The majority of data breaches leverage a weak, reused, or stolen password, according to a report from LastPass. Here are some of the ways employees are compromising their passwords.
The average business employee must keep track of 191 passwords, according to a report from password management firm LastPass, released Wednesday. That's seven times higher than the average of 27 passwords cited in standard industry reports. It's also a potential security concern, as 81% of all confirmed data breaches are due to weak, reused, or stolen passwords, a recent Verizon report found.
People often underestimate the number of accounts they actually have, according to the report. For example, marketing professionals use several advertising and analytics platforms, while systems administrators manage different services, and sales representatives set up demo accounts on a regular basis.
The average 250-employee company has 47,750 total passwords in use, the report found.
"Beyond the enterprise-level apps that are standardized across a business, individual employees have dozens more, whether they use them once a year or every day," the report stated. "When credentials are systematically collected and organized in one place, a more accurate picture emerges."
For the report, LastPass analyzed customer data from over 30,000 companies that use LastPass. The average employee starts with 20 credentials in their password vault and doubles that number after only three months, the company found. The sheer volume of accounts and passwords needed leads some 61% of people to use the same or a similar password everywhere, despite knowing that it's not a secure practice, a previous LastPass report found.
The average employee types out credentials to authenticate to their websites and apps 154 times per month, according to the report. They also share about four passwords with others, for things like branded social media accounts or server configurations.
Only 27% of businesses have enabled multi-factor authentication to protect their password vaults, LastPass found. "While we're seeing that a significant portion of businesses are investing in multi-factor authentication, it is not yet adopted widely enough to compensate for the shortcomings of passwords," the report stated.
It's likely that use of multi-factor authentication will continue to increase in the enterprise in the coming years, driven in part by employees who use those methods as consumers and bring them to the workplace, the report noted.
Some experts have predicted that passwords as we currently know them—a string of letters, numbers and special characters—will fall by the wayside in the next three to five years, in favor of more biometric solutions and even hardware keys.
In the meantime, several traditional password best practices have recently been changed. Bill Burr, who originally published password standards as we know them, recently said that many of the password rules he came up with were actually not that helpful. For example, the requirement of using a letter, a number, an uppercase letter, and a special character isn't useful, and neither is the recommendation of changing your password every 90 days.
Instead, long, easy-to-remember phrases make the best passwords, Burr said. It is also recommended that users only be required to change their password if a breach has been suspected or confirmed.
Want to use this data in your next business presentation? Feel free to copy and paste these top takeaways into your next slideshow.
- The average business employee must keep track of 191 passwords. -LastPass, 2017
- The average employee types out credentials to authenticate to their websites and apps 154 times per month. -LastPass, 2017
- Only 27% of businesses have enabled multi-factor authentication to protect their password vaults. -LastPass, 2017