Brits are still failing badly when it comes to password hygiene according to a new study by Beyond Identity. It seems one in four just can’t help themselves when it comes to using the names of their pets, kids or favourite football team. Adding to the problem is that a further 26% admit they don’t use strong and unique passwords for work applications.
Tom Jermoluk, CEO of Beyond Identity, said: “Password security practices are redundant, but users continue to follow these and it’s easy to apportion blame onto the user when ultimately, organisations should stop encouraging password usage.
“Passwords are not a reliable way to protect against attack and it’s about time users recognised the need to move beyond passwords as they are no more than a security liability leaving users vulnerable to attack.”
What does the study tell us about password usage?
In some ways, not a lot that we didn’t already know. People still continue to make basic mistakes with passwords. Bad behaviour is just as common for personal accounts as it is for work ones. In addition to the findings above, the study revealed:
- 5% say their password has been breached more than 10 times
- 50% admit to reusing passwords
- 14% share passwords with co-workers
- 11% never change their work password
- 24% maintain the same personal passwords
Even when people do change their passwords, they still put themselves at risk in how they store them. That’s because:
- 20% write them down
- 10% store them in .doc files on their computer
- 7% change their password and then email themselves the new password
For security teams, this is a complete nightmare and one that they have tried to resolve with password policies and controls. However, those controls are pointless unless they are enforced and people take notice of them.
But are people really ignoring advice? Yes and no. According to the survey, 91% agree that the security of a password depends on its length and complexity. 87% agreed that changing passwords more regularly made apps safer. Given some of the other findings above, it seems that knowing and doing are two different things.
Given the behaviour above, it comes as a surprise that 70% believe their passwords to be very secure. Just a measly 1% said they are “not secure at all”. Interestingly, the largest companies in this survey had over 5,000 employees. As Beyond Identity point out, that means 50 employees in such a company have insecure passwords at any point in time.
Should we still be using passwords?
For companies like Beyond Identity, the answer is no. According to Jermoluk, “Passwords are fundamentally insecure. Whether users regularly change their passwords, or extend the length, it doesn’t matter if your password is 10 or 1000 characters long, or contains numerous symbols – if a user is tricked by a phishing email for example, the complexity of their password is irrelevant. As long as passwords are being used, they will be stolen and breached.”
While Jermoluk is right about the risks from passwords, it’s not so easy for all businesses to phase them out. It takes time, money and the ability to integrate a passwordless solution. Not every organisation, especially small and medium-sized businesses, can implement that.
Additionally, when it comes to using cloud-based services, the majority of apps that are available are password only. The good news is that an increasing number are offering multifactor authentication.
What is promising is that employees are prepared to try something different. The survey shows that 52% would feel more secure using biometrics. In many ways, this is a benefit inherited from mobile phones, which have had biometric security for some time. The challenge now is, can businesses add biometrics to their security solutions?
Enterprise Times: What does this mean?
Although this survey only covered 1,000 people, the results will sound familiar to a lot of people. The problem is, we keep talking about password security yet we still seem to get nowhere. However, that may be about to change.
A few weeks ago, Microsoft, Google and Apple agreed to expand their support for FIDO and its passwordless initiatives. That is good news especially as they’ve set a timeline for 2023 to make this happen. Beyond Identity is a FIDO Sponsor. It is well placed, therefore, to implement this move to a passwordless future.
However, it is one thing to phase out passwords in new software and products. It is altogether another challenge to phase them out in existing products. IT departments are unlikely to block cloud-based apps just because they still use passwords. The uproar from their user base would be too difficult to handle. At the same time, many won’t have removed their own password dependencies by 2023.
Further compounding this problem are OT and IoT devices. Many are old and cannot be updated to use non-password mechanisms. How will we handle this? At present, nobody really has an answer to that.
For now, however, we Brits really do need to get our act together and clean up our passwords. If we don’t then there is little comeback when breaches occur.