In honor of World Password Day on May 2, OneLogin released a new report on corporate password practices.
OneLogin surveyed 300 U.S.-based IT professionals to “understand how they’re protecting passwords and how well they believe their companies are doing.”
Luckily, most companies have implemented guidelines and best practices for passwords. The report also noted that these guidelines and best practices generally comply with older National Institute of Standards and Technology (NIST) guidance for complex passwords: a minimum password length and a mix of upper- and lowercase letters, numbers, and special characters. Additionally, the report found that 92 percent of IT professionals believe their password protection methods are “adequate.”
However, things aren’t completely positive. While companies are complying with older NIST guidance, they aren’t yet meeting the newest NIST requirements, nor are they implementing some of the most important pieces of guidance. Specifically, the report noted that companies haven’t implemented key password tools such as checking passwords against common password lists and rainbow tables, or using complexity algorithms to ensure password security.
NIST recently updated its guidelines to call for “easy to remember but hard to guess passwords,” eliminated the requirement for special characters, and recommended “not requiring too-frequent password rotation.” OneLogin explained that the rationale behind the change is that if you require incredibly complex passwords and frequent changes, users simply can’t remember their own passwords. “This results in users either re-using the same complex password everywhere or writing down or otherwise noting their passwords in insecure locations (Post-It notes, messages to themselves, spreadsheets),” OneLogin explained. “Either of these reduces password security and negates the whole point of complex passwords.”
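To make the difference between the two policies concrete, the following is an added example (not code from OneLogin, the report, or NIST) that places an older composition-rule check beside a check in the style of the updated guidance: a minimum length, no required character classes, and a comparison against a blocklist of common or breached passwords, which is the tool the report says most companies have not deployed. The blocklist is a small constructed sample standing in for a real breached-password corpus, and the substitution folding (so “P@ssw0rd” is compared as “password”) is a heuristic of this example, not a NIST requirement.

```python
"""Composition rules versus length-plus-blocklist password acceptance.

Added example. MIN_LENGTH/MAX_LENGTH follow the SP 800-63B figures for
user-chosen memorized secrets; everything else here is illustrative.
"""
import re
import unicodedata

MIN_LENGTH = 8   # SP 800-63B floor for user-chosen memorized secrets
MAX_LENGTH = 64  # SP 800-63B says verifiers should accept at least 64

# Constructed sample blocklist; a real deployment loads a large
# common/breached-password list instead of this handful of entries.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein",
    "p@ssw0rd", "welcome", "spring2019",
}

# Heuristic folding of common substitutions (assumption of this example),
# so "P@ssw0rd" and "password" compare equal against the blocklist.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "$": "s"})

# Runs that users type straight off the keyboard or alphabet.
SEQUENCES = ("0123456789", "abcdefghijklmnopqrstuvwxyz",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")


def legacy_complexity_check(pw):
    """Older composition-rule policy: at least 8 chars and one of each class.

    Note that it happily accepts "P@ssw0rd1", which any attacker's
    wordlist contains.
    """
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def canonical(pw):
    """Lowercase, drop a trailing year/counter/punctuation, fold substitutions.

    Stripping happens before folding so "p@ssw0rd1" becomes "password"
    rather than "passwordi". If stripping would leave nothing (e.g. an
    all-digit entry) the unstripped string is used so both sides of the
    comparison are transformed identically.
    """
    s = pw.lower()
    stripped = re.sub(r"[\d!?.]+$", "", s)
    return (stripped or s).translate(LEET)


def modern_check(pw, username="", blocklist=COMMON_PASSWORDS):
    """Return (accepted, reason) in the style of the updated NIST guidance.

    Length bounds and a blocklist, but no character-class requirements
    and nothing about rotation; the account name is rejected as a
    context-specific word.
    """
    pw = unicodedata.normalize("NFKC", pw)  # SP 800-63B asks for Unicode normalization
    if len(pw) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    if len(pw) > MAX_LENGTH:
        return False, "longer than %d characters" % MAX_LENGTH
    low = pw.lower()
    if len(set(low)) <= 2:
        return False, "repeated characters"
    if any(low in seq for seq in SEQUENCES):
        return False, "keyboard or alphabet sequence"
    if username and username.lower() in low:
        return False, "contains the account name"
    folded_blocklist = {canonical(b) for b in blocklist}
    if canonical(pw) in folded_blocklist:
        return False, "matches a common or breached password"
    return True, "ok"


if __name__ == "__main__":
    # Constructed candidates: the first two satisfy every composition rule
    # yet are trivially guessable; the passphrase fails the old rules but
    # is the kind of secret the new guidance wants.
    for candidate in ("P@ssw0rd1", "Welcome2024!", "correct horse battery staple"):
        print("%-30s legacy=%-5s modern=%s" % (
            candidate, legacy_complexity_check(candidate), modern_check(candidate)))
```

The point the comparison makes is that composition rules and a blocklist disagree on exactly the passwords that matter: the legacy policy accepts the two dictionary-plus-suffix candidates and rejects the long passphrase, while the length-plus-blocklist check does the reverse.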
A third of U.S. companies aren’t paying attention to this new guidance and are still requiring password changes either monthly or more frequently. The problem is compounded by the fact that users have to remember multiple passwords, with programs frequently requiring separate credentials. The study noted that 36.7 percent of companies have 26 to 100 apps that require individual passwords. As a result of having to remember so many passwords, employees are frequently calling IT to help reset their passwords – pulling the IT department away from other more important tasks. In fact, IT spends an average of 2.5 months a year on password resets alone.
There is a way to remove this burden from IT, but companies aren’t implementing it. The majority of companies haven’t enabled self-service password resets, eliminated passwords with single sign-on (SSO), or secured access via multi-factor authentication (MFA) – despite the fact that NIST calls for these tools in its latest guidance. Only 42 percent of companies are using SSO, and 42 percent require MFA.