A hundred dollars can buy a lot of things—a new pair of shoes; dinner out; dozens of songs on iTunes.
Or a password.
For a price, 1 in 5 employees would sell the passwords they use to access their employers’ computer networks if asked, according to a 2016 survey from SailPoint Market Pulse, an identity and access management company headquartered in Austin, Texas.
About 1,000 office workers at private organizations with at least 1,000 employees across Australia, France, Germany, the Netherlands, the United Kingdom and the United States were interviewed for the survey.
Aside from moral and ethical concerns, selling passwords in the U.S. may be a violation of online privacy and identity theft laws at the federal and state level, including in California, Florida and New York.
The survey found that 44 percent of respondents would sell their passwords for less than $1,000; some would sell their passwords for less than $100. The highest percentage of people willing to sell their passwords was in the U.S., at 27 percent. The lowest percentages were in Australia and the Netherlands, at 12 percent.
“Some people may think that they’ll sell their password today and then change it tomorrow and it’s fine,” said SailPoint President and founder Kevin Cunningham. “The actual selling isn’t as much of an issue as the risk to information. When someone has those credentials, it can cause real damage—everything from identity theft to money stolen.”
HR’s Role
A password should be viewed in the same way as a lock on a door—and treated as such.
According to Karl Stallknecht, CEO of Slable, an IT solutions firm in Woodbridge, Va., password-selling can pose serious risks for employers and employees alike. An employer can experience a very serious security breach, and an employee can put his or her job in jeopardy.
“Almost any employer would most likely pursue legal action against an employee who was doing this. At that point, an employer would need to assume every password that the employee in question had access to was compromised,” he said.
Cunningham said HR departments can take a proactive approach by training employees on how to keep data safe and making sure employees are aware of the risks involved if they do sell their passwords. Employees who receive any type of phishing scam or password-buying offer should immediately report it to HR.
Password Problems
In addition to an employee willingly giving up his or her sign-on information, hackers can figure out passwords with the right technology. According to Cunningham, it can take anywhere from three hours to three days to decipher an eight-character password. Increasing the password's length by just one character raises that time frame to between eight and 275 days.
“A computer can guess 4 billion password combinations in a short amount of time,” Cunningham said. “Have a mix of alphanumeric combinations with characters, and don’t use predictable passwords like names and birth dates. Or the word ‘password.’ ”
Despite best efforts, however, passwords are never 100 percent secure, Stallknecht said. Changing passwords on a monthly basis is a good habit.
“It is important that not every employee within a company has access to every password,” he added. “Passwords should be treated on a ‘need to know’ basis whenever possible.”
Here are some password security tips:
5 Password Security Tips
- Reset passwords once a month or, at the very least, every 90 days.
- Use a combination of alphanumeric and other characters (!@*, etc.).
- Use two-factor authentication or biometric authentication methods. The latter include fingerprints and iris scans.
- Don’t use predictable passwords, such as names, personal dates or obvious words (such as “password”). Some sites accept spaces within passwords.
- Don’t use the same password for all platforms.
Rena Malai is a freelance writer based in Washington, D.C. She has worked internationally, covering a range of topics including technology, human interest issues, Capitol Hill and legal briefs. She can be reached at rena.malai@yahoo.com.