LastPass has released The Password Exposé report, highlighting the challenges of using passwords in the workplace.
According to the report, the standard approach to password security in the workplace has failed, and businesses aren’t responding to that failure quick enough.
“For most people, the fear of forgetting a password far outweighs the seemingly remote risk of getting hacked,” the group said.
According to its data – from analysing an anonymised data from over 30,000 companies – 91% of employees understand that there is great risk involved with reusing passwords, yet 61% continue to reuse passwords anyway.
“Whether passwords are old, weak, reused, or compromised – password mismanagement is the leading cause of breaches. With over 4.2 billion credentials leaked in 2016 alone, attackers can easily use stolen passwords to access a corporate network and steal data,” the group said.
“Just one reused password can compromise an entire organization.”
LastPass said that passwords are a core part of an employee’s daily workflow, and it was time to look past assumptions and face the fact. To that end, it provided “8 truths” about employee passwords that companies need to know:
1. Passwords are everyone’s problem
LastPass estimates that the average 250-employee company will have around 47,750 passwords used across the entire organisation.
That creates 47,750 possible entry points into the company’s systems – and no one can know the strength of each one.
“The numbers don’t lie – passwords are out of control,” it said.
2. Employees are overwhelmed by passwords
According to LastPass’ data, the average employee has to keep track of around 191 passwords. Industry standards point to a lower number (27), but the group said that people tend to underestimate the number of accounts they have online.
Marketers have passwords for a large number of analytics platforms, admins gave passwords for each server they manage etc.
This is not including the personal accounts each employee has.
3. Passwords are a compounding problem
While employees start off with around 20 passwords stored up in their vaults, this doubles within three months, LastPass said.
This has led to 61% of people using the same or similar password across the net.
“Employees are drowning in passwords right now. And it’s a problem that continues to worsen in the course of their day-to-day work,” it said.
4. Employees are constantly logging in
On average, an employee must type out credentials to authenticate to their websites and apps 154 times a month.
Pushing the data further, LastPass said that the average employee spends 36 minutes a month just typing in passwords – not including recovery processes which eats away even more time.
“Employees are suffering from password-related inefficiencies, which translate directly to a company’s bottom line.”
5. Approved or not, password sharing is common
On average, an employee shares about 4 items with others, according to LastPass’ data.
Common security advice is to keep passwords private – in the workplace, though, sharing of credentials and other sensitive data is also an essential part of getting the job done.
From branded social media accounts managed by marketing to server configurations managed by IT, employees from all departments need to share passwords.
6. It’s a blurry line between personal and business passwords
There is increasingly a crossover between personal and business applications from big companies (Google, Dropbox, etc), which is blurring the lines between business and personal use.
Employees may be storing business-related information in personal accounts and vice versa, LastPass said.
7. Single sign-on (SSO) is not a one-stop solution for passwords
While many enterprise-grade apps are SSO ready, LastPass’ data shows that over 50% of the most popular websites and services in use do not have out-of-the-box support for SSO.
Either IT teams need to pick up the burden of configuring and deploying these services, or, more likely, employees are left to manage those credentials on their own.
By sacrificing that control and visibility, IT is again leaving those entry points vulnerable to poor password hygiene and employee misuse.
8. Not enough businesses are using multi-factor authentication
Only 26.5% of businesses have enabled multi-factor authentication to protect their password vaults – though the trend is growing.
However, multi-factor authentication doesn’t solve all of your password security challenges, LastPass said.
Unless multi-factor authentication is enabled for every single login in use across the organization (including all 191 in use by the average employee), passwords are often still a low-barrier, high-value target for attackers looking to find a way in.
According to LastPass, companies need to build a better framework for password visibility and control. This includes:
- Randomising every password for every account.
- Rotating passwords when appropriate.
- Applying role-based permissions to passwords.
- Achieving proper oversight and accountability for shared credentials.
- Adding protection with multi-factor authentication wherever possible.
- Decommissioning employee credentials after they leave or change roles.