Serg Nvns - Fotolia

Ponemon study: Poor password practices remain rampant

More than two-thirds of employees share passwords with colleagues, research reveals. Experts sound off on what's fueling poor password practices and how to solve the problem.

Despite the increasing concern regarding online privacy and the growing number of security breaches, poor password practices continue to prevail in the enterprise.

According to a new survey from the Ponemon Institute, 69% of respondents admitted to sharing passwords with their colleagues to access accounts and 51% said they reuse an average of five passwords across their business and/or personal accounts. The "2019 State of Password and Authentication Security Behaviors Report" also revealed 55% of respondents said they don't use any form of two-factor authentication at work.

The research, sponsored by authentication vendor Yubico, surveyed 1,761 IT and IT security practitioners in the United States, United Kingdom, Germany and France. The key takeaway from the report, according to Yubico's chief solutions officer Jerrod Chong, is that poor password practices is an industry-wide problem and companies should work together toward finding areas of improvement, Chong said.

"We need to treat the password problem like a sales problem," Chong said. "If we treat it as a commodity that needs to be changed out, then I can tell you all the marketers will put their brains into it."

Francis Dinha, CEO at cybersecurity vendor OpenVPN in Pleasanton, Calif., said the study also shows that users will consistently prioritize convenience over security. "Keeping track of a wide variety of hard-to-remember passwords might be the secure thing to do, but it certainly isn't convenient, and therefore it's often neglected."

While phishing attacks are rampant -- with majority of respondents saying they have fallen victim to such attacks -- 57% of those who have experienced a phishing attack have not changed their password behaviors, the report found.

Keeping track of a wide variety of hard-to-remember passwords might be the secure thing to do, but it certainly isn't convenient, and therefore it's often neglected.
Francis DinhaCEO, OpenVPN

A single phishing email can prove to be detrimental to any organization or individual, said Ben Brown, product specialist at SiteLock, a website security provider based in Scottsdale, Ariz.

These types of poor password practices reinforces that businesses need to implement more aggressive security approaches such as mandatory security training for employees, Brown said in an email interview.

"It is one of the most simple and efficient ways to establish a human firewall within any organization. In fact, many companies are beginning to take this one step further by actively phishing their employees, then delivering additional training to those who click on the phishing link," he said.

The path to stronger authentication

Chong believes companies should support open standards like Web Authentication to help enable a secure authentication method for end users.

In April last year, FIDO Alliance and the World Wide Web Consortium announced a new password-free protocol for the web called Web Authentication (WebAuthn).

"WebAuthn is part of what we call FIDO2; FIDO2 is comprised of WebAuthn and a spec called Client to Authenticator Protocol (CTAP)," said Andrew Shikiar, chief marketing officer at FIDO Alliance. "WebAuthn is an API that websites can use to enable FIDO's approach for user authentication; CTAP is the corresponding protocol from FIDO that allows external authenticators to communicate back to the server or service."

CTAP builds on the prior work in U2F that was popularized by Yubico and others. It also introduces a new use case where the authenticator is not just a security key, but also, for example, "your handset, which can serve as an authenticator to your desktop," he explained.

FIDO is working with Yubico, Google, Microsoft and 200 other companies in creating stronger authentication standards that prevent phishing, account takeovers and other attacks that prey on the weakness inherent to passwords, Shikiar added.

"FIDO leverages public key cryptography to securely authenticate users -- storing a private key safely on the user's device, with the corresponding public key residing on the service provider's server," he said.  "As part of the challenge-response dialogue during authentication there is metadata unique to the website or service that must be present for the private key to complete the authentication process. This -- at a high level -- is what helps prevent well-designed phishing attacks that might not otherwise be apparent to the user."

Poor password hygiene

Reducing the reliance on passwords

The majority of respondents in the Yubico report found managing passwords to be "too difficult." Fifty-seven percent said they would prefer an alternative method to protect their identity and 56% said they would be happy if they didn't need a password to log in to their online accounts.

On average, respondents report having to spend 12.6 minutes each week entering and/or resetting passwords, according to the report. Additionally, enterprises spend over million dollars a year on password reset alone, Shikiar said.

"There are also a lot of usability challenges, which just about everyone can relate to as a consumer," he said. "FIDO's mission has been to reduce reliance on passwords and the shared secret approach to user authentication. We want to have simpler and stronger authentication for users, while also de-risking authentication for businesses."

Organizations can't get rid of passwords overnight, "but we are on the path to getting there," Shikiar said.

"Everything's aligning in the right direction, with the industry support, the product support and the general realization that with things like phishing, account takeovers, credential harvesting and credential stuffing, the industry needs solutions," he said.

While there is support from leading browser vendors, he said, Microsoft is one of the key contributors and backers of FIDO2 and WebAuthn, and this functionality is being built into their core platforms. Windows 10 and Windows Hello, for example, can provide an entirely passwordless authentication experience.

"Microsoft is having great success with upgrading their Windows 10 upgrades -- as that number ticks up, the number of passwordless enterprises will accelerate accordingly," Shikiar said.

Dig Deeper on Identity and access management

Enterprise Desktop
Cloud Computing