
The Cost of Password Lockouts

One of the most common tasks IT service and help desks carry out is resetting user passwords.

Unfortunately, despite being an easy task, it is both tedious for IT staff and surprisingly costly to a company. Passwords remain the core authentication method for many businesses, so this issue deserves priority.

Why are account lockouts and password resets so common? 

  1. From a user perspective, passwords are easy to make and even easier to forget. Character requirements make password reuse a tempting habit for everyone—so much so that the majority of people engage in it. Choosing a root password and then making small changes to it to satisfy requirements means that users often can’t remember their specific combination for a login, so they either get locked out of their own account by guessing too many times, or they ask for a reset on their own.
  2. From a business perspective—despite the updated guidelines from NIST—periodic password resets are still common practice. Password age is the length of time a user may keep a password, and it can be capped in Active Directory. Forcing a reset once the password is deemed “too old” is still a requirement in some industries. However, periodic resets have been shown to backfire on a company’s security, often leading employees to pick weaker, easier-to-remember passwords. Alternatively, the looming deadline of a forced change leads to procrastination, and then to an account lockout if the employee has not acted in time.
  3. Password lockouts and resets are also common simply by statistical likelihood. Most users have around 100 individual passwords across a variety of personal and professional accounts and devices. Moments of forgetfulness are not just likely; even with a good password manager, there will be typos and mistakes.

What are the costs of password resets? 

  1. Dollars per reset 

While a simple password reset seems like a trivial matter, the costs are high. Several studies have shown that upwards of half of all service desk calls are related to password resets, and each of these calls costs money—sometimes upwards of $70 for a single reset. This is a combination of IT staff time, resources, and: 

  2. Lost productivity

Each time a user takes time to reset a password—a process which might involve stalling out on a project, calling a help desk, waiting on hold, waiting for a reset, choosing a new password, and then logging back in—they are on the company’s dollar and not being productive in any measurable way. In fact, Forrester’s researchers found that employees spend an average of eleven hours a year trying to remember their passwords and getting them reset. Scale those lost hours across a company of hundreds or thousands of people, and you are at literally millions of dollars of lost revenue.

  3. Loss of carts for e-commerce

While not every company uses e-commerce, the ones that do have noticed sharp effects when a password reset leads to an abandoned high-value cart. Any friction at the point of purchase—whether creating a password for the first time, or resetting one because the user forgot it—dramatically increases the likelihood that the purchase won’t be made at all.

What can companies do to reduce lockouts and costs? 

It’s no secret that passwords are a massive security concern for organizations of all sizes. 

Before a password can be changed for an end user, their identity needs to be verified, because a reset is also an opportunity for an attacker to take over the account. Businesses must remain on high alert for social engineering tactics and use a secondary channel to confirm the user’s identity. Staff often walk through security questions or ask for other authentication codes to double-check that the caller is in fact the owner of the account.

Verizon’s 2022 DBIR found that compromised credentials play a role in almost 90% of data breaches. Breaches, ransomware, and phishing attacks can have massive repercussions for companies, from reputational damage and lost revenue all the way to financial ruin.

Better password security and hygiene are among the fastest ways to reduce the number of resets that need to occur per employee per year.

Following NIST password guidelines can be a good starting place: 

  1. Eliminate forced resets 
  2. Scan for compromised credentials 
  3. Employ MFA whenever possible 
  4. Get rid of arbitrary complexity requirements
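As an added illustration of points 2 and 4 (not code from the original article), the following Python verifier accepts or rejects a candidate password the way NIST SP 800-63B describes: a length floor and ceiling, a breached-password blocklist compared by SHA-1 digest, and context-specific and repetitive-string checks, with no upper/lower/digit/symbol composition rules and no expiry. The breached list here is a small constructed stand-in for a real downloaded corpus; the function names are the example's own.

```python
"""NIST SP 800-63B-style password verifier (illustrative example)."""
import hashlib
import unicodedata

# Constructed sample standing in for a real breached-password corpus, stored as
# uppercase hex SHA-1 digests (the format breach corpora are commonly shipped in).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "Password1", "Summer2023!", "qwerty123")
}

MIN_LEN = 8   # NIST minimum for a user-chosen memorized secret
MAX_LEN = 64  # verifier must accept at least 64 characters


def has_trivial_repetition(pw: str) -> bool:
    """Flag strings such as 'aaaaaaaa' or '12345678' (repeated or sequential)."""
    if len(set(pw)) <= 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def evaluate_password(candidate: str, context_words=(), breached=BREACHED_SHA1):
    """Return (accepted, reasons). Deliberately no composition rules: length,
    blocklist, context words and repetition are the only criteria."""
    reasons = []
    # NFKC-normalise so visually identical Unicode input hashes identically
    # and spaces and symbols are allowed as typed.
    pw = unicodedata.normalize("NFKC", candidate)
    if len(pw) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    if digest in breached:
        reasons.append("appears in breached-password corpus")
    lowered = pw.lower()
    for word in context_words:  # e.g. company name, username, service name
        if len(word) >= 4 and word.lower() in lowered:
            reasons.append(f"contains context-specific word {word!r}")
    if has_trivial_repetition(pw):
        reasons.append("repetitive or sequential characters")
    return (not reasons, reasons)


if __name__ == "__main__":
    for pw in ("Summer2023!", "12345678", "correct horse battery staple"):
        print(pw, "->", evaluate_password(pw, context_words=("Acme",)))
```

In production the digest comparison would be made against a full corpus (or a k-anonymity range lookup) rather than the four constructed entries above, and the check would run at password-set time as well as on a periodic credential scan.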

Read more about password hygiene for your company here, and get started on decreasing the costs of password lockouts and resets.