Stopping Ex-Employees From Logging In: A Practical Playbook For Employers

A survey of 1,200 currently employed U.S. adults who have access to company passwords found that 40 percent admit to using login credentials from a previous employer, and 15 percent say they are still doing so.

Among those accessing old accounts, 53 percent do it to avoid paying for tools or services, with some reporting savings of more than $300 per month.

The survey indicates that security lapses at former employers often enable this behavior. Three out of five respondents said they could still log in because the password had not been changed after they left; 28 percent gained access because a current employee shared the password; and 20 percent were able to guess it.

The findings also show that 27 percent of workers share their current employer's passwords with someone outside the company, primarily to get help with work or to help others save money.

Only a minority of those reusing old credentials have been detected, and 10 percent say they have used former employers' logins for more than four years. Some respondents reported being contacted by previous employers who had forgotten passwords, and 17 percent said a former employer had reached out for this reason.

Source: https://finance.yahoo.com/news/passwordmanager-com-survey-finds-nearly-163400217.html

Commentary

Reused credentials from previous employers create a quiet but significant risk for organizations. When accounts remain active after separation, organizations face the possibility of data theft, unauthorized use of licensed services, manipulation or deletion of records, and even deliberate disruption by disgruntled former staff.

The problem is compounded when current employees share passwords, when organizations rely on shared accounts, and when passwords are simple enough to be guessed.

To prevent these losses, employers should implement disciplined offboarding procedures that immediately disable directory, email, VPN, cloud, and application accounts when an employee leaves, and confirm those logins no longer work.

Access should be role-based so that revoking a role automatically removes all associated permissions. Multi-factor authentication should be enforced across critical systems to make reused passwords alone insufficient for access.

Regular access reviews help identify dormant accounts or privileges left behind by past reorganizations. Password managers and unique credentials reduce the temptation to share or recycle passwords across users and systems.
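One way to run the offboarding check and access review described above, as an added example that is not part of the survey or the original commentary: a script that reconciles an HR separation list against an account export. The field names, finding labels, 90-day dormancy threshold and sample records are assumptions constructed for illustration.

```python
from datetime import date

# Constructed sample data: HR separation dates and a merged account export.
SEPARATED = {"jdoe": date(2025, 3, 14), "asmith": date(2025, 6, 2)}
ACCOUNTS = [
    {"system": "directory", "login": "jdoe", "users": ["jdoe"], "enabled": False,
     "pw_changed": date(2024, 11, 1), "last_login": date(2025, 3, 13)},
    {"system": "vpn", "login": "asmith", "users": ["asmith"], "enabled": True,
     "pw_changed": date(2025, 1, 10), "last_login": date(2025, 7, 20)},
    {"system": "design-saas", "login": "team@corp.example",
     "users": ["jdoe", "mlee"], "enabled": True,
     "pw_changed": date(2024, 9, 5), "last_login": date(2025, 8, 1)},
    {"system": "crm", "login": "mlee", "users": ["mlee"], "enabled": True,
     "pw_changed": date(2025, 5, 1), "last_login": date(2025, 1, 15)},
]

def review(accounts, separated, today, dormant_days=90):
    """Return sorted (system, login, finding) tuples for enabled accounts."""
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue  # already disabled: nothing to log in to
        key = (a["system"], a["login"])
        left = [separated[u] for u in a["users"] if u in separated]
        if left and len(left) == len(a["users"]):
            # Everyone who held this account has left, yet it still works.
            findings.append(key + ("ENABLED_AFTER_SEPARATION",))
            if a["last_login"] > max(left):
                findings.append(key + ("LOGIN_AFTER_SEPARATION",))
        elif left and a["pw_changed"] <= max(left):
            # Shared account: a leaver still knows the current password
            # (a same-day change is treated as not rotated, to be safe).
            findings.append(key + ("SHARED_PASSWORD_NOT_ROTATED",))
        if (today - a["last_login"]).days > dormant_days:
            findings.append(key + ("DORMANT",))  # unused privilege left behind
    return sorted(findings)

if __name__ == "__main__":
    for system, login, finding in review(ACCOUNTS, SEPARATED, date(2025, 8, 15)):
        print(f"{finding:30} {system:12} {login}")
```

The shared-account finding corresponds to the most common lapse in the survey, a password that was not changed after the employee left.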

Finally, acceptable-use policies and recurring security awareness training should make clear that sharing credentials or using old ones after departure is prohibited. Explain why these practices put data and jobs at risk, and encourage staff to report suspected misuse promptly.
