Passwords – symbols of disempowering organisation cultures

Congratulations must go to the humble password for adding unnecessary cost into our businesses, making our systems less secure and contributing to the disengagement of millions of employees. Passwords are indeed symbols of, and actual contributors to, disempowerment within our organisations.

A bit harsh? I don’t think so. For me, passwords have become one of the many symbols of overly-bureaucratic, risk-averse, best-practice-obsessed organisations.

Systems passwords have gone through a series of progressive upgrades over the last few years. This seems to have been driven by what the folks in IT refer to as “security best practice”.

Apparently, it has been “agreed”, somewhere, by someone, that left to our own devices, passwords we generate of our own volition are unfit for purpose and must now contain letters, numbers, non-alphanumeric characters and must not be recognisable words. Oh, and just to keep us on our toes, they must be changed every 30 days and we cannot use the last half-dozen or so passwords in succession. With some organisations having multiple systems, requiring different login details and associated passwords, the generation and commitment to memory of passwords is becoming a very big ask.

This steady creep towards ever-more complicated passwords has had two obvious consequences and one major, but less obvious one.

The first obvious consequence is increased costs. Organisations must be getting increased calls into their IT help-desks to cope with the number of password reset requests. Given some organisations require an authorising email from a second, and sometimes third, employee, this process takes up the time of three or four people. Given most roles rely on access to systems, waiting for the new password also means lost productivity for the organisation.

I’d love to see some statistics showing how much is being spent in IT functions on password reset requests and how much productive time is lost because of the insistence on more complicated passwords. I’d also like to see the statistics on how many times systems have been accessed by unauthorised persons and what financial losses occurred due to inadequate passwords. Is there a business case to be made here? I’d be surprised if there was.

Don’t get me wrong. I am all for secure systems. I take the protection of proprietary and customer data very seriously. But there is a tipping point beyond which more complex passwords result in costs that outweigh any incremental security benefits.

This leads to the second obvious consequence of more onerous password rules. This is that our systems are now actually less secure. Passwords are now almost impossible to remember, especially if you have more than one system to access. The result? Employees are writing them down.

Faced with calling the IT helpline and wasting valuable time on a regular basis, people are resorting to writing down passwords in the back of diaries, on sticky notes in their desk drawer or on till receipts tucked into their wallets and purses.

The irony of this system security “best practice” is that the more secure we make our passwords, the less secure we make our systems. Hackers don’t need to try and guess passwords. They simply need to look through desk-drawers or in the back of notebooks. They’ll find what they are looking for.

So, what about the less obvious but major consequence I spoke about and that is referenced in the title of this post? Why are these password rules disempowering and how do they contribute to disengagement?

Quite simply, rules are disempowering. Telling someone what to do, as opposed to allowing them to figure it out for themselves, is, by definition, to not empower them. When this rule-making takes us beyond the tipping point I have already referred to, then we get eyebrow-raising, shoulder-shrugging resignation as employees see the obvious consequences of these rules but feel powerless to do anything about them.

This is where engagement begins to be eroded. This is where the middle ground of sensible guidelines becomes the “stuck on stupid” and where engaged employees start to feel the tightening grip of bureaucracy and the parent-child relationship that typifies so many employer-employee relationships.

