Race weekend login hygiene: what IAM teams should take from it

TL;DR: Phishing remains a major race weekend security risk, according to 1Password research, with 89% of surveyed American adults having encountered phishing and 61% having been phished, and emotional urgency the biggest scam factor. The editorial lesson is broader: rushed sign-ins, reused passwords, and shared credentials turn convenience moments into identity risk.

NHIMG editorial — based on content published by 1Password: a race-weekend security checklist for logins, sharing, and device access

By the numbers:

• 89% said they have encountered phishing, and 61% said they have been phished.
• 76% of Americans who have fallen victim to a shopping scam still reuse passwords across multiple accounts.
• 59% of suspected phishing shows up in texts and 59% in emails, while 49% appears in phone calls.

Questions worth separating out

Q: How should organisations reduce phishing risk when users are under time pressure?

A: Organisations should reduce the number of rushed trust decisions users must make.

Q: Why do reused passwords create outsized identity risk?

A: Reused passwords turn one exposed credential into access across multiple accounts.

Q: How can security teams handle shared accounts without losing control?

A: Teams should replace informal password sharing with managed access paths that can be audited, limited, and revoked.

Practitioner guidance

• Reduce urgency at sign-in points Prioritise login and recovery flows that slow users down just enough to check URLs, confirm account ownership, and avoid credential entry on suspicious pages.
• Eliminate informal credential sharing Move shared logins out of texts, screenshots, and notes, then put them behind managed vault access or delegated account controls that can be reviewed and revoked.
• Baseline the devices users actually use Test password manager sync, account recovery, and verification prompts across phones, laptops, and browsers before peak-use periods.

What's in the full article

1Password's full article covers the practical checklist this post intentionally leaves at the summary level:

• The step-by-step pre-race password inspection routine for weak, reused, and breached logins.
• The exact priority order for securing email, travel, banking, ticketing, and streaming accounts.
• The sharing workflow that keeps credentials out of texts, screenshots, and notes.
• The multi-device sign-in checklist for phone, laptop, email, tickets, and streaming access.

👉 Read 1Password's checklist for race-weekend login hygiene →

Race weekend login hygiene: what IAM teams should take from it?

Explore further

View Full Forum →  |  NHI Foundation Course →