Best Practices for Workplace Passwords
IndustryView | 2015
Passwords remain central to cybersecurity, even though they represent a popular target for cybercriminals who are skilled at compromising them. This report will investigate the prevalence of best and worst password practices in the U.S. workplace, and offer recommendations for how businesses can improve their own password practices.
In the wired 21st century, passwords are proliferating at an alarming rate. According to a recent survey, the average person now has 19 passwords to remember.
It’s no surprise, then, that users often succumb to password fatigue and commit such security sins as using passwords based on names or words culled from a dictionary, reusing passwords or writing them down on pieces of paper that are left lying around the office.
Indeed, password fatigue is so widespread that even hackers—who should know better—take shortcuts. Jeremy Hammond, who carried out a devastating assault on security intelligence consultancy Stratfor in 2012, recently told the Associated Press that he thinks law enforcement found the evidence required to convict him because his computer password—the name of his cat plus three numbers, “Chewy123”—was “really weak.”
In short, the password status quo is unsustainable. This is why the industry consortium FIDO (Fast IDentity Online) Alliance was launched in 2013 to reduce reliance on passwords and improve authentication technology.
And Michael Daniel, the White House’s cybersecurity coordinator, says that he “would love to kill the password dead as a primary security method.”
For now, however, users remain stranded in an era of infinitely multiplying passwords. To gauge the extent of the problem and how it affects businesses, as well as to find out what steps businesses are taking to ameliorate the issue, we surveyed U.S. employees on their use of passwords at work. Here’s what we found.
We first wanted to probe employee confidence about the security of their workplace password usage habits. After the much-hyped “Year of the Breach,” just how confident are employees in the strength of their own primary authentication method?
Twenty-nine percent of respondents say their password usage habits are “extremely secure,” while 27 percent opt for “very secure.” This gives us a slim majority of 56 percent who, regardless of last year’s bad news, are confident in the strength of their passwords.
However, a 56 percent confidence rate is hardly reassuring. After all, if only 56 percent of U.S. surgeons were confident that their instruments were clean, millions of people would be far more reluctant to go under the knife for even routine outpatient operations.
Meanwhile, 34 percent of respondents hedge their bets, choosing only “moderately secure.” The rules for strong passwords are hardly secret, and are constantly reiterated at work and in the news (at least eight characters, plus a mix of upper and lowercase letters, symbols and numbers).
Our findings suggest that users either remain unaware of the rules despite the hype, do not believe them to be good advice or simply find them too burdensome, and thus opt for less secure passwords.
The good news is that outright pessimism is rare: Only 3 percent of respondents knowingly use minimally secure passwords, with just 2 percent freely admitting that the passwords they use are outright “not secure.” These individuals are most likely those legendary employees who, whether out of ignorance, indifference, exhaustion or malice, select such password classics as “password” and “1234.”
In a recent survey Software Advice conducted of security professionals, an overwhelming 84 percent say they consider the threat employees pose to businesses to be “underrated.” But this threat need not be intentional—indeed, error, carelessness and inadequate security training likely undermine workplace protection tools far more often than malicious actions by disgruntled employees.
Next, we asked respondents about a variety of “worst practices” to find out how many users commit these password sins at work, and thus put their employers’ data at risk:
The most common sin is password reuse, which 31 percent of respondents admit to. This makes life much easier for cybercriminals: Compromising one low-value account can grant access to other accounts where more valuable information resides.
What is startling, however, is that the figure is so low. According to a November 2014 report by network security provider RSA and the Ponemon Institute, 69 percent of consumers admit to reusing the same password on more than one device or website.
The difference could be attributed to good security training and effective workplace policies. However, the explanation might be even simpler: People tend to have fewer passwords for work, so it is much easier to make them distinct and secure.
The latter is an idea supported by Jeff Multz, director of North America SMB (small to midsize business) sales at Dell SecureWorks. Through his experience traveling the country and talking to businesses about security, Multz finds that “people are more vigilant at work than at home.”
Even so, if nearly one-third of workers admit to reusing passwords, this still represents a large exposure to risk.
Meanwhile, other password sins are less common. Only 10 percent of respondents admit to using “simple” passwords, while a mere 8 percent admit to sharing passwords with colleagues (and only 1 percent admit to sharing them with people outside work).
Here, though, it matters who may be in that 8 percent. If an employee with a high degree of access privileges shares passwords, it can be much more harmful than, for instance, if a member of the marketing department with no access to vital business data does so.
The most surprising result, however, is that only 4 percent admit to writing their passwords down on paper and leaving them visible on desks. Multz says that he observes this practice in his work, although with the occasional twist.
“[One example] I tend to come across is when IT gets a computer back that needs repair, and the user's password is written on the bottom of the keyboard,” he says. While this password is not technically visible, it is also not very secure.
Finally, a virtuous 56 percent report that they never commit any of these common password sins—which matches the number who consider their password usage habits to be either “extremely” or “very secure.”
Thus far, we’ve explored the ways employees view and use passwords. But company culture is also crucial: If management is lax about enforcing best practices, then leadership must share the blame when workers take shortcuts—and perhaps even accept the lion’s share of it.
Here the results are rather alarming. The most obvious thing a business can do is require employees to adopt complex passwords, as the longer and more complicated passwords are, the more secure they become. However, only 54 percent of respondents say their workplaces require them to use complex passwords. This is especially troubling as this security measure can easily be enforced through technology, reducing the need to rely on fallible humans.
Other best practices score even lower: slightly over 51 percent of respondents are required to change their passwords regularly, while a mere 41 percent say they are locked out of their computer after too many failed attempts at entry.
Only 39 percent are forbidden from reusing passwords, and only 29 percent are forbidden from using the default passwords that come with a system. Very few businesses require the use of passphrases (a phrase or sentence used instead of a string of characters, e.g., F.M.DostoevskyWasBornIn1821), which experts generally recommend as more secure than passwords; since this is a rather complicated option, however, that is not surprising.
The main takeaway is that only two of these best practices score an adoption rate of 50 percent or above, indicating that at the enforcement level, password sloppiness is unacceptably widespread.
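The enforcement controls discussed above (the eight-character mixed-class rule cited earlier, a ban on reusing earlier passwords, and lockout after too many failed attempts) are the kind of thing that is cheap to enforce in software. The following is an added example written for this page, not code from the report or from Software Advice; the history size, lockout threshold, sample blocklist and class/function names are assumptions, since the report gives no specific numbers.

```python
import hashlib
import hmac
import re
import secrets
# Rules the report cites: at least eight characters with a mix of upper- and
# lowercase letters, symbols and numbers; no reuse of earlier passwords; lockout
# after too many failed attempts. The numeric thresholds are assumptions.
MIN_LENGTH, HISTORY_SIZE, LOCKOUT_THRESHOLD = 8, 5, 5
BLOCKLIST = {"password", "1234", "12345678", "qwerty"}  # constructed sample list
CLASSES = {"lowercase": r"[a-z]", "uppercase": r"[A-Z]",
           "digit": r"[0-9]", "symbol": r"[^A-Za-z0-9]"}

def complexity_violations(password: str) -> list[str]:
    """Return the stated rules the candidate breaks (empty list == compliant)."""
    problems = [f"shorter than {MIN_LENGTH} characters"] if len(password) < MIN_LENGTH else []
    problems += [f"no {name} character" for name, rx in CLASSES.items()
                 if not re.search(rx, password)]
    # "Password1!"-style decorations of a classic are still the classic.
    if password.lower().strip("0123456789!@#$%^&*.") in BLOCKLIST:
        problems.append("based on a well-known password")
    return problems

def _digest(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the reuse history never holds cleartext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    """Minimal account record enforcing the reuse-history and lockout rules."""
    def __init__(self) -> None:
        self.history: list[tuple[bytes, bytes]] = []  # (salt, digest), newest last
        self.failed_attempts = 0
        self.locked = False

    def _matches(self, password: str, entry: tuple[bytes, bytes]) -> bool:
        return hmac.compare_digest(_digest(password, entry[0]), entry[1])

    def set_password(self, password: str) -> list[str]:
        # Apply complexity and reuse checks; return violations, empty on success.
        problems = complexity_violations(password)
        if any(self._matches(password, e) for e in self.history):
            problems.append("reuses a previous password")
        if not problems:
            salt = secrets.token_bytes(16)
            self.history = (self.history + [(salt, _digest(password, salt))])[-HISTORY_SIZE:]
        return problems

    def sign_in(self, password: str) -> bool:
        # Check the current password; lock the account after repeated failures.
        ok = not self.locked and bool(self.history) and self._matches(password, self.history[-1])
        self.failed_attempts = 0 if ok else self.failed_attempts + 1
        self.locked = self.locked or self.failed_attempts >= LOCKOUT_THRESHOLD
        return ok
```

Note that the report's example "Chewy123" already meets the length rule and three of the four character classes; it is the missing symbol and the guessable pet name that make it weak.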
User authentication can also be strengthened through tools designed to enhance password security. We next set out to gauge the adoption rates of some of these common password tools.
Experts recommend multi-factor authentication (also known as “second-factor,” “two-factor” or “two-step” authentication) to both businesses and consumers. This enhances password security by requiring the user to provide a second piece of information at sign-in, which is most commonly a randomly generated, one-time code sent via email or text message to authenticate their identity.
Multi-factor authentication protects user data because even if a password is compromised, that information alone is insufficient to grant an intruder access to an account.
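The sign-in step just described, a one-time code issued per login and checked alongside the password, is shown below as an added example written for this page (not code from the report or from any vendor it quotes). Delivery by email or text message is represented by an injected `send` callable, and the code length, validity window and guess limit are assumptions.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6         # assumed: the report only says "randomly generated, one-time code"
CODE_LIFETIME_S = 300   # assumed five-minute validity window
MAX_CODE_ATTEMPTS = 3   # assumed guess limit before the code is voided


class SecondFactor:
    """Issues and verifies one-time codes for the second sign-in step."""
    def __init__(self, send, clock=time.time):
        self._send = send      # callable(user, code): the email/SMS delivery channel
        self._clock = clock    # injectable so expiry can be tested offline
        self._pending = {}     # user -> [code, issued_at, attempts_left]

    def issue(self, user: str) -> None:
        # A fresh code per sign-in, drawn from the CSPRNG rather than `random`.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = [code, self._clock(), MAX_CODE_ATTEMPTS]
        self._send(user, code)

    def verify(self, user: str, submitted: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False
        code, issued_at, attempts_left = entry
        if self._clock() - issued_at > CODE_LIFETIME_S or attempts_left <= 0:
            del self._pending[user]  # expired or exhausted: a new code must be issued
            return False
        if hmac.compare_digest(code, submitted):
            del self._pending[user]  # single use: the same code never works twice
            return True
        entry[2] -= 1
        return False


def sign_in(password_ok: bool, factor: SecondFactor, user: str, code: str) -> bool:
    # A stolen password alone never passes: both checks must succeed.
    return password_ok and factor.verify(user, code)
```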
Even free consumer products, such as Gmail, are now encouraging customers to adopt multi-factor authentication, and offer it as part of their service. However, very few businesses have adopted the technology. Indeed, a mere 17 percent of respondents report using it at work.
This doesn’t surprise Multz, who stresses that the added cost and complexity of the technology can dissuade businesses. Yet Andre Boysen, chief identity officer at identity network firm SecureKey Technologies, has a different perspective.
Boysen insists that multi-factor authentication is the right answer, but that “we are taking the wrong approach.” The variety of methods for implementing the technology is too wide, he says, and all of them require the user to remember something in addition to the already-inconvenient password. Boysen insists that there needs to be greater “federation”—meaning agreement at a high level on a single system that works for everybody.
“We can’t have everybody in the world using their own authentication scheme,” he notes.
However, regardless of any drawbacks, both Multz and Boysen feel that multi-factor authentication is essential to business security. Boysen in particular stresses the importance of choosing solutions that are as streamlined as possible and do not require users to carry around security accessories, such as “hard tokens,” that generate temporary codes.
“User authentication is a complete burden, but we know that it’s a complete necessity to keep the data safe,” Boysen says.
As for other password enhancers, adoption rates are even lower. For instance, password managers can enable users to manage all of their passwords through a central software application, reducing the number they need to remember to one master password (to access the manager). But even though these applications reduce complexity, a mere 14 percent of respondents report using them at work.
Another simple tool is a random password generator. These generate long, complicated strings of characters that are difficult (and time-consuming) for hackers to crack. The drawback is that such passwords are also very difficult to remember, and so it is not surprising that businesses and employees seem largely uninterested in them (only 13 percent of respondents use them at work).
In all, 58 percent of respondents don’t use any supplementary security tools. So for now, at least, the much-abused password on its own remains the undisputed champion of workplace identity authentication.
Finally, we were intrigued by the much-hyped biometric alternatives to passwords, such as fingerprints or retinal scans. This technology, once seen only in science fiction movies, now features regularly in breathless media pieces about solutions that incorporate it. But what do current adoption rates look like in the workplace?
The answer: they’re not very high. This is in spite of the fact that we posed this question at a very high level, simply asking if any biometric authentication methods at all were in use. Even in aggregate, a mere 14 percent of respondents report using biometrics at work.
There could be multiple reasons for this—first, cost is an obvious factor, as it is more expensive to install and effectively administer biometric solutions than it is to use passwords. Biometrics are thus beyond the reach of most SMBs, says Multz.
Then there is the “creepy” factor—the cultural resistance to sharing such personal information as our fingerprints or retinas. However, Boysen suggests that, with the adoption of fingerprint identification on consumer products such as Apple and Samsung’s latest smartphones, this could become less of an issue.
Boysen also points out that unlike passwords, biometric solutions are not universal.
“Fingerprints work on a large segment of the population, but there are certain age populations and certain environments and certain cultures where the amount of oil produced in the finger is insufficient to work as a biometric authentication system,” he explains.
Meanwhile, Multz notes that, while biometrics are more effective than using a mere password for authentication, another drawback of using techniques such as fingerprinting is that, “If someone does steal your fingerprint, then this form of authentication cannot be changed, whereas if someone does get your secret question and answer [to obtain your password], then you can certainly change this.”
Businesses considering using biometric methods of authentication should thus conduct careful research before doing so.
Passwords are far from perfect, but for the moment, both businesses and consumers are stuck with them. That being the case, it is important to use them wisely and thoughtfully. Simple passwords and dictionary passwords can be cracked easily by hackers, and it is through the loss of user credentials that some of last year’s biggest data compromises—from Target to eBay—occurred.
Thus, while the methods and tools that currently exist to improve password security, especially multi-factor authentication, are not yet entirely convenient, companies would be well advised to implement them when possible.
As Multz says, “[Multi-factor authentication] is truly needed going forward to safely do business on the Internet.”
In the meantime, users can eagerly anticipate the invention of a rock-solid alternative, which will hopefully put an end to password agony.
To find the data in this report, we conducted an online survey of 192 employees of U.S. businesses who used computers in their daily work. We asked six questions, and collected 192 responses per question. All survey questionnaires undergo an internal peer review process to ensure clarity in wording.
Sources attributed and products referenced in this article may or may not represent partner vendors of Software Advice, but vendor status is never used as a basis for selection. Interview sources are chosen for their expertise on the subject matter, and software choices are selected based on popularity and relevance.
Expert commentary solely represents the views of the individual. Chart values are rounded to the nearest whole number.
If you’d like to further discuss this report or obtain access to any of the charts above, please contact firstname.lastname@example.org.