Is your organization putting enough emphasis on password security? Passwords are one of the primary ways organizations protect information, and they should be strong enough to keep unauthorized users out of your systems.

But the unfortunate truth is that a good percentage of corporations are using weak or even compromised passwords. In order to keep our information safe, organizations need to start asking “Has my password been compromised?”

If organizations continue to avoid the real concern that passwords cause, their sensitive information could be at risk. Just last year, there were over 1,000 data breaches, and more continue to occur.

To help organizations see the weakness in their credentials, we’ve created a list of 5 reasons why your company’s passwords could be compromised.

Here is what we’ll cover:

  1. Employees are using previously compromised passwords.
  2. Passwords are shared among team members.
  3. Similar passwords are used throughout the organization. 
  4. Companies employ out-of-date password quality standards.
  5. Organizations don’t use other security measures to protect against compromised passwords.

Additionally, we’ll offer suggestions on how you can create a stronger security system for your website and user database.


1. Employees Are Using Previously Compromised Passwords

On average, 7.34% of users have accounts with a compromised password. While that might not seem like a lot, that means that around 1 in 14 corporate users have a password that has appeared on a previously breached password list.

So what exactly does this mean for your organization?

Any account using a compromised password is at far higher risk of being broken into. Using a compromised password is like handing a criminal a ring of house keys: they may not know which key opens your front door, but they can quickly try every one.

Attackers work the same way. Instead of trying every possible combination, they feed lists of previously breached passwords into their tools, either to crack stolen password hashes or to try logins directly (credential stuffing and password spraying), and stop when they get a match. A password that already appears on such a list is found in a fraction of the time an exhaustive search would take.

Depending on which accounts have compromised passwords, the hacker could gain access to sensitive information, enter your user database and obtain their credentials, or cause even more damage.  

Without knowing it, you’ve made it easier for cybercriminals to access your information.

How Organizations Can Prevent This Password Risk

If your organization wants to stop using compromised passwords, you need to educate employees on password security. While your employees may know that using a simple password like “qwerty” isn’t very secure, they might not understand the severity of using weak passwords.

Take the time to train your employees on the importance of password security and provide useful suggestions on how to create and remember strong passwords.

Not coincidentally, there is heavy overlap between the most commonly used passwords and the passwords that have already appeared in breaches.

Your organization should therefore screen every new or changed password against a list of commonly used and previously breached passwords, and reject any match. That way, users cannot create accounts with extremely weak passwords, and a password that has already leaked elsewhere is never accepted.

If organizations can stay away from these compromised passwords, they’ll be able to maintain much stronger security.
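The screening step described above can be done without ever sending the password itself to the breach-list service. The following is an added example, not code from the original article, modelled on the k-anonymity range lookup used by the Have I Been Pwned Pwned Passwords API (https://haveibeenpwned.com/API/v3#PwnedPasswords): the client sends only the first five hex characters of the password's SHA-1, receives every hash suffix in that range together with a breach count, and finishes the comparison locally. The breached-password corpus and the `fetch_range` function here are constructed stand-ins for the real service, so the block runs offline.

```python
"""
Screening a candidate password against a breached-password corpus using a
prefix (k-anonymity) range lookup. Added example, not the article's own code.

BREACHED_PASSWORDS is a constructed sample; in production the range comes
from GET https://api.pwnedpasswords.com/range/{prefix} or a local copy of
the Pwned Passwords list.
"""
import hashlib
from collections import defaultdict
from typing import Dict, Iterable, Tuple

# Constructed sample corpus: plaintext -> number of breaches it appeared in.
BREACHED_PASSWORDS: Dict[str, int] = {
    "password": 9_000_000,
    "qwerty": 4_000_000,
    "letmein": 500_000,
    "Summer2023!": 1_200,   # satisfies typical composition rules yet is breached
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, the format the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_ranges(corpus: Dict[str, int]) -> Dict[str, Dict[str, int]]:
    """Server side (simulated): group hashes by their 5-hex-char prefix -> {suffix: count}."""
    ranges: Dict[str, Dict[str, int]] = defaultdict(dict)
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        ranges[digest[:5]][digest[5:]] = count
    return ranges


# The "service": built once from the constructed corpus.
RANGES = build_ranges(BREACHED_PASSWORDS)


def fetch_range(prefix: str, ranges: Dict[str, Dict[str, int]]) -> Iterable[str]:
    """Simulated API response: one 'SUFFIX:COUNT' line per hash in the prefix range.
    Only the 5-character prefix is ever sent, so the service learns neither the
    password nor its full hash."""
    return [f"{suffix}:{count}" for suffix, count in ranges.get(prefix, {}).items()]


def breach_count(password: str, ranges: Dict[str, Dict[str, int]]) -> int:
    """Client side: hash locally, query by prefix only, then match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix, ranges):
        candidate_suffix, _, count = line.partition(":")
        if candidate_suffix == suffix:
            return int(count)
    return 0


def screen_new_password(password: str, ranges: Dict[str, Dict[str, int]]) -> Tuple[bool, str]:
    """Accept or reject a proposed password based on the breach corpus."""
    count = breach_count(password, ranges)
    if count:
        return False, f"rejected: appears in {count} known breaches"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ("Summer2023!", "correct horse battery staple"):
        print(candidate, "->", screen_new_password(candidate, RANGES)[1])
```

A real deployment swaps `fetch_range` for an HTTPS call to the range endpoint (or a lookup in a locally downloaded copy of the list) and keeps everything else as is; the privacy property comes entirely from sending the prefix rather than the password or its full hash.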


2. Passwords Are Shared Among Team Members

One of the biggest challenges and most overlooked gaps in password security is the fact that passwords are shared among team members. Many organizations don’t realize that their passwords could be compromised because of sharing credentials.

In fact, around 1 in 7 employees share their password with other users in the same network. What’s more, 54% of senior management doesn’t understand the risk of password sharing.

Password sharing is a huge internal risk for companies for several reasons. First, password sharing removes accountability and gives access to certain components of your business that not every employee needs. 

Think about it like this: if everyone uses the same login to access an account, there is no way to attribute activity to an individual, which makes it hard to establish who made a given change. As a result, when a breach does occur, your organization will have to do far more work to determine which changes were unauthorized.

Additionally, any unauthorized activity could go unchecked for a long time. Since employees are used to multiple people having access to the same account, they will automatically assume that any changes were made by a coworker not an unauthorized user.

To make matters worse, these shared passwords aren’t usually changed after an employee leaves the company.

Lastly, the method in which passwords are shared can pose a problem for your organization. Most password sharing occurs over email, increasing the risk of your accounts becoming compromised.

If a hacker gains access to an employee email account, the person can search through emails to find credentials for accounts with higher-level permissions, leaving those passwords compromised as well.

How Organizations Can Prevent This Password Risk

Of course, in some situations sharing credentials is unavoidable, but your employees should be aware of the risks of sharing their passwords. It’s important that your employees are taught not only how to prevent password sharing but also why it’s important to your company’s internal security.

In addition to training, every employee should have individual credentials to the software and tools that they need access to. Each employee’s permissions should match their role and should be adjusted accordingly if that role changes.

Least privilege also limits the damage when something goes wrong: if an account with broad permissions is hacked, the intruder inherits every one of those permissions, so keep each account's access as narrow as its role allows.

Another alternative is to eliminate the need for a shared password altogether with a passwordless login system. Credentials tied to an individual, such as a device, a hardware token or a biometric, are much harder to pass around than a password is.

To keep your information safe, make sure that you have a team (preferably your IT team) monitor any unusual or suspicious behavior. This way, you can spot any unauthorized activity early.


3. Similar Passwords Are Used Throughout the Organization

In our work and personal life, we’re often juggling several accounts and need to remember a lot of different passwords. To make memorizing passwords easier, most users opt for using the same or similar passwords for all their accounts.

Using similar passwords creates a serious risk for your organization. If a cybercriminal obtains one password, they will try that same password and its obvious variants against your other accounts (a technique known as credential stuffing), and each success opens the next door, a domino effect in which the attacker takes control of multiple accounts.

While using the same password may make logging in quicker, it actually links all your accounts together to make the hacker’s job easier.

And the more accounts that the cybercriminal gains, the more trouble they can cause by using accounts with higher-level permissions and access to sensitive information.

How Organizations Can Prevent This Password Risk

Every account that a user creates should have a different password. With separate, equally strong passwords, you’ll make it difficult for hackers to not only compromise your account but also enter multiple accounts. 

If your employees have to manage multiple accounts, you might want to consider using a password manager to make the job of memorizing your credentials easier.

Essentially, password managers store all of your accounts in one central location. These tools can also:

  • Generate passwords for new accounts.
  • Automatically enter your credentials when you land on the login page.
  • Notify you if any of your accounts have the same password.

The trade-off with password managers is that all your passwords are protected by a single master password. Employees must choose a long, unique master password that follows current password guidelines and, where the manager supports it, protect the vault with two-factor authentication as well.


4. Companies Employ Out-of-Date Password Quality Standards

Another factor that makes passwords easy to compromise is that many people still follow outdated best practices when forming their "strong" passwords.

Security experts stress that organizations need to be aware of recent changes in password security.

One of the most important changes is that organizations should stop requiring employees to change their passwords on a fixed schedule. Mandatory rotation was long treated as a tried-and-true control, on the theory that a password that keeps changing gives an attacker less time to use it.

However, the National Institute of Standards and Technology (NIST) now advises against periodic rotation: SP 800-63B recommends changing a password only when there is evidence it has been compromised. Forced changes tend to produce weaker passwords, because employees run out of ideas and fall back on simple, predictable variations (incrementing a digit, swapping the season) that are easy to create and remember.

Another practice NIST recommends dropping is composition rules, the rules that require users to include an uppercase letter, a number and a symbol.

These components do make passwords more secure, but people tend to use the same formula—capitalizing the first letter of a word, adding a couple numbers and a common symbol to the end—making the password predictable and easier to guess.

How Organizations Can Prevent This Password Risk

Organizations need to focus on what makes a strong password, instead of enforcing rules that lead to weaker credentials.

Here are a few things your employees should keep in mind when creating new passwords:

[Image: list of password do's and don'ts]

Longer passwords are preferred because they take far longer to crack. Cracking tools enumerate candidates from the shortest upward, and every additional character multiplies the number of combinations, so length does more for security than any single symbol or digit. Treat 8 characters as the floor (the NIST minimum for user-chosen passwords), not the goal: the tools attackers run today get through short passwords quickly, and a long passphrase is what pushes the work out of reach.

Additionally, using a random combination of characters will be more difficult to crack than following a formula or pattern.

Most importantly, users should avoid creating passwords with dictionary words or personal information. These components can make a password guessable without a computer program.

Using these tips can help your organization create better passwords. That way, you’ll have fewer passwords that are likely to be compromised.
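The guidance in this section can be turned into an acceptance check that a registration or password-change form runs server-side. The following is an added example, not code from the original article, aligned with NIST SP 800-63B section 5.1.1.2: enforce a minimum and maximum length, accept any printable Unicode, impose no composition rules, and instead reject passwords that are common, repetitive or sequential, or built from context an attacker can guess (the user's name, the organization). The `COMMON_PASSWORDS` set and the context words are constructed samples; `search_space_bits` illustrates the length-versus-complexity point with a simple calculation rather than a cracking-time figure.

```python
"""
NIST SP 800-63B style password acceptance check plus a search-space
calculation. Added example, not the article's own code. COMMON_PASSWORDS
is a constructed sample; a real deployment loads a large breached-password
list (e.g. a Pwned Passwords export) in its place.
"""
import math
import unicodedata
from typing import List, Optional

MIN_LENGTH = 8    # NIST minimum for user-chosen memorized secrets
MAX_LENGTH = 64   # NIST: verifiers must accept at least 64 characters

# Constructed sample of common/breached passwords (lower-cased for lookup).
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "iloveyou", "welcome1", "p@ssw0rd"}


def normalize(password: str) -> str:
    """NFKC-normalize so visually identical Unicode input compares equal (NIST 5.1.1.2)."""
    return unicodedata.normalize("NFKC", password)


def has_sequential_run(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters are all identical (aaaa) or each one
    greater than the last (1234, abcd), the patterns NIST says to reject."""
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs <= {0} or diffs <= {1}:
            return True
    return False


def evaluate_password(password: str, context_words: Optional[List[str]] = None) -> List[str]:
    """Return the reasons a password is rejected; an empty list means it is acceptable.
    No composition rules: a long, random or passphrase-style password with only
    lowercase letters passes, while 'P@ssw0rd' fails on the blocklist."""
    pw = normalize(password)
    reasons: List[str] = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        reasons.append("appears in the common/breached password list")
    if has_sequential_run(pw):
        reasons.append("contains a repeated or sequential run")
    # Context-specific words: username, organization name, product name, etc.
    for word in context_words or []:
        if len(word) >= 4 and word.lower() in lowered:
            reasons.append(f"contains context-specific word {word!r}")
    return reasons


def search_space_bits(length: int, alphabet_size: int) -> float:
    """log2 of the candidates an exhaustive attacker must try; shows why 16
    lowercase letters (~75 bits) beat 8 characters from all 95 printable
    ASCII symbols (~53 bits)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "Acme2024", "abcd1234", "correct horse battery staple"):
        print(candidate, "->", evaluate_password(candidate, ["Acme", "jsmith"]) or ["ok"])
    print("8 chars, 95 symbols:", round(search_space_bits(8, 95)), "bits")
    print("16 lowercase letters:", round(search_space_bits(16, 26)), "bits")
```

Note what the check deliberately does not do: it never demands an uppercase letter, digit or symbol, and it never forces rotation. Those rules push users toward the predictable formula described above, whereas the blocklist and length floor target the passwords attackers actually try first.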


5. Organizations Don’t Use Other Security Measures to Protect Against Compromised Passwords

Last, but certainly not least, organizations need to stop relying on passwords as their only security measure.

Even if your organization implemented every strategy mentioned above, a password could still be compromised.

Imagine that your nonprofit uses a third-party marketing tool. If that vendor suffers a breach of its user database, your accounts with that vendor can be compromised no matter how strong your passwords were.

Additionally, organizations should assume that not everyone will follow the rules, which can leave your company at risk.

As a result, passwords shouldn’t be your only defense against unauthorized users.

How Organizations Can Prevent This Password Risk

Organizations should add additional layers to their security systems to ensure that the right people are accessing the right accounts.

One way to do this is to enable two-factor authentication (2FA). Requiring a second, independent proof of identity means a stolen password on its own is no longer enough to log in.

If you’re not familiar with two-factor authentication: after users enter their username and password, they are asked for a one-time code, typically generated by an authenticator app on their phone or sent to it by text message. Codes delivered by SMS are the weakest variant, since they can be phished or intercepted through SIM swapping, so prefer an authenticator app or a hardware security key where you can.

Even if a hacker obtains your account credentials, they cannot complete the second step without that device.

Another way organizations can ease some of the challenges associated with passwords is by implementing a passwordless option.


From email authentication to tokens to biometrics, there are several ways organizations can allow users to log in without having to create a password.

For more information on these methods, check out @Pay’s in-depth article on passwordless login systems.


Now that you understand how your passwords can become compromised, it’s vital that you take the next steps to secure your accounts. Use all 5 of these tips together to implement better password security in your organization.

If you want more information on password security, keep reading these additional resources: 

Keep your sensitive information safe with our guide to password security.
