Managing user passwords is a challenge for any organization and its IT administrators. You need to ensure that such passwords are strong and complex. Yet employees want their passwords to be easy to remember and use, especially if they have to juggle multiple passwords across different applications and systems. Survey results released by OneLogin on Thursday reveal that businesses are following certain good practices of password management, but are ignoring others that could help them handle this challenge more effectively.

Among the 600 IT professionals surveyed in the US and UK, more than 90% said they have guidelines in place for password complexity. Those guidelines can include a minimum length, a mix of uppercase and lowercase characters, the use of numbers, and the use of special characters. Here, the results varied between the two countries. In the US, 72% said they require numbers, while 68% require special characters. But in the UK, only 53% require numbers, while 49% require special characters.


Further, most of the organizations reported that they are failing to take advantage of other password protection methods. Fewer than 35% check new passwords against lists of common passwords. Under 20% check passwords against rainbow tables, the precomputed tables attackers use to recover plaintext passwords from stolen password hashes. And under 25% check the strength of passwords with password complexity algorithms.
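The two screening checks the survey mentions most directly, a complexity policy and a comparison against a list of common passwords, are easy to combine in one function. The following is an added example, not code from OneLogin, TechRepublic or the survey; the denylist entries, the minimum length of 12 and the requirement for three of four character classes are assumed policy values, and the normalization step (lower-casing, stripping trailing digits and punctuation, undoing common letter-for-symbol substitutions) is a design choice so that trivial variants of a common password are still caught.

```python
"""Password screening: complexity rules plus a common-password denylist.

Added example with assumed policy values; not the survey's or any vendor's code.
"""
import string

# Constructed sample denylist. A real deployment loads a large corpus
# (for example a breached-password list) instead of this handful of entries.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome1", "admin123",
}

# Assumed policy values.
MIN_LENGTH = 12
REQUIRED_CLASSES = 3  # out of: lowercase, uppercase, digit, special

# Common symbol-for-letter substitutions to undo before the denylist lookup.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i"})


def char_classes(pw: str) -> int:
    """Count how many of the four character classes appear in pw."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def normalize(pw: str) -> str:
    """Fold trivial variants so e.g. 'P@ssw0rd1!' compares equal to 'password'."""
    s = pw.lower()
    core = s.rstrip(string.digits + string.punctuation)
    if core:  # keep all-digit entries such as "123456" from collapsing to ""
        s = core
    return s.translate(LEET)


# Denylist is normalized the same way as candidates, so both sides match.
NORMALIZED_COMMON = {normalize(p) for p in COMMON_PASSWORDS}


def check_password(pw: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if char_classes(pw) < REQUIRED_CLASSES:
        problems.append(f"fewer than {REQUIRED_CLASSES} character classes")
    if normalize(pw) in NORMALIZED_COMMON:
        problems.append("matches a common password (after normalization)")
    return problems


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1!", "Tr0ub4dor&3-Vault!", "qwerty"]:
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The normalization matters because a complexity rule alone would accept "P@ssw0rd1!" (it has all four character classes) even though it is a predictable variant of the most common password of all; the denylist check only catches it if both sides are folded the same way.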

Certain password protection methods are in use on a wider scale, though some of the results vary by country. Single sign-on is used by 42% of the respondents in the US and 53% in the UK. Multi-factor authentication is employed by 42% in the US but only 30% in the UK. More advanced authentication methods such as SAML-based sign-ons and OAuth are less commonly used but more prevalent in the UK than in the US.

The majority of respondents said that users are required to change their passwords on a regular basis. Most said password resets are done on a quarterly basis, but many said that such resets are required monthly or even more frequently. However, the effectiveness of periodic password resets is open to debate. Even Microsoft has stated that it wants to remove the password expiration requirement in Group Policy for the next version of Windows 10 and Windows Server, arguing that the strategy is counterproductive.

Another challenge faced by IT administrators and users alike is the sheer number of applications that require their own individual passwords. Among the respondents, 41% of those in the US and 31% in the UK said their organization has up to 25 apps that require individual passwords. Further, 37% in the US and 60% in the UK said they have between 26 and 100 apps that each require their own passwords.

One more challenge highlighted in the study is the time taken to deprovision employees who leave the company. Among the respondents, 28% in the US and 34% in the UK said it takes one working week to deprovision employees, while 21% in the US and 19% in the UK said it could take up to a month. The failure to deprovision employees quickly enough, thus removing their access to sensitive files and other assets, leaves organizations more vulnerable to data breaches and leaks.

“This report should be a reminder to every business leader to carefully review their password practices,” Thomas Pedersen, OneLogin’s chief technology officer and founder, said in a press release. “Cybercriminals thrive on companies overlooking fundamental security requirements, which becomes an open invitation for any hacker on the hunt for easy passwords.”

Conducted in the spring of 2019, the survey solicited responses from 300 IT professionals in the US and 300 in the United Kingdom. A full 70% of the respondents identified themselves as being the sole or main decision maker about password policy, while the rest were considered influencers in password policy decisions.