A study by Ofcom, the UK communication watchdog, revealed that more than half of internet users use the same password for most, if not all of their regular websites. Over a quarter use easy-to-remember passwords such as birthdays or peoples names, putting their accounts at added risk to be hacked.
The problem with reusing the same password is that if one site suffers a data leak and their password database is compromised, or if hackers guess an easy-to-guess password, then all the accounts that use that password will be compromised too.
The reason why people generally use the same password for multiple accounts, or choose an easy to remember password, is that it’s difficult to remember lots of different passwords for different websites, especially complicated ones. For most people, the fear of forgetting a password outweighs the real risk of getting hacked.
The number of accounts being accessed in an organisation is often underestimated – industry reports say that the average employee has 27 passwords, but a report by Lastpass showed a number nearly 7 times higher. Businesses are often not able to accurately assess how often employees are creating new accounts, outside of the apps sanctioned and provisioned by their IT departments.
This lack of visibility makes it difficult to enforce best practises. With no oversight over the cloud apps employees use for business, these become vulnerable entry points for attack, and there is no protection in place against exposure of sensitive corporate data.
The implementation of Single sign-on (SSO) protocols, which allow a user to login to all the accounts they use at work with a single password, generally focuses on integrating with the most used, higher-value apps in the organisation. Additional apps are once again left to be managed by employees, incurring the same risks.
Even multi-factor authentication will not solve all password security challenges, as it would need to be enabled for every single login in use across the organisation to adequately prevent passwords from being an easy target for attackers.
For passwords to be secure, they should ideally be as long and complex as possible, comprising at least 14 characters and a combination of letters, numbers and special characters. The least secure passwords are those that contain words relating to personal data of the user. Nicknames, birthdays, pets, song lyrics and quotations should all be avoided. Hackers use password cracking software that can try out 100 billion passwords per second.
The recommended solution is to use password management software such as Lastpass, which acts as a password vault to store all of a users passwords securely behind one master password.
Once Lastpass has been implemented, it systematically collects and organises all login credentials for all accounts, giving a much more accurate picture of the extent of passwords in circulation in the organisation.
Using a business password manager to ensure passwords are randomized and properly stored will help achieve best practise. Lastpass ensures proper oversight and accountability for shared credentials, and can be set to rotate passwords, apply role-based permissions, add multi-factor authentication and decommission employee credentials after they leave the organisation or change roles. This solution means that the increase in use of apps in the workplace is no longer a threat.