Password authentication has become part of regular life for many individuals who use digital devices on a daily basis. Whether it be inputting a code to unlock their phone, or logging into their computers at the start of the day at work, passwords are quite literally the key to our personal and professional lives. With that in mind, how many individuals and organisations take their password security seriously enough? One password breach could have a significant impact on an organisation or individual.
Yubico, a hardware authentication device company, recently released their 2019 State of Password and Authentication Security Behaviours Report. The research was conducted by the Ponemon Institute and surveyed almost 1,800 IT and IT security professionals in the United States, United Kingdom, Germany and France. The study is conducted annually to understand the current state of password management and authentication beliefs and behaviours.
One metric that the report studied was the perceptions that IT professionals have about managing passwords in the workplace. 66% of respondents believe that it is important to protect passwords that are used in the workplace and 63% believe the same for their personal devices. Despite this, 55% reported that it is difficult to manage their passwords. 56% reported that they would be happy if they could log into online accounts without a password, and 57% would like a method to protect their identity that doesn’t involve the use of passwords (e.g. biometrics or a hardware key).
Privacy concerns have been reportedly increasing, with 63% of respondents saying that in the last two years they have become more concerned about the privacy and security of their personal data. The number one reason given for this was government surveillance at 59%, with the second being increased usage of mobile devices such as smartphones and tablets at 51%.
The report also endeavoured to bring poor password habits to light. 69% of respondents admitted to sharing passwords with colleagues. More than half (51%) of the respondents also admitted to reusing passwords across any of their business and/or personal accounts. 51% say they have experienced a phishing attack in their personal life while 44% have experienced a phishing attack at work. Phishing puts the organisation and/or individual at extreme risk of data theft and ransomware. Despite this alarming figure, 57% of respondents who have experienced a phishing attack have not changed their password habits. Of the 43% that did change their password habits, 47% now use stronger passwords, 43% change them more frequently and 41% have started using multi-factor authentication where possible.
The report found that on average respondents spend 12.6 minutes per week, or 10.9 hours per year, entering and/or resetting passwords. Based on this and the average headcount of 15,000 people per organisation, the researchers estimate that password management and input is costing organisations an average of US$5.2 million per year.
If you’d like to read more into the details of each finding, you can download the PDF here (account required, report is free to download).
The report shows that password habits in the personal and professional lives of individuals have significant room for improvement. As malicious actors steer their efforts towards targeted attacks such as phishing, the authentication habits of an organisation’s employees must be addressed. Many organisations are suffering from ransomware and phishing attacks primarily because of poor training and education. The losses that stem from the cumbersome task of entering and resetting passwords could be offset by investing in training and implementing password management applications. These password management applications aid IT administrators in ensuring that the passwords used within their organisation are strong, unique and securely stored. They also take away the hassle of entering a password every time, as most password managers will automatically insert login credentials. Training also encourages the use of multi-factor authentication, which drastically improves security and reduces the chance of malicious actors gaining access to accounts even if the password is compromised in a data breach. Yubico is a company that specialises in hardware multi-factor authentication (MFA) technologies whereby, using a physical hardware key, users do not have to use their phones for MFA.
If you or your organisation has experienced a password breach, or feel that password security in your organisation could be improved, Contact Us today to learn more about how our experienced consultants can help your organisation remain secure from today’s threats, and be sure to follow our LinkedIn page for the latest security updates.
Author: Jack Schofield, Agilient Consultant