A survey of more than 1,000 professionals reveals that most think their work password practices are secure, but the reality of the situation is anything but. Nearly half admit to password sharing, more than a third say they write their passwords on paper, and one in four said they still have access to accounts from past jobs.
The survey, performed by passwordless security company Beyond Identity, suggests a need for businesses to tighten up their password policies, but with an important caveat: Making the process too laborious for employees means that they’ll just find a way to circumvent the rules. With 45.6% of respondents saying they believe strict password policies hamper productivity, there’s a good reason to ensure a balance is struck.
As mentioned above, more than a third of respondents admit to writing passwords down on paper, but they aren’t in the majority: 38.1% use a secure password manager, and 25.9% say they don’t store their passwords at all. As Beyond Identity points out, password managers are a good way to remember passwords for those concerned about forgetting, but they’re still hackable. One break-in is all an attacker needs to gain access to a person’s entire library of password-protected accounts.
As for password sharing, 41.7% said they have shared workplace passwords, with employees at midsized companies (50-249 people) most likely to do so. Of those who share passwords, 66.2% share them with coworkers, and just over a third share them with family members or significant others. The most common method of sharing passwords is via email.
Another problem stems from the number of passwords that are reused. Twenty-six percent said their personal email has the same password as their work account, 21.5% have an identical work account and bank login, and 17.8% report that their social media accounts share credentials with work.
Most employees (72.9%) said they think their employer’s password policy is “about right,” but when considered alongside the other statistics from the survey, it seems it may not be. To be clear, the problem isn’t confined to employees with bad habits compromising workplaces: It’s an IT problem as well.
If a full quarter of employees still have access to accounts from previous jobs, better termination policies need to be in place, and businesses need to be sure they’re strictly adhered to. Password management policies need to be in place and adhered to as well, and two-factor authentication should be enforced to help prevent password sharing. It’s also a good idea to implement a zero-trust security model to prevent compromised accounts from being used by an attacker to move laterally inside the network.
Lastly, organizations should consider going passwordless. Prior studies have indicated that more than half of IT professionals think passwordless logins would improve organizational security, as well as eliminate hassles for employees. As Beyond Identity’s data suggests, anything that makes work easier for employees is likely to have a net positive for organizational security as well.