© The Author(s), under exclusive license to APress Media, LLC, part of Springer Nature 2022
S. Prentice, The Future of Workplace Fear, https://doi.org/10.1007/978-1-4842-8101-7_4

4. The Fear of Change

Steve Prentice (Toronto, ON, Canada)

Why Do I Have to Learn This?

I started my company in 1990, during the early days of another significant digital revolution, when the personal computer was being introduced to the workforce. My company helped people manage their fear of failing. Our customers were not software developers – they were not creators of code, but rather the end users, employees who had been confronted with a new set of technologies they had never asked for. Having encountered problems with using them, they had been sent by their employers to overcome their emotional and practical logjams.

Anyone who was in the workforce at this time will probably remember that office software applications were not very friendly or consistent back in the early 1990s. They were clunky, not at all intuitive, and by today’s standards, extremely slow. Few people enjoyed having to learn how to use them. They were driven by keystroke commands, such as Shift, F7, 1 for printing a document, and they introduced not only a new set of learning challenges, but also new physical demands on the body, especially the back and neck, the eyes, and the wrists.

In addition, new iterations of the applications came out regularly, often with significant changes. The designers and marketers of the apps quite appropriately saw these as improvements and upgrades, but for end users, it was yet more change – new things to learn in the middle of an already busy week. Forty years later, most users of modern office applications like Microsoft Word still do not use it beyond ten percent of its capabilities.

Dealing with the Fear of Change

My company was not about the software per se. It was about helping people understand how to deal with their fear of change. Our clients were employees, managers, even executives, working at banks, head offices, government departments, and more. Many of them were well along in their career track, and were suddenly feeling that a whole new world had opened up, one that had been expressly designed for people other than them, people who innately understood the computer ethos – people that society now called computer savvy. Their fear was palpable. They were saying, “If I screw up on this, I’ll lose my job.”

Back then, the primary question was “why?” as in, “why do I have to press all these keys to print a document? Why isn’t there simply a key on my keyboard marked print?” That was a fair question. Another fair question was, “why do I have to save this document, and what happens if I forget?”

Today’s generation of fearful employees ask similarly valid questions, like “why do I have to change my password so often?” and “what is Artificial Intelligence going to do to my job?” These may sound like tech support questions, but they’re not. They’re people-support questions. They are not asking “how do I do this?” They are asking “why do I have to do this?” That switches up the dynamic from a learning situation to a change management one.

Change is not welcome in the dark recesses of the brain, and as such there will always be resistance to it. Effective management of change requires that we follow a careful pattern that allows habits to transform in league with emotional acceptance. The speed by which that first digital transformation happened back in the 1990s showed that time is not a commodity willingly shared in large amounts, and since then, the pace has only accelerated.

Even today, the fear doesn’t always manifest itself as a fear of the technology. Sometimes it’s just about the time it takes to learn it, as in: “I have been keeping track of my tasks in a way that works for me and now you want me to join a team-based, cloud-based collaboration tool? Why should I do that when what I have works perfectly well?” The answer doesn’t even need words – just that kind of eye contact held just one second too long that says, “you’re not part of this team.”

The Curse of Passwords

People have never been good with passwords. Ever. There was once an expression that said, “your password history is an accidental diary of your life,” since so many people created passwords out of names and phrases that were important to them at a particular moment in their life. Over the years, these tended to evolve along with life’s priorities, but they left behind two legacies: a trail of memories for the owner, and a cornucopia of riches for cyberthieves.

These days, people still choose passwords that are easy to remember, such as family names, superheroes, sports teams, celebrities, or simple words and number combinations. These, naturally, are far easier to remember. Forgetting a password is a cause of fear unto itself, even if it is simply due to the anticipation of having to go and find the password from wherever it is written down, or to do one of those tedious “forgot your password?” exercises. And, of course, because they are easy to remember, the temptation is to use these same passwords on many different sites.

So when the request comes around from the IT department for employees to change their passwords, many will simply do one of the following:

(a) Choose another frequently-used and easy-to-remember password.

(b) Add a digit to the existing password, so that maryjane now becomes maryjane1.

(c) Change their password in accordance with IT’s request and then change it back as soon as no one is looking.

According to research conducted by cybersecurity firm My1Login in 2021, two thirds (62 percent) of employees share passwords between business and personal accounts. Apparently, the problem is particularly bad in the healthcare and education sectors, where the survey found especially high rates of password reuse, at 94 percent and 91 percent of employees, respectively.

The My1Login report goes on to show that 85 percent of employees who have received security training in the workplace continue to reuse their passwords. Even 78 percent of those employees who said they had received “a lot” of cybersecurity training were found to still reuse their passwords.1

Any one of a thousand research reports written before or since could have been inserted here in place of the My1Login report, and they will all say the same thing: people in general are really bad at password management. They might know what a strong password should look like, and they also might know that they shouldn’t reuse their passwords, but that doesn’t mean that they are actually obeying the rules. Something is stopping them.

This is so bad. Weak passwords make for easy pickings among cybercriminals. Words that are easy to guess, like sunshine or password, are prime targets for dictionary attacks, in which hundreds of thousands of words are sprayed at millions of password login screens in a perpetual and sufficiently successful play at beating the odds.

Cybercriminals also know the old trick of replacing certain letters with digits, like replacing the letter i in sunshine with a number 1 – sunsh1ne, or the e with a number 3 – sunshin3, or both – sunsh1n3. These, too, are easy for cybercriminals to anticipate, because they spring from the same source: human beings – people who don’t want to work hard at creating difficult passwords.
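A change-time check for the habits described above (picking a common word, appending a digit to the old password, swapping letters for digits, and changing back to an earlier password), given here as an added example that is not from the book. The word list, the substitution map, the PBKDF2 iteration count and every function name are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re

# Constructed sample list (assumption); a real deployment would load a large
# corpus of breached and commonly used passwords instead.
COMMON = {"sunshine", "password", "qwerty", "maryjane", "111111", "1234567"}

# Digit/symbol-for-letter swaps of the kind the text describes (1 for i, 3 for e).
LEET = str.maketrans({"1": "i", "3": "e", "0": "o", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

PBKDF2_ROUNDS = 100_000  # assumption for the demo; tune for production hardware


def strip_affixes(pw):
    """Drop leading/trailing digits and punctuation: 'maryjane1' -> 'maryjane'."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw)


def candidates(pw):
    """Every simplified form of pw that a guessing tool would also try."""
    low = pw.lower()
    bare = strip_affixes(low)
    return {low, low.translate(LEET), bare, bare.translate(LEET)}


def is_common(pw):
    """True if any simplified form of pw is on the common-password list."""
    return any(c in COMMON for c in candidates(pw))


def base_form(pw):
    """Lower-case, strip digit/punctuation affixes, undo letter swaps."""
    return strip_affixes(pw.lower()).translate(LEET)


def is_trivial_change(current, new):
    """Option (b): the 'new' password is the old one with a digit bolted on.

    The user types the current password in the change form, so this
    comparison needs no stored plaintext.
    """
    base = base_form(new)
    return base != "" and base == base_form(current)


def hash_for_history(pw, salt=None):
    """Salted PBKDF2 digest, so the history never holds plaintext passwords."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(new, history):
    """Option (c): the 'new' password is one the user has had before."""
    return any(
        hmac.compare_digest(hash_for_history(new, salt)[1], digest)
        for salt, digest in history
    )


def check_change(current, new, history):
    """Return the list of reasons to reject `new`; an empty list means accept."""
    reasons = []
    if len(new) < 8:
        reasons.append("shorter than 8 characters")
    if is_common(new):
        reasons.append("common password or a simple variant of one")
    if is_trivial_change(current, new):
        reasons.append("same as current password apart from added digits or swaps")
    if in_history(new, history):
        reasons.append("previously used")
    return reasons


if __name__ == "__main__":
    past = [hash_for_history("maryjane")]
    for attempt in ("maryjane1", "sunsh1n3", "maryjane", "ajR6@5Y^"):
        print(attempt, "->", check_change("maryjane", attempt, past) or "accepted")
```
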

Because of the penchant for creating and then re-using easy passwords, every data breach becomes a goldmine of potentially still-valid passwords for bad actors to use to get in elsewhere. Out there in the cyber-underworld, there are algorithms, bots, and humans who spend all day, every day, working to apply stolen passwords to any and every login they can find, and often, they succeed. There are others that troll social media sites looking for names of pets, kids, and famous people in order to guess password combinations and spray them everywhere.

When a breach happens, it is common for large companies seeking to avoid a class action lawsuit to offer token compensation in the form of two years of free credit monitoring, or two years of free ID theft protection from a well-known security software brand. But as Will Gregorian, Head of Security and Technical Operations at Rhino suggests, the smart cybercrime organizations simply hold these stolen passwords until the two-year free service expires. The number of victims who choose to renew the credit or security monitoring will be significantly lower than the overall number of stolen passwords that remain active.2 Time makes for great dividends for the criminals.

Poor password hygiene is a significant speed bump on the road to successful digital transformation. It alone has been and will continue to be responsible for billions of dollars in stolen funds, ransomware payments, shutdowns, litigation, time wasted, lives altered, and even death, and will be until the day the activity of logging into a protected space becomes human-proof.

Death? Yes. Here’s just one example: According to papers filed in June 2020, the mother of a child who was born and later died in a Mobile, Alabama hospital, accused the hospital and its owners of failing to mitigate the effects of a cyber-attack which prevented fetal heart rate monitors from operating and hence led to the child’s death. According to the Wall Street Journal, medical staff could not access the child’s vital information, since the displays had been locked by ransomware. The hospital denied any wrongdoing.3

Why are people so bad with passwords? There are two reasons, both equally important, and both based to a great degree in fear.

The Comfort of Passwords

The first is that for the average user there is comfort in using familiar passwords. There’s solace in the notion that we will not forget a password, even if it is in reality quite weak. It still feels better than creating more complex, unpredictable ones. Feeling better is more emotionally appealing than doing something that we know is safer but that is still uncomfortable to undertake.

Using familiar passwords is the digital equivalent of leaving the house key under the doormat, or the car keys in the car. Some might say it’s on par with leaving the car running while you duck into a convenience store. Being able to remember an easy password seems to be one less thing to worry about, even though, in reality it should give you one million more things to worry about.

The Fear of Effort

The second reason people are bad with passwords is the fear of effort. It takes effort to think up new passwords and write them somewhere, especially if they are unusual. If they are not easy turns of phrase, then they’re not easy at all. Maryhadalittlelamb is an easy-to-remember password, but that’s what makes it easy to guess because it’s a well-known nursery rhyme that has been heard or spoken by millions of people. These types of phrases can be sprayed at login pages, paired with hundreds of millions of stolen passwords.

The odds of a match may be slim, but they are not zero. Even a one ten-thousandth of one percent return can generate revenue that far exceeds the cost of running the criminal operation. The overall effort is minimal, making the rewards disproportionately worthwhile.

Some security experts suggest using unusual combinations of words that cannot be easily guessed, and that also incorporate unusual spellings. So a better password to replace Maryhadalittlelamb would be marymotorcyclepurplejam, since it has no logical structure as a sentence.

An even better variation would be marymortoxycleppljm since this now uses wildly misspelled words. An even better version would be mary$ortoXycl4pplj& since it adds caps, numbers, and other characters.

But who is going to be able to remember any of these variations? Even if you were to write this complex password down on paper, who has the time or patience to retrieve it and key it in correctly? That, too, requires effort, and the human limbic system does not like to spend energy on extraneous activities.

The actions of either looking up a password, or trying to remember it, or of keying it in and potentially getting the password wrong and having to start over – these all cause delay, and create frustration and generally hinder people’s momentum, even if just for a few minutes. Even just thinking about it is off-putting. Let’s face it, it’s a hassle, and no one likes a hassle. It’s enough to scare people away, back to the comfort of simpler words, like 111111 or qwerty, or 1234567, or password, all of which occupied the list of 2021’s top ten most common passwords.4

Not only is it a hassle, it’s also a consumer turn-off. Steve Zurier, quoting a study on password resets conducted by the security firm Beyond Identity, shows that “48 percent of consumers say it’s ‘very likely’ they would abandon a website when told a new password cannot be the same as their old password.” Another 25 percent would ‘likely’ abandon a shopping cart, if prompted to update their password on checkout.

The article and study quotes Jing Gu, who summarizes the problem succinctly: “The password is a revenue problem. When customers drop off, you can lose them forever.”5

The Fear of the Password Manager

Enter the password management software app – a linchpin of the digital transformation universe. It delivers the cyberhygiene vaccine – a carefully constructed defense against a virulent enemy.

Password managers replace those too-easy word combinations like youandme123 with virtually impossible-to-crack, randomly generated strings of characters, numbers, and symbols to create passwords like ajR6@5Y^. These generated passwords look like gibberish because they are – to humans at least.

There is no word hashed or hidden inside this string. With a total of 80 possible characters (from a-z, 0-9, punctuation and uppercase) available to select for each position, even an eight-character password – the smallest number of characters generally considered worthwhile for password security – results in a number of potential combinations that exceeds a quadrillion. When a 16-character password based on 80 characters is used, that becomes 80^16 or 2.81474976710656e+30, which exceeds a nonillion. Yes, that’s what the number 80^16 is called, or so people on reddit tell me.

Yes, on occasion, the media does report on a person who is able to hack 16-character passwords, but these are often proof-of-concept demonstrations that involve chaining supercomputers together and using dictionary-only words and tricks like the Markov technique that incorporates predictable variables. These exercises also involve focusing on passwords with digits and lower case characters only – no punctuation or mixed case, which makes the field of variables much smaller.

The truth is that any password can be broken given enough time and resources, and this will be an even more significant problem when quantum computing becomes more widespread. This is a fast-approaching reality that cybersecurity specialists are calling Y2Q. The goal of creating strong passwords is not to make them infinitely, eternally invincible, but to make them too much of a hassle for hackers to want to confront.

So why aren’t password managers more enthusiastically embraced by the general public? It’s not the effort of having to learn another new software app that’s the problem generally; it’s that a user must relinquish control over their passwords. Very few people have the ability to memorize eight or sixteen random characters. Only the app can do that. And the app doesn’t memorize it as a single string. It breaks it up, and inserts additional characters, called hashing, to effectively hide the password inside more randomness, until the moment the password owner logs into the password manager app and effectively “unscrambles the scrambled eggs.”

This makes complete logical sense. It makes passwords harder to crack. But for most average computer users, it makes no practical sense. This type of logic gets easily overruled by fear: the fear of giving up control over their passwords and letting a machine take them over. It’s about letting go of actual memorable words and allowing an app to generate passwords that their owners could not possibly hope to memorize. That is a huge leap of faith.

Managing the Fear of the Password Manager

One of the most efficient ways to deliver facts about password manager software would be to let people try it out, in person, safely, on a computer that is not connected to anything important – a sandbox type situation. Give them a physical hands-on experience in a place where they feel safe and where any mistakes they make are harmless.

Giving people a place to try out the password management software is an example of letting the facts meet the fear. They can press the buttons, read the menus, learn how to add passwords, update passwords, and they can ask those what if questions: “What if I break something? What if I forget how to set a password? What if the password manager loses my password?”

They can open the password manager vault and see where and how passwords are stored, and reassure themselves that the passwords are indeed real and can be accessed at any time. That is what actual training is supposed to do – transfer skills from one person to another. The practical facts paired with hands-on experience deliver a tangible familiarity which translates to logical knowledge and emotional comfort which together can defeat the fear of this particular unknown.

Put the change into context: Focus on the fact that we have been using passwords for years now and that the password manager is just one more step along the way, keeping pace with advancing threats to password safety. Bring in examples of where invisible password managers are already being used inside tap debit cards, coded car ignition key fobs, and the ability to unlock your phone through facial ID. These are all examples of computers doing the secret processing for us.

Add a little perspective: Show what’s really going on out there. Demonstrate how many active cybercrime-related activities are happening every second, using visual real-time maps of DDoS attacks. Pull up a list of well-known companies that have suffered data breaches, and lists of commonly guessed passwords. Use a website such as HaveIBeenPwned.com to perform a real-time search of a person’s email or phone number to show whether they have already been unwittingly involved in a data breach.6 Graphics, visuals, and lists of recognizable names and passwords go a long way in making the threat of cybercrime real and bringing it home. This last point is quite important, because one of the key weaknesses of cyber defense is that the threats never seem tangible enough to end users or even to companies that consider themselves too small and insignificant to matter.

The Fear of the Hot Desk

As organizations start to assess their post-pandemic digital futures, they are having to contemplate a new normal that includes an entirely new working dynamic: the hybrid workspace, in which employees work some of the time in the office and some of the time at home. This in turn is forcing companies to reassess their office layouts, since a great many desks, workstations, and cubicles will go largely unused, creating a lot of expensive empty space.

One solution to this is the idea of hot desking, also called hoteling. This refers to a simple desk-by-the-day or desk-on-demand concept, in which hybrid work employees can reserve a workspace for the day or days that they come into the office. Sounds simple enough.

But if there is one item in a workplace that presents an image of consistency and grounding for an employee of any rank, it is their own desk, whether in an office, cubicle, or open space layout. It’s a personal space, a unique location that answers the instinctive need for safety and shelter and for an unchanging, consistent environment in which to survive the workday. It becomes a person’s private territory, which they will demarcate with a photo or two and some other personal memorabilia. These items not only declare the space as theirs; more importantly, they also declare that it is not anybody else’s.

As such, there will be a great many people who will naturally resist the idea of hoteling. For them, it removes one more layer of comfort. It presents them with a sense of not knowing where their workplace home base will be from day to day. It is easy to observe, for example, how people like to choose the same non-reserved parking space each day, the same seat in a food court or cafeteria, and when attending two-day or multi-day courses or workshops, how they will return to that same seat on day two, and how finding another person occupying that space can result in annoyance or discomfort.

The comfort that comes from consistency and knowing where your safe space will be, sits on those fundamental foundation layers of Maslow’s Hierarchy. The introduction of a new variable is bound to cause discomfort among a significant proportion of any workforce.

But let’s look at other areas where progress has been made in the hoteling concept. First, there’s the hotel itself, which has been a part of human culture for centuries. No matter what price range you look at, from the most opulent to the most humble, a cardinal rule of hoteliery is that a guest’s room should appear as if no one else has ever stayed in it previously.

This is an impossibility of course, but a fundamental element of the sense of comfort that every hotel, inn, B&B, and AirBnB is supposed to deliver is that in those first few moments, as the guest enters the room for the first time, no one else’s presence remains: no belongings left behind and no impressions on the bed. Everything must deliver a clear message – this room belongs to the guest and no one else. It’s not just about the furnishings – it’s about privacy, territory, and safety.

More recently, there is the car sharing model, which continues to expand year over year, both in user bases and revenue, surpassing USD 2 billion in value in 2020 and anticipated to grow at over 20 percent year over year.7

The key success factors of the car-by-the-hour model are varied, and represent a more natural transformation than does hot desking. It has proven most popular in cities, where the cost of operating and storing a car has become prohibitive and unnecessary. Reserving, paying for, and unlocking the car have been made far easier through phone-based app technology, and additionally, there has been a significant cultural shift over the past decade with younger consumers not purchasing cars outright at the rate that their parents did.

Significantly, car sharing was not imposed upon people as a forced change; it emerged as an innovation, an improvement over a dated and cumbersome car rental industry, a digital transformation solution whose benefit statement was clear, and which consequently had a very low fear barrier.

It is easy to envision, however, how easily the fear and resistance indicators would climb if any regional or national government mandated car sharing as compulsory. This type of pushback is visible in current policy initiatives such as the phasing out of gas powered vehicles, as many countries and some U.S. states are indeed doing, or attempting to do.

But at the end of the day, a major part of the success of car sharing will be that the cars appeared pristine and “unused” for each customer.

Office workers who are facing the concept of hoteling or hot desking for the first time will have similar territorial concerns. These include a sense of a loss of privacy for themselves and for their possessions, as well as a distaste for occupying a space that has clearly been used by someone else. There will need to be a significant deployment of hotel management skills factored into an office hoteling workspace, including cleanup and hygiene skills assigned either to individual users of the desks or specialist cleaning staff, as the case may be.

Beyond the territoriality and cleanliness issues, there may also be technical challenges around connecting to the office network from a temporary desk, which might be more of a challenge than simply obtaining the office Wi-Fi code or physically connecting to the network. There will be emotional issues as well, as people deal with genuine sentimental attachments to specific desks or locations.

There will also be a sense among employees who have worked at a specific desk for many years that a hot desking floor is not a “real working environment,” and who will therefore not take it seriously, at least at first.

There are those who point out that communal desks and work areas help eliminate silos and foster creativity and the exchange of ideas. This is something that has been experimented with for decades – the open concept office environment, paired with a culture that allows and encourages impromptu discussions and the sharing of ideas. This is an ideal working scenario but one that has faced significant resistance, both consciously and unconsciously from the workforce itself.

But there are also people who believe that splitting up groups or zones of workers will do more damage to productivity and morale, since the proximity of people involved in the same department or on the same project allows for focus and collective momentum.

But these are all attitudes carved from a different era, the pre-pandemic era, in which mobile collaboration simply wasn’t a thing yet. Hoteling will likely grow to be commonplace. In the same way that commuters seldom get the same seat on the train or bus each day, or do not get to choose which elevator takes them to their floor, or which boardroom is available for a meeting, the idea of a reserved desk-for-the-day has a good chance of becoming a reality, especially for workers who use it just once or twice a week. Like the Roomba and the Alexa, it will eventually become just “a thing.”

But in the meantime, the challenge for those who manage the booking for desks in this way will be to either ensure the booking system is equitable, effectively banning someone from placing a year-long reservation on a specific desk, or to factor that very same feature in as a benefit.

Some people may not care which desk they get. They will bring their possessions in with them, lay them out on the desk, and collect them back up at the end of the day, and give it no more thought than they would to which meeting room they are able to book for a meeting.

The challenge will simply be one of managing this new approach to work. It is not a simple lift-and-shift, but will require some degree of expertise and guidance, perhaps pulled from those who have been doing it successfully: airlines, hotels, and car share companies.

The Fear of Losing Identity

Although the idea of working from home is a welcome development for certain employees, for others, not performing their job in a formalized place of work diminishes its legitimacy, and consequently, they may feel, the legitimacy of themselves as professionals.

Managers, for example, define themselves and their role largely in terms of face-to-face interactions with their team. Many managers believe it is not possible to do this when some or all of the team are working from home, out of sight for much of the time, and seemingly unavailable for a spontaneous chat. This is starting to create crises of trust and of self-confidence among managers. Studies, such as one conducted by Anita Keller, Assistant Professor of Organizational Psychology, University of Groningen (Netherlands), Sharon K. Parker, and Caroline Knight, both of Curtin University (Perth, Australia), published in the Harvard Business Review in June 2020, show that some managers have trouble trusting employees who work from home, and that they also do not believe they have the ability to manage them properly. In some cases, this is resulting in the use of close monitoring techniques, including spycams and keystroke monitors, along with the reinforcement of an “always on” culture, in which it is expected that employees be visible at their home desks, and be willing to answer messages and texts at pretty much any time of day or evening.8

For managers and non-managers alike, identity is defined by presence amongst others. Hairstyle, clothing, cubicle décor, even the food choices people make all serve to define a person, simultaneously distinguishing them as an individual, while reinforcing their connection to a group.

Individual identity is also reinforced through the act of commuting. For years, people have complained about the effort and cost involved in traveling to and from the workplace, but it has also stood as a space within the day that is – or at least can be – a moment of solitude – a patch of me time that stands comfortably between work life and home life. Despite the inconveniences of heavy traffic and crowded trains, it forms part of a self-defining ritual, an opportunity for decompression, ideally out of reach of managers, customers, and the kids. It is much easier to decompress in a train surrounded by strangers than it is at home surrounded by family.

This chapter, then, essentially contains vignettes – encapsulations of fears around software, passwords, workplace, and professional identity. They all share the common root of threatening to dislodge a person from the perceived security of their work, even if on the surface, it simply looks like they are just reacting to a new process. The antidote to this particular toxin will always be facts, knowledge, hands-on experience. In other words, bringing facts up to meet the fear. Because at the root of fear itself is the unknown.
