Despite high-profile breaches continuing to make headlines, weak passwords remain an issue for enterprises worldwide, leading to breaches and other security issues. An average of 19% of enterprise professionals use poor quality passwords or shared passwords that make their accounts "easily compromised," according to a new report from security firm Preempt.
Some 7% of enterprise users use an "extremely weak" password that has appeared on lists of previous password breaches—think using the word "password" or "123456." Meanwhile, about 13% of business professionals use passwords that they share with other users and teams, and between different accounts.
Further, businesses with a high percentage of compromised passwords also had a high percentage of shared passwords, the report found, pointing to company-wide issues enforcing security standards.
This number may seem low compared to another recent Preempt report that found 35% of LinkedIn users—more than 63 million people—employ common passwords, or reuse passwords, putting them at risk for cyber attacks.
"A possible explanation is that Microsoft password length and complexity requirements force users to avoid some of the weakest passwords," wrote Yaron Ziner, a senior researcher at Preempt and the author of the report. "For example, the 25 most common passwords in the LinkedIn password dataset will not comply with basic password complexity requirements (we should note that even complex passwords can be weak if they are on a password list)."
Preempt collected password statistics from a mix of small, medium, and large organizations representing several countries.
Another factor impacting security measures was the size of the company: The larger the organization, the more secure its employees' passwords tended to be, the report found. About 2% of large organizations had weak passwords, compared with nearly 20% of medium-sized businesses and 37% of small enterprises.
"This is not surprising," Ziner wrote. "It is safe to assume that large organizations have a dedicated security team that is in charge of IT security, educates users and sets strict password complexity requirements."
US-based companies tended to have better password quality than non-US organizations by a large margin, Preempt found: While about 13% of US enterprises overall used weak passwords, 25% of non-US companies did. Awareness of potential cyber attacks and credit theft tends to be greater in the US than in other nations, the report noted, possibly accounting for this difference.
These numbers should remind all organizations to inform employees about practicing password hygiene, including creating passwords that are more than 10 characters, that avoid common ULSD (uppercase, lowercase, symbol, digit) patterns, and that are changed frequently, as the earlier Preempt report about LinkedIn recommended.
"Enterprises must assume that there is always going to be one employee that may compromise the organization online," Ajit Sancheti, CEO and co-founder of Preempt, previously told TechRepublic. "Unfortunately, no amount of education can prevent this, so it is important to focus attention and resources on defense."
Sancheti recommended that enterprises do the following:
1. Instruct employees to not reuse passwords, ever.
2. Remind employees to not click on links in emails, unless they are sure they know the sender. They should also not go to any banking or financial site through an emailed link.
3. Enforce penalties for unsafe or irresponsible actions while using a work device.
4. Offer continuous education on cyber hygiene.
Alison DeNisco Rayome has nothing to disclose. She does not hold investments in the technology companies she covers.
Alison DeNisco Rayome is a Staff Writer for TechRepublic. She covers CXO, cybersecurity, and the convergence of tech and the workplace.