Organizations fail at the single most important security step. According to new research from OneLogin, most IT decision makers aren’t doing enough to ensure strong passwords in their company. Maybe worse, these same IT decision makers think that all is well, when in reality, that isn’t the case.
The good news is that almost everyone surveyed, 93 percent, said guidelines are in place to address password complexity and 87 percent said they have sufficient password protection policies in place.
However, only about half of these organizations require employees to follow these guidelines and too many companies aren’t doing enough to enforce basic password requirements.
A second password survey, this one conducted by Dashlane, reinforced these findings, as it discovered that employees are doing their own thing when it comes to password creation and password policies aren’t enforced. Again, nearly half (46 percent) use personal passwords to access corporate data and networks. Chances are that these are passwords that are used for any range of sites and points of access and risk having been part of some previous data breach. And then there is the risk involved with software vulnerabilities that can reveal passwords.
If your employees are using personal passwords for work, they increase the risk of your company data becoming compromised. I agree with the point made by Emmanuel Schalit, CEO of Dashlane, quoted by The Street:
Most data breaches are because of poor password habits — using the same, weak passwords like 'admin,' as shown in the Equifax breach. Strong, unique passwords are absolutely necessary to prevent cyberattacks and using a password manager is the only way for every employee to protect company and customer data.
It’s time to admit that passwords alone aren’t a good security solution anymore. The most obvious solution to the password conundrum is multi-factor authentication (MFA), but as Alvaro Hoyos, chief information security officer with OneLogin, pointed out in a formal statement, you can’t just pick any multi-factor solution and expect that to be a quick fix:
For example, one-time passwords (OTPs) sent over SMS are easier to compromise than other authentication factors. Modern MFA ensures that OTPs cannot be stolen or re-routed to a hacker-controlled account. Several solutions also evaluate additional data attributes surrounding the MFA request to make a more informed decision on whether it’s legitimate.
For me, writing about passwords is almost like writing about phishing. These aren’t new security issues, and you’d think that we’d be further along in our awareness. Unless something comes along that truly eliminates the need for passwords, or IT departments begin to enforce password policies, or employees get smarter about password use, I expect, like phishing, I’ll continue to be covering the security problems of this authentication method for a very long time.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba