Password security is a constant effort for organisations that want to define and enforce a strong password policy in the workplace. Typically, an organisation trains its staff in good password practices and then has to trust that users are applying those practices as best they can.
LastPass is an online password manager that stores all of your accounts and passwords securely, so that you only need to remember one strong master password. LastPass is available to organisations at a reasonable cost, and administrators can identify at a glance whose passwords are not secure.
On the 1st October, LastPass published a detailed report on password security in the workplace, compiled from anonymised data from more than 43,000 businesses that use LastPass. The aim is to help IT professionals understand where their organisation ranks and how to improve, and to motivate organisations that have not yet invested in password management.
The report highlights two different scores: the LastPass Security Score and the LastPass Password Strength Score. The Password Strength Score is the average strength of the passwords in a vault, while the Security Score also accounts for duplicate, weak, old or vulnerable passwords, whether multifactor authentication is enabled, and other settings, to give a complete picture of the overall password security of a user or organisation. Both scores run from 1 to 100, worst to best.
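To make the Security Score concrete, here is an added example (not LastPass's code, and not its actual scoring formula) that audits a constructed vault export for the issue classes the score counts: duplicate, weak and old passwords, and accounts without MFA. The CSV layout, the 60-bit weakness threshold, the 365-day age limit, the small common-password list and the per-issue weights are all assumptions chosen for illustration.

```python
"""Audit a password-vault export the way a security score does.

Flags duplicate, weak and old passwords and missing MFA per entry, then
rolls the findings into a 0-100 score. The weights and thresholds are
assumptions for illustration, not LastPass's scoring formula.
"""
import csv
import io
import math
from collections import Counter
from datetime import date

# Constructed sample export (not real data): site, username, password,
# date the password was last changed, whether MFA is enabled.
SAMPLE_EXPORT = """site,username,password,last_changed,mfa
mail.example.com,alice,Tr0ub4dor&3,2019-02-11,yes
crm.example.com,alice,Tr0ub4dor&3,2018-07-01,no
vpn.example.com,alice,password1,2019-09-20,no
bank.example.com,alice,xK9#pL2$vN7mQ4rT,2019-08-05,yes
hr.example.com,alice,summer2018,2017-12-30,no
"""

TODAY = date(2019, 10, 15)          # fixed so the example is reproducible
MAX_AGE_DAYS = 365                  # assumption: older than a year is "old"
WEAK_MIN_ENTROPY_BITS = 60          # assumption: below this is "weak"
COMMON_PASSWORDS = {"password1", "123456", "qwerty"}   # tiny constructed list
ISSUE_WEIGHTS = {"duplicate": 30, "weak": 30, "old": 20, "no_mfa": 20}  # assumption


def estimate_entropy_bits(pw):
    """Naive strength estimate: length * log2(size of character classes used).

    This overrates dictionary words and keyboard patterns, which is why the
    audit also checks a common-password list.
    """
    charset = 0
    if any(c.islower() for c in pw):
        charset += 26
    if any(c.isupper() for c in pw):
        charset += 26
    if any(c.isdigit() for c in pw):
        charset += 10
    if any(not c.isalnum() for c in pw):
        charset += 33
    return len(pw) * math.log2(charset) if charset else 0.0


def is_weak(pw):
    return pw.lower() in COMMON_PASSWORDS or estimate_entropy_bits(pw) < WEAK_MIN_ENTROPY_BITS


def parse_export(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(entries, today=TODAY):
    """Return [(site, [issues...]), ...] in export order."""
    counts = Counter(e["password"] for e in entries)   # reuse detection
    findings = []
    for e in entries:
        issues = []
        if counts[e["password"]] > 1:
            issues.append("duplicate")
        if is_weak(e["password"]):
            issues.append("weak")
        age_days = (today - date.fromisoformat(e["last_changed"])).days
        if age_days > MAX_AGE_DAYS:
            issues.append("old")
        if e["mfa"].strip().lower() != "yes":
            issues.append("no_mfa")
        findings.append((e["site"], issues))
    return findings


def security_score(findings):
    """Start at 100 and subtract each issue's weight, spread over all entries."""
    n = len(findings)
    if n == 0:
        return 100
    penalty = sum(ISSUE_WEIGHTS[i] / n for _, issues in findings for i in issues)
    return max(0, round(100 - penalty))


if __name__ == "__main__":
    findings = audit(parse_export(SAMPLE_EXPORT))
    for site, issues in findings:
        print(f"{site:20} {', '.join(issues) or 'ok'}")
    print("security score:", security_score(findings))
```

Running it on the constructed export flags the reused "Tr0ub4dor&3" on two sites, the dictionary-style passwords on the VPN and HR accounts, the two stale entries and the three accounts without MFA, and gives the vault a score of 56. The entropy estimate alone would pass "summer2018"-style passwords with a lower threshold, which is why a real audit should also compare against breached-password lists rather than rely on character-class arithmetic.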
The report uses a number of statistics to find trends in password security scores. It found that, on average, larger companies have a harder time with password security: companies with 1 to 25 employees had an average security score of 50, while companies with 500 or more employees averaged 46. The report does not let large companies off the hook, though, as it also shows the top score achieved by a company of each size. The top security score from a company with 1 to 25 employees was a perfect 100, and the top score from a company with over 10,000 employees was 88, an exceptional result for an organisation of that size. This shows that even a very large company can achieve excellent password security.
Industries were also analysed in the report, with IT companies achieving the highest average of 53 and insurance the lowest at 47. Industries such as health, finance and government also average quite low, a concerning finding considering how heavily regulated these industries are. Again, the report also shows the top score from each industry: government and education are at the bottom with 86, and banking/finance and IT are at the top with 97. It is promising to see that businesses from all industries are achieving excellent scores and making good use of their investment in a password management platform.
One of the more concerning findings from the report is the average security score by country. Germany achieved the highest score of 56, with many other European countries close behind; this is plausibly due to standards and legislation in the EU such as the General Data Protection Regulation (GDPR). Australia, however, ranks lowest in the list with a score of 49. The global average is 52, so Australia sits below average, a worrying statistic. Despite this, the top security score from an Australian company is 98, near the top of the ranks and just behind Canada at 99 and the US at 100.
The second part of the report covers password strength scores, and much of the data follows the same trends as the security score statistics. Many more companies and industries achieve a perfect score of 100 for password strength, but industries such as health, banking and insurance still score lower on average, at 51, 52 and 53 respectively, with IT ranking highest at 57.
Australia still has the lowest average for password strength, with a score of 53, another worrying statistic. Germany still ranks highest at 62, with other European countries also averaging on the higher end. Australia clearly has some catching up to do with the rest of the world.
The report also shows an interesting statistic: how quickly password security improves after investing in password management. Companies that adopted password management within the last 3 months have an average security score of 26, but within a year that jumps 15 points to 41. This indicates clear progress from the state of password security before password management was in place, and is perhaps the most motivating statistic in the report.
The third main section of the report breaks down the use of multifactor authentication (MFA). Of all the companies using MFA, over 40% are companies with 1 to 25 employees, and over 30% are from the IT industry. Surprisingly, heavily regulated industries such as health, insurance and government make up a significantly smaller share. 63% of companies using MFA are from the United States, which is surprising given that the US ranks lower for both security score and password strength, while Germany accounts for less than 3% of companies using MFA despite ranking higher on average. Note that these figures are shares of the companies using MFA rather than MFA adoption rates within each group, so countries and industries with more LastPass customers will naturally account for a larger share.
The report's data makes a strong case that password management significantly improves password security in organisations, and LastPass is just one of the password management platforms available. Password security should be taken seriously: weak passwords can be cracked very easily, and if the same password is reused elsewhere, a single compromise can significantly worsen a breach. Australian organisations have some improving to do if we want to stay ahead of ever-evolving password attacks.