

Said Daniel Farber Huang, who heads privacy and cybersecurity at Password Manager:

“First and foremost, companies should make it 100 percent clear to their employees what the standards of care and conduct are, including what is authorized and unauthorized handling of intellectual property and proprietary information.”

On former employees guessing their ex-employer’s passwords...

  • 6% said they guessed passwords to gain access to their former employers’ accounts. One respondent said they used their employer’s birthday to guess.

Huang commented:

“Cost factor is certainly one meaningful issue for most companies lacking proper security. The other aspect is having a staff person to manage the ongoing process.”

On getting caught using a former employer’s password...

  • When asked if they have been caught using passwords from their former companies, only 15% said they had. One in three respondents say they were or have been using the passwords for upwards of two years.
  • It would appear that companies really aren’t keeping up on password security if respondents are able to continue using passwords for this amount of time, and the majority are not being caught.

Huang explained:

“Beyond technical solutions or safeguards, the first line of defense is managing the human element. Knowing an account password is not necessarily a problem, but making the conscious decision to use it for personal gain is a problem.”

On what former employees used passwords for...

  • 64% say they used them to access their company email.
  • 49% to access paid tools or subscriptions.
  • 44% to access company data.
  • 28% are currently using their former employers' passwords to access paid tools or subscriptions and saving $200 per month or more by doing so.

Commented Huang:

“From a technical standpoint, it’s important for companies to understand what assets they have, which includes services, information, and other types of accounts used by the company – whether by just a few employees or everyone – and classify or prioritize, starting with being highly valuable or critical and working down the list to what’s not as important to protect.”

On disrupting company activities:

  • When asked to provide their reasons for needing access to former employers’ accounts, 56% said it was for personal use.
  • 10% said that they accessed these accounts in order to disrupt company activities.

Huang said:

“Even if no legal action is ultimately taken, nobody wants to be threatened by a corporation – it’s just not worth the hassle and frustration. And I’m describing a non-malicious violation here. If someone were actually trying to inflict damage or loss on a former company, that’s a whole other scenario that can get ugly and litigious fast, and rightfully so.”

On employers’ password security:

  • When respondents were asked to rate their former employers’ password security practices, one in three said they believe it is “unsafe” (25%) or “very unsafe” (6%).
  • 47% also say that they have had a previous employer reach out to them because they forgot or lost their passwords.

Huang explained:

“Companies are responsible for the integrity of their operations and the safety and well-being of their people. Presumably if a company is handling both sides well, one would hope there would be less likelihood of creating situations where a former employee would seek to inflict intentional damage.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.