Workplace Password Habits Leave Organisations Vulnerable to Cyber Attacks

Keeper surveyed over 1,000 employees in various industries regarding their password-related behavior – the results were alarming.

A Few Highlights


Save passwords on sticky notes


Save passwords in unprotected, plain-text documents


Share passwords by text message and email

Read the full report below to learn about these password-related security issues and how to protect your organisation against the most common cyber attack vector.

Poor password hygiene in the workplace was a threat to organisational cybersecurity even before the COVID-19 pandemic. When COVID-19 forced organisations worldwide to rapidly deploy and secure remote workforces, teams began connecting to organisational resources remotely, in environments that their employers did not control, many times using their own devices.

Respondents to the Ponemon Institute’s Cybersecurity in the Remote Work Era: A Global Risk Report, commissioned by Keeper Security in 2020, expressed grave concerns over password security in their organisations:

  • 60% of respondents said their organisations experienced a cyber attack in the past 12 months.
  • Over 50% of these attacks involved stolen credentials.
  • The theft of IT assets caused $5 million or more in damages for 25% of businesses.

The pandemic pushed organisations to rapidly deploy a host of new technologies to keep remote employees connected, collaborating, and working. From Zoom to Google Workspace to Slack, employees had to sign up for yet more online accounts — and keep track of yet more passwords.

Keeper wondered how much password security had changed since companies moved to remote work environments. Were remote employees following simple best practices to secure their passwords, or were they falling prey to “password fatigue” and engaging in bad habits that lead to significant cybersecurity risks? This is why Keeper, in partnership with Pollfish, conducted the Workplace Password Malpractice Survey.

While Ponemon surveyed organisational leaders, we decided to go straight to employees for this survey, and we queried 1,000 full-time workers in the United States about their password habits. The survey was completed in February 2021, and consisted of only individuals who used passwords to log into work-related online accounts

Following are the most important findings from the survey. The full data can also be viewed here.

Finding 1: U.S. employees are tracking & storing their login credentials insecurely

Our survey found that U.S. employees are not following best practices when storing and tracking their work-related passwords, presenting major cybersecurity risks for their employers

  • Over half of respondents (57%) admit to writing down work-related online passwords on “sticky notes”, and two-thirds (67%) admit to having lost these notes. In addition to leaving sensitive corporate information in full view of anyone else living in or visiting their home, this harms organisational efficiency. Lost sticky notes mean lost passwords, which result in help desk tickets to reset said passwords.
  • 62% of respondents store login credentials in a notebook or journal, and the overwhelming majority (82%) say that they keep these notebooks next to or close to their work devices, where they can be accessed by anyone else who lives in or is visiting their home.

Using a pen and paper to keep track of passwords has become even more problematic in the remote work world. Most workers (66%) say that they’re more likely to write down work-related passwords when working from home than they are while working in the office.

Even when using digital methods to track and store their passwords, U.S. employees are engaging in poor password security practices.

  • Nearly half of respondents (49%) save work-related passwords in a document in the cloud.
  • Just over half (51%) say that they currently save these passwords in a document saved on their computer.
  • 55% save work-related passwords on their phone.

Storing passwords in unencrypted files is extremely risky. All a cybercriminal needs to do is breach the cloud storage, computer, or mobile device and they can access all of the employee’s passwords.

Finding 2: U.S. employees are creating weak, easily guessed passwords

A strong, random password consists of a random string of uppercase and lowercase letters, numerals, and special characters. However, many respondents admitted to using passwords that contain personal details, which cybercriminals can easily find on social media channels.

  • Over one-third (37%) of respondents have used their employer’s name in a work-related password.
  • Over one-third (34%) have used their significant other’s name or birthday.
  • Nearly one-third (31%) have used their child’s name or birthday.

Password re-usage between personal and work-related accounts has become a big cybersecurity risk for companies, with 44% of respondents admitting to reusing passwords across personal and work-related accounts and 53% admitting to keeping password-protected personal accounts on their work devices.

