What Is Password Fatigue?
Password fatigue is a feeling of stress and/or frustration stemming from the creation and maintenance of passwords for the multitude of accounts managed by any active digital user.
How Does Password Fatigue Happen?
The average person with an active digital life manages 100 passwords. It’s impossible for someone to create that many strong, unique passwords and remember them all without some form of assistance.
Having to create a password for so many sites and accounts dilutes a user’s respect for the security practice of keeping strong, unique passwords.
Password fatigue is most often felt in the moments when you are signed out of an app and asked to key in your long-forgotten password. After a few failed attempts, you are prompted to create a new password. That feeling of discomfort and frustration in the pit of your stomach is password fatigue.
Too often, it leads users to throw up their hands and fall back on a password they’ve used elsewhere, or one that’s easier to remember. However, passwords that are easy to remember are also easy to crack.
How Threat Actors Crack Passwords
Cybercriminals rely on tools, techniques, and patience to crack user passwords. Here are a few of the ways credentials can be compromised without a threat actor ever coming into contact with you via social engineering:
Brute-Force Attack
A brute-force attack uses software to automatically sift through millions of common passwords in the hopes that the user is suffering from password fatigue and has used one of these easy, common options. Once threat actors get the password correct, the hacker can access the account, as well as any other accounts where you use the same password.
Password Spraying
Many modern accounts and websites have lockout policies which go into effect after too many failed password entries. This can help thwart traditional brute-force attacks but has led to threat actors pivoting to this technique. Rather than trying multiple passwords on a single account, in password spraying, threat actors select a single, commonly used password and try it across multiple accounts on the same application or site, trusting that at least one user will have taken the easy way out.
Credential Stuffing
A third variation on the traditional brute-force attack is credential stuffing. In this attack type, threat actors gain a single compromised credential over the dark web or through a social engineering attack, and then try it across many common sites and applications, trusting that most users reuse their passwords in an effort to avoid password fatigue.
Dangers of Password Fatigue
There is significant personal risk to using weak or repeated passwords. Threat actors can gain access to your financial accounts and drain them, take over your email and social accounts to trick your friends and family into forking over funds or sensitive information, or steal your identity outright. But the risk doesn’t end with you.
The use of stolen credentials is one of the major ways threat actors gain access to an organization’s environment. In fact, according to IBM, it is the main way, with stolen or compromised credentials serving as the top attack vector for data breaches the past two years running.
Even worse, giving in to password fatigue can cripple an organization financially, with breaches caused by stolen or compromised credentials costing an average of $4.05M USD, and taking an average of 327 days to detect and contain.
How To Defend Against Password Fatigue
Instead of allowing password fatigue to take hold, use the following tips to make sure you’re creating and maintaining strong passwords that you can actually manage.
1. Never Share Your Passwords
Password sharing has become all but ubiquitous in the age of streaming, but this is one case where sharing is not caring. Every time you share a password, you exponentially increase the risk of compromise.
2. Never Write Your Passwords Down
Too many people create strong, unique passwords that are so difficult to remember that they need to write them down. However, that defeats the entire purpose of creating a strong password in the first place. The next tip can help you create a strong password you’ll have an easier time remembering
3. Try A Passphrase Instead of a Password
A passphrase is like creating an acrostic — which is a poem or phrase built out of individual letters. If you’ve ever studied music, you likely know “every good boy deserves fudge” which is an acrostic built from the notes on the lines of the treble clef; E, G, B, D, and F. Put into password practice, you could create a passphrase that represents a lyric from a song you love.
Using the standard Moon River as an example, the first lines of the song — “Moon River, wider than a mile. I’m crossing you in style, someday” turns into the passphrase “MRWTAMICYISS.” This password would take over 150 years for a threat actor to crack simply by guessing. Adding numbers or symbols — 5 for S and @ for A, for example — increases the complexity exponentially.
4. Update Your Passwords Regularly
Many people only update their passwords after being notified of a security incident. But cybersecurity experts recommend you change your passwords — incident or not — every three to six months. With 100 or more passwords to manage, you can see how easily password fatigue can set in. This is where a password manager becomes a vital tool.
5. Use a Password Manager
These tools create and manage all your passwords for you, auto-filling them on your device once you enter your master passphrase to unlock the password vault, meaning you no longer need to remember 100 passwords, only the single master one to access your manager.
How Arctic Wolf Can Help
Arctic Wolf Managed Security Awareness® delivers fun, focused, and consistently fresh content in 3-minute sessions directly to employees’ inboxes. These microlearning lessons teach employees how to keep their credentials from becoming compromised.
Arctic Wolf Managed Risk® continuously scans the dark and gray web for compromised credentials while working to identify and remediate vulnerabilities.
