Bad News: We’re Still Using Weak Passwords

According to the report:

• Employees reuse a password an average of 13 times.
• Businesses with fewer than 1,000 employees had higher rates of password reuse than large enterprises
• Employees at media/advertising organizations had the highest rate of password reuse.

Perhaps the most important statistic to take into consideration: stolen and reused credentials are implicated in 80% of hacking-related breaches.

However, many organizations are failing to take the proper precautions to ensure their employees’ passwords – which are direct access points to confidential company information - are properly secured. Time and time again, employees are either reusing passwords, or using very weak passwords, across multiple accounts – both personally and professionally. In a recent infographic we published, we compared the top 25 worst passwords of 2018 and 2019. Many of the passwords that made the list in 2018 repeated themselves in the 2019 line-up! We see these weak passwords, and we know we shouldn’t use them – yet many do not change their behavior. What’s going on here?

Too Many Passwords, Not Enough Memory

As Last Pass’s report states, large companies (1,001 – 10,000 employees) averaged 25 passwords per employee, while small businesses (1-25 employees) averaged a whopping 85 passwords per employee. Whether the number is 25, 85, or somewhere in between, it’s clear that most people have a lengthy list of credential combinations. The use of weak passwords is frequently attributed to the apathetic employee who is too lazy to bother with an advanced combination when signing in. However, it should be noted that poor password management cannot be solely attributed to an attitude of negligence. Employees may be overwhelmed by their volume or passwords, or perhaps they may not be knowledgeable about what makes a strong password and why reusing passwords across multiple sites is a bad idea. So - what can you do to help the people at your organization practice better password hygiene?

The first step is to establish controls for minimum password length and complexity within the various systems that request credentials from your users. Some applications, such as Microsoft Windows, offer administrators a variety of password policy settings that they can configure to match their organizational security goals. For example – in addition to requiring a complex password, administrators may also choose to configure a setting that forces users to reset their passwords after a certain amount of time has passed.

That being said, businesses should make it a priority to educate employees about what a “strong password” actually entails. Microsoft has published helpful strong password creation recommendations. A good password:

• Is at least 8 characters long
• Doesn’t contain your username, real name, or company name
• Doesn’t contain a complete word
• Is significantly different from previous passwords
• Contains uppercase letters, lowercase letters, numbers, AND symbols

That last bullet point is especially important – the most secure passwords contain a variety of cases, numbers, and symbols. If you don’t want to take the arduous route of memorizing all these complex passwords, and good solution is to utilize a password manger like Last Pass. These password managers work by storing your credentials in a secure vault (accessed through an application or web browser) that you can access with one secure master password.

Added Protection in Multifactor Authentication & Conditional Access

Multifactor authentication (MFA), sometimes referred to as 2FA, strengthens the security of your login by requiring two pieces of evidence broken down into the following categories:

1. Something you know, such as a (strong!) password or PIN
2. Something you have, such as a card or authenticator app
3. Something you are, such as a fingerprint or retina scan

The word multi-factor implies that the two pieces of evidence must come from different categories. While this approach may appear to overcomplicate the login process, by leveraging Conditional Access, users are only prompted for MFA when abnormal or risky behavior is registered. For example – a user accessing their normal computer at work during standard business hours would likely not be prompted with MFA. However, if you’re attempting to access your account from a new device or abnormal location, you could be asked to enter a verification code or scan a QR code to verify your identity.

Simplicity in Single Sign-On

Single Sign-On, or SSO, is a session and user authentication service that allows a user to apply one set of credentials to access multiple applications. As Microsoft states, “With single sign-on, users sign in once with one account to access domain-joined devices, company resources, software as a service (Saas) application, and web applications.” SSO adds both security and convenience, and it’s a good option for minimizing the amount of passwords employees need to remember.

Looking Forward

Encouraging and practicing good password hygiene is critical to improving the security of your organization and its people. However, as change agents, we must acknowledge that the use of passwords to access applications is quickly becoming an antiquated practice. Increasingly, we’re seeing passwords fall to the wayside as a method of authentication, replaced with more secure, more personalized methods: behavior-monitoring wearable devices, fingerprinting, iris recognition, facial scans, and even heart rate authentication.

Are you interested in learning how passwords could become a thing of the past at your organization? Let us show you what that journey could look like. Consider engaging our Digital Transformation experts in an information and engaging 90-minute workshop. Our change agents will present strategies for how you can define what Digital Transformation means for your business, and what you can do to take full advantage of the incredible landscape in which our businesses now reside.