ThreatList: Password Hygiene Remains Lackluster in Global Businesses

When it comes to password behaviors in the workplace, the average business is doing just an okay job, earning a middling score in a credentials-security benchmarking analysis of organizations’ habits. Notably, the data also shows that password-sharing is still prevalent in the workplace – although 45 percent of businesses do now use multifactor authentication.

In a report published by LastPass on Monday, a security benchmark score was calculated for each organization that was analyzed. This was done by evaluating the number of duplicate passwords; the number of sites logged into that are marked “vulnerable” due to publicly disclosed data breaches; the number of weak passwords; the average strength of each password; the strength of shared passwords; and the use of multifactor authentication.
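To make those factors concrete, here is an added example (not LastPass's code or its scoring formula) that audits a constructed credential inventory for the same five factors and folds them into a 0-100 score with assumed weights; `BREACHED_SITES`, `WEIGHTS`, the `is_weak` heuristic and the sample vault are all invented for illustration.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
# Constructed "vulnerable" sites (publicly breached); not real data.
BREACHED_SITES = {"old-crm.example", "breached-forum.example"}
# Assumed factor weights; LastPass does not publish its formula (illustrative).
WEIGHTS = {"duplicates": 0.25, "weak": 0.25, "on_breached_site": 0.15,
           "weak_shared": 0.15, "no_mfa": 0.20}

@dataclass
class Credential:
    site: str
    password: str
    shared: bool = False  # shared with coworkers through the manager
    mfa: bool = False     # multifactor authentication enabled on this login

def is_weak(password: str, min_len: int = 12) -> bool:
    """Assumed heuristic: too short, or fewer than two character classes."""
    classes = sum([any(c.islower() for c in password),
                   any(c.isupper() for c in password),
                   any(c.isdigit() for c in password),
                   any(not c.isalnum() for c in password)])
    return len(password) < min_len or classes < 2

def hygiene_metrics(creds: list[Credential]) -> dict[str, float]:
    """Count the article's risk factors over one organization's vault."""
    uses = Counter(c.password for c in creds)
    return {
        "duplicates": sum(uses[c.password] > 1 for c in creds),
        "weak": sum(is_weak(c.password) for c in creds),
        "on_breached_site": sum(c.site in BREACHED_SITES for c in creds),
        "weak_shared": sum(c.shared and is_weak(c.password) for c in creds),
        "mfa_coverage": sum(c.mfa for c in creds) / len(creds),
    }

def hygiene_score(creds: list[Credential]) -> int:
    """0-100: start at 100, subtract the weighted share of logins per factor."""
    m, n = hygiene_metrics(creds), len(creds)
    penalty = sum(WEIGHTS[k] * m[k] / n for k in
                  ("duplicates", "weak", "on_breached_site", "weak_shared"))
    penalty += WEIGHTS["no_mfa"] * (1 - m["mfa_coverage"])
    return round(100 * (1 - penalty))

# Constructed vault for a small fictional company (six logins).
SAMPLE = [
    Credential("mail.example", "Summer2024!", mfa=True),            # short
    Credential("vpn.example", "Summer2024!", shared=True),          # reused, shared
    Credential("old-crm.example", "correct horse battery staple"),  # breached site
    Credential("breached-forum.example", "Tr0ub4dor&3", shared=True),
    Credential("hr.example", "xK9#mP2$vL7@qR4w", mfa=True),
    Credential("wiki.example", "Tr0ub4dor&3"),                      # reused
]
```

Running `hygiene_score(SAMPLE)` on the constructed vault yields 43, below the report's average of 52, driven mainly by the two reused passwords and the low MFA coverage.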

On a scale of 0 to 100, with 100 representing exceptional password hygiene, the average score across more than 43,000 organizations that use LastPass as their business password manager was 52.

Smaller companies have higher scores; organizations with 25 or fewer employees have the highest average security score of 50. For those with 500 or more, the score holds steady at 46.

“More employees bring more passwords and unsanctioned apps, as well as extra opportunities for dangerous password behaviors,” the report noted. “We can infer that the larger the organization, the more difficult it is to address challenges like budgets, competing priorities, bureaucratic red tape or scaling training initiatives. Smaller companies, despite fewer resources, seem to achieve better results.”

The security posture around passwords varies by industry, too.

The highest average security scores were found in the technology sector, where there are stricter privacy and data laws than in other vertical markets. Not-for-profits have an average score of 50, while on the other end of the spectrum, retail (48) and insurance (47) lag behind.

“Heavily-regulated industries like banking, health, insurance and government are not achieving comparable (or even superior) average security scores [to technology],” according to the report. “And given that those industries – in particular health – are more frequently targeted by attackers, we would expect to see higher commitments to password security.”

When it comes to average security scores for countries, Germany ranks highest at 56, followed closely by the Netherlands at 55. The U.S. falls well below the global average and a full seven points behind the leader, at 59.

“With a reputation for security and the adoption of standards like the General Data Protection Regulation (GDPR), it’s understandable why they lead the pack,” LastPass noted.

On average, the report data shows that any given employee now shares six passwords with coworkers. And 50 percent of users don’t create different passwords for work and personal accounts.

This is up from last year, when, on average, an employee was found to share four passwords.

“Password-sharing remains frustrating for employees and IT admins alike,” the report pointed out. “Employees resort to weak-but-memorable passwords and insecure sharing methods so they can simply get their work done. IT, however, knows these passwords are a potential backdoor into the business.”

This is a risk that’s exacerbated by a continued blending of work and home life; employees own the passwords for various corporate services – regardless of where they log in, and even after they leave a company.

Multifactor Authentication

Multifactor authentication is gaining in popularity, with close to half (45 percent) of businesses using it – importantly, this is almost double last year’s 24.5 percent.

Once again, small companies are ahead of the pack; of companies that have turned on MFA, 41 percent have 25 or fewer employees, the analysis found. Usage plummets in larger enterprises, clocking in at just 3 percent for companies with more than 10,000 employees.

Adoption varies by industry, too. For companies that have turned MFA on, 31 percent are in technology. Healthcare companies are the worst off, despite that sector’s heavy regulations: Just 3 percent have implemented it.

In terms of geography, MFA is one of the few places the U.S. is out ahead – 63 percent of the organizations in the report with MFA are American.

“Given [that the U.S.] ranks lower for both the security score and Password Strength Score, we’re surprised to see usage so high,” LastPass said. “On the other hand, Germany, which leads both scores on average, accounts for less than 3 percent of the companies that have multifactor authentication enabled.”