Get access to the exclusive HR Resources you need to succeed in 2018!
Training, policies and tools to help HR prevent and respond to harassment claims.
Is your employee handbook keeping up with the changing world of work? With SHRM's Employee Handbook Builder get peace of mind that your handbook is up-to-date.
Develop your HR competencies and knowledge in-person in 12 U.S. cities or virtually.
#SHRM18 will expand your perspective – on your organization, on your career, and on the way you approach HR. Join us in Chicago June 17-20, 2018
Some workers are peddling their network passwords for peanuts
A hundred dollars can buy a lot of things—a new pair of shoes; dinner out; dozens of songs on iTunes.
Or a password.
For a price, 1 in 5 employees would sell the passwords they use to access their employers’ computer networks if asked, according to a 2016 survey from SailPoint Market Pulse, an identity and access management company headquartered in Austin, Texas.
About 1,000 office workers at private organizations with at least 1,000 employees across Australia, France, Germany, the Netherlands, the United Kingdom and the United States were interviewed for the survey.
Aside from moral and ethical concerns, selling passwords in the U.S. may be a violation of online privacy and identity theft laws at the federal and state level, including in California, Florida and New York.
The survey found that 44 percent of respondents would sell their passwords for less than $1,000; some would sell their passwords for less than $100. The highest percentage of people willing to sell their passwords was in the U.S., at 27 percent. The lowest percentages were in Australia and the Netherlands, at 12 percent.
“Some people may think that they’ll sell their password today and then change it tomorrow and it’s fine,” said SailPoint President and founder Kevin Cunningham. “The actual selling isn’t as much of an issue as the risk to information. When someone has those credentials, it can cause real damage—everything from identity theft to money stolen.”
A password should be viewed in the same way as a lock on a door—and treated as such.
According to Karl Stallknecht, CEO of Slable, an IT solutions firm in Woodbridge, Va., password-selling can pose serious risks for employers and employees alike. An employer can experience a very serious security breach, and an employee can put his or her job in jeopardy.
“Almost any employer would most likely pursue legal action against an employee who was doing this. At that point, an employer would need to assume every password that the employee in question had access to was compromised,” he said.
Cunningham says HR departments can take a proactive approach by training employees on how to keep data safe and making sure employees are aware of the risks involved if they do sell their passwords. Employees who receive any type of phishing scam or password-buying offer should immediately report it to HR.
In addition to an employee willingly giving up his or her sign-on information, hackers can figure out passwords with the right technology. According to Cunningham, it can take anywhere from three hours to three days to decipher an eight-character password. Increasing the password by just one character raises that time frame to between eight and 275 days.
“A computer can guess 4 billion password combinations in a short amount of time,” Cunningham says. “Have a mix of alphanumeric combinations with characters, and don’t use predictable passwords like names and birth dates. Or the word ‘password.’ ”
Despite best efforts, however, passwords are never 100 percent secure, Stallknecht said. Changing passwords on a monthly basis is a good habit.
“It is important that not every employee within a company has access to every password,” he added. “Passwords should be treated on a ‘need to know’ basis whenever possible.”
Here are some password security tips:
5 Password Security Tips
Rena Malai is a freelance writer based in Washington, D.C. She has worked internationally, covering a range of topics including technology, human interest issues, Capitol Hill and legal briefs. She can be reached at firstname.lastname@example.org.
You have successfully saved this page as a bookmark.
Please confirm that you want to proceed with deleting bookmark.
You have successfully removed bookmark.
Please log in as a SHRM member before saving bookmarks.
Your session has expired. Please log in again before saving bookmarks.
Please purchase a SHRM membership before saving bookmarks.
An error has occurred
Recommended for you
Join SHRM's exclusive peer-to-peer social network
SHRM’s HR Vendor Directory contains over 3,200 companies