In 2019 users still write down passwords, weak IAM practices generate enterprise security risk
In the past three months, 78 percent of people reset passwords because they forgot them, despite 35 percent writing them down on sticky notes, in notebooks or in Excel files, according to a two-and-a-half-year study into human behaviour and password management conducted by HYPR.
The research was developed by Yan Grinshtein, Head of User Experience at HYPR, and investigated two situations: the first part is about understanding password management at work, and the second is about password management in personal life for activities like social, shopping and finance.
Some of the top discoveries include a major difference in how people treat work and personal passwords. As many as 72 percent reuse passwords in personal life, while only 49 percent simply change or add a digit or character to their password when updating their company password every 90 days. One of the reasons users are having such a hard time with passwords is that there are too many of them. The report says 37 percent of respondents have over 20 passwords in their personal life and 19 percent of respondents have over 10 passwords in their work life.
“As a society, we’re so accustomed to using passwords and shared secrets that we tend to overlook just how important user experience is,” said George Avetisov, CEO and co-founder of HYPR. “As the world evolves beyond passwords, we believe that true passwordless security delivered through the enterprise will rapidly eliminate the need for users to reuse, manage, reset or even think about passwords.”
Based on data collected from 500 full-time workers in the U.S. and Canada, the study concludes that people are not using password management solutions because they either do not know about them, do not know how to use them, or they simply do not trust them with their information, so most would rather rely on their memory skills or, worse, keep a digital paper trail of passwords in whatever Word doc or spreadsheet they have available.
The proliferation of accounts and credentials seems to be challenging organizations as much as individuals.
A recent trend survey titled “The State of Identity: How Security Teams Are Addressing Risk,” sponsored by the Identity Defined Security Alliance (IDSA), found that Identity and Access Management is stalled by organizational approach. All IT security stakeholders in the survey reported that a lack of strong IAM practices generates enterprise security risk.
“With the majority of today’s breaches tied to compromised credentials and the number of credentials skyrocketing, IAM is a critical and complex issue that spans many organizational teams, requiring a strategy around people, processes and technology,” said Julie Smith, executive director of the IDSA. “The findings highlight that addressing identity security through integrated technologies is only one piece of the puzzle. Without collaboration amongst all stakeholders and a clear understanding of responsibilities and handoff points, identity incurs greater risk.”
In the past ten years, more than 50 percent of respondents registered explosive five-fold growth in workforce identity driven primarily by mobile (76 percent), connected employees (66 percent), enterprise connected devices (60 percent) and cloud technology (59 percent).
Security teams are concerned about identity-related security incidents such as phishing (83 percent), social engineering (70 percent), and compromised privileged identities (64 percent).
Identity management is now more in the limelight than it was a few years ago, but only 24 percent believe their security team has “excellent” awareness of IAM. One of the main roadblocks in investing in workforce IAM is budget ownership (40 percent).
“As businesses embrace new technologies and expand their workforce, the reality of managing identities is seemingly growing more complex by the day. Awareness of the impact IAM has on security posture has grown as well, as an increasing number of data breaches are tied to stolen identities,” said James Carder, CISO and vice president of LogRhythm Labs. “However, as the data shows, IAM efforts face several organizational challenges as companies grapple with who should take the lead. With the number of identities growing, organizations of all sizes should examine how identity management fits into their security strategy, and eliminate any silos between teams that increase risk or slow the pace of the digital transformation of the business.”
This post was updated at 7:59pm Eastern time on December 10, 2019 to correct the attribution of the final quote.