Finding 3: U.S. employees are sharing work-related passwords with unauthorised parties

Many U.S. employees are not exercising care regarding whom they share their work-related passwords with. This puts organisations at risk of being breached should these passwords wind up in the hands of someone who is careless or who has malicious intentions.

  • Over the past year, 14% of respondents have shared their work-related passwords with their significant other or spouse.
  • 11% of respondents have shared work-related passwords with another family member.

Even absent a data breach, an employer could be found out of compliance and assessed very large penalties if it is discovered that unauthorised parties have viewed compliance-protected data.

Finding 4: U.S. employers are not doing their part to ensure that passwords are being shared securely and/or only with authorised parties

Our survey found that shared passwords in the workplace are common.

  • Nearly half of respondents (46%) report that their company shares passwords for accounts that are used by multiple people.
  • Over one-third (34%) have shared work-related passwords with colleagues on the same team.
  • Nearly one-third (32%) have shared work-related passwords with their managers.
  • 19% have shared their passwords with their executive team.

The best thing to do is to give every user a unique password for every work-related account or application, which can be practically done by utilising the use of an Enterprise Password Management (EPM) platform. Password-sharing in the workplace is safe if the passwords are shared securely, and if passwords are shared only with unauthorised parties.

Our survey results indicate that many U.S. employers are not exercising risk mitigation strategies to help ensure safe password-sharing.

  • The majority of respondents (62%) report sharing a work-related password over text message or email, which could be intercepted by cybercriminals in transit.
  • Nearly a third of respondents (32%) admit to accessing an online account belonging to a previous employer, which indicates that many employers are not disabling accounts when employees leave the company.


Adopting and implementing an enterprise password management platform such as Keeper Enterprise would cure the password malpractice uncovered in this survey. Keeper’s zero-knowledge password encryption and zero-trust framework provides advanced password management, secure sharing, and other security capabilities.

IT administrators and leaders gain complete visibility and control into employee password practices, including:

  • Exclusive, proprietary zero-knowledge security model and zero-trust framework system; all data in transit and at rest is encrypted; it cannot be viewed by Keeper Security employees or any outside party.
  • Rapid deployment on all devices, with no upfront equipment or installation costs.
  • Personalised onboarding and 24/7 support and training from a dedicated support specialist.
  • Support for RBAC, 2FA, auditing, event reporting, and multiple compliance standards, including HIPAA, DPA, FINRA, and GDPR.
  • Provision secure shared folders, subfolders, and passwords for teams.
  • Single Sign-On (SAML 2.0) authentication
  • Enable offline vault access when SSO is not available.
  • Dynamically provision vaults through SCIM.
  • Configure for High Availability (HA).
  • Advanced two-factor/multi-factor authentication.
  • Active Directory and LDP sync.
  • SCIM and Microsoft Entra ID (Azure AD) provisioning.
  • Developer APIs for password rotation and backend integration.

Additional Helpful Resources

Free Dark Web Scan

Free Dark Web Scan

The Dark Web contains over 15 billion stolen login credentials. Discover if your organisation’s passwords have been stolen in a data breach by scanning your email for free.

Get results instantly.

Keeper Business – Protect Your Employees & Their Families

Keeper Business – Protect Your Employees & Their Families

Keeper helps protect your company from employee password malpractice with our enterprise password management (EPM) platform.

Enforce minimum password strength requirements and see who is using weak or reused passwords with the Admin Console.

Plus, each business user gets a free family account so that they can protect their own personal logins as well.

7 Things Your Employees Should Do to Keep Company Data Safe

7 Things Your Employees Should Do to Keep Company Data Safe

While passwords are one of the most important barriers to keeping companies secure, we know there are other things employees can do to help.

Take a look at this infographic with 7 items you should include in your training program that will help improve cybersecurity.

English (UK) Call Us