Password reuse and password sharing prevalent in enterprises

The high percentage of password reuse and sharing by employees leaves enterprises vulnerable to breaches, according to a recent survey from SailPoint Technologies.

Employees are significantly increasing the risk of enterprise security breaches with reckless password activity -- and the proper password governance to stop it is lacking, according to a recent survey from identity governance company SailPoint Technologies.

Vanson Bourne, a U.K.-based technology research firm, interviewed 1,000 office workers in midsize to large organizations (more than 3,000 employees) about their management of passwords, and found that 56% of employees were reusing the same passwords between personal and corporate accounts while relying on an average of just three different passwords. In addition, the survey said 20% were sharing passwords with team members -- allowing information to be easily compromised if no password management policy is enforced.

"As the number of passwords in our lives has proliferated, people have adopted various ways to help themselves," said Kevin Cunningham, president and founder of SailPoint, based in Austin, Texas. "One of the common ways is to start to use the same passwords across multiple different accounts. If you couple that with the fact that people have a cavalier attitude towards protecting them … therein lays the real risk."

Furthermore, the study found that 14% of employees would resell their enterprise passwords to a third party -- sometimes for as little as $150 -- whether as an act of retribution against their employers or simply for monetary gains. According to Cunningham, some employees might believe they could sell a password to a cybercriminal and quickly change it before a breach occurred -- without realizing the extent to which this password pervaded their other accounts.

Joe Siegrist, CEO and co-founder of password management firm LastPass in Washington, D.C., found that password reuse was a growing problem -- more so than deliberate insider threats. Companies don't pay attention to their employees' password usage until it is too late, he said.

"Most companies are just waking up to the realization that just telling people that they can't reuse passwords isn't going to really do the trick," Siegrist said. "People don't feel they are going to get caught reusing their passwords until the corporate network is getting raided by somebody that is reusing a password that you used on some social network or some other site that got compromised."

But it's not only their employees that enterprises need to watch out for.

"Nowadays, with the interactions that happen between businesses, a lot of times businesses have access to applications inside a company as well," Cunningham said. "It's employees, it's business partners, and sometimes it's even customers."

Luckily, companies have begun to act on these risks in recent years, Siegrist said: enterprises are starting to put basic defenses in place against future attacks and breaches, and to plan how they will respond to password leaks.

"Most companies do set up the ability to enforce some form of secondary factor on users," Siegrist said. "That kind of raises the bar -- the password alone is not the only thing that gets access to the data."

Password management is a multistep process that takes companies a few years to embrace, according to Cunningham, and securing a company requires several distinct components.

"It's a matter of education for the employees -- to educate them on the hazards and risks," Cunningham said. "There's a policy aspect of it: If you're accessing our financial application, 'thou shalt not use that password for anything else in your life.' And then there are tools you can use to help automate that process for the employees, such as a Password Bolt. Maybe they don't know what the password is, but they can log into the Password Bolt and the passwords are generated for them."
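As an added example (not SailPoint's, LastPass's or the survey's code), the following Python sketch shows the tooling side of the three components Cunningham lists: a vault that generates a unique random password per account, a check that flags a password the employee already uses on another account (the reuse Siegrist describes), and a check against a compromised-password corpus of the kind an attacker would harvest from a breached social site. The corpus, the account names and the `Vault` class are constructed for the illustration; the corpus lookup mimics a hash-prefix range query so that the full hash never leaves the client.

```python
from __future__ import annotations

import hashlib
import secrets
import string

# Constructed stand-in for a breach corpus of SHA-1 hashes (hypothetical
# values; a real deployment would query a compromised-credential service).
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password123", "Summer2017!", "letmein", "qwerty")
}
PREFIX_LEN = 5  # hex characters sent to the lookup service in a range query


def is_compromised(password: str) -> bool:
    """k-anonymity style check: only the hash prefix leaves the client; the
    'service' returns every suffix sharing that prefix and matching happens
    locally. The service is simulated by COMPROMISED_SHA1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    returned_suffixes = {h[PREFIX_LEN:] for h in COMPROMISED_SHA1 if h.startswith(prefix)}
    return suffix in returned_suffixes


def generate_password(length: int = 20) -> str:
    """Vault-style generation: CSPRNG, every character class represented."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))
        if all(classes):
            return pw


class Vault:
    """Holds one employee's account passwords so reuse can be detected exactly.
    The vault sees plaintext; a directory storing salted hashes cannot compare
    passwords across accounts, which is why this check lives here."""

    def __init__(self) -> None:
        self._entries: dict[str, str] = {}

    def import_entry(self, account: str, password: str) -> None:
        """Load an existing credential without policy checks (migration path)."""
        self._entries[account] = password

    def reuse_report(self) -> dict[str, list[str]]:
        """Map each password used on more than one account to those accounts."""
        by_pw: dict[str, list[str]] = {}
        for account, pw in self._entries.items():
            by_pw.setdefault(pw, []).append(account)
        return {pw: sorted(accts) for pw, accts in by_pw.items() if len(accts) > 1}

    def check_new_password(self, account: str, password: str) -> list[str]:
        """Policy checks for a password being set on `account`; empty list means OK."""
        problems = []
        reused_on = sorted(a for a, pw in self._entries.items()
                           if pw == password and a != account)
        if reused_on:
            problems.append("reused on " + ", ".join(reused_on))
        if is_compromised(password):
            problems.append("present in compromised-password corpus")
        return problems

    def rotate(self, account: str) -> str:
        """Replace the account's password with a fresh generated one that passes policy."""
        while True:
            candidate = generate_password()
            if not self.check_new_password(account, candidate):
                self._entries[account] = candidate
                return candidate


if __name__ == "__main__":
    vault = Vault()
    vault.import_entry("corp-finance", "Summer2017!")   # constructed sample data
    vault.import_entry("social-site", "Summer2017!")
    vault.import_entry("mail", "only-used-here")
    print("reuse:", vault.reuse_report())
    print("problems:", vault.check_new_password("corp-finance", "Summer2017!"))
    print("rotated corp-finance to a unique password of length",
          len(vault.rotate("corp-finance")))
```

The reuse report is the audit that a directory alone cannot produce; the per-change check is what turns the "thou shalt not use that password for anything else" policy into something enforced rather than merely taught, and rotation replaces a shared or leaked password with one the employee never has to remember.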

SailPoint's survey also showed that 20% of respondents said they have already been affected by high-profile data breaches. Cunningham said he expects that number to grow moving forward. With more and more breaches in recent years, he said it's time for companies to step up their password management and enact basic security policies or risk suffering a preventable breach.

"Nobody wants to be the next headline about being breached and having lost customer information or intellectual property or financial information," Cunningham said. "But also governments around the world have stepped in and are mandating that companies do a better job of this. … There's nothing that gets attention faster than an audit fail."

6 comments

Does your organization have a password management policy for employees?
All employees within my business must go through a password management training seminar run by our IT techs. A two-tiered form of authentication is needed for all users to ensure proper safety protocols are maintained. In addition we have moved away from passwords and codes to pass phrases, a much more secure form of authentication for password management. The pass phrase change is by far the biggest new policy for security and safety.
Yes, use a secure password that matches what the system asks for. Change it if there's any inkling that systems have been breached. That's it. Common sense and security - what a concept.
With caveats, though. ID federations (single-sign-on services and password managers) create a single point of failure, not unlike putting all the eggs in a basket. It remembers all my passwords when un-hacked and loses all my passwords to criminals when hacked. It should be operated in a decentralized formation or should be considered mainly for low-security accounts, not for high-security business which should desirably be protected by all different strong passwords unique to each account.

By the way, some people shout that the password is dead or should be killed dead. The password could be killed, however, only when there is an alternative to the password. Something belonging to the password (PIN, passphrase, etc.) and something dependent on the password (ID federations, 2/multi-factor, etc.) cannot be the alternative to the password. Neither can be something that has to be used together with the password (biometrics, auto-login, etc.).

It is too obvious, anyway, that the conventional alphanumeric password alone can no longer sustain the demand and we urgently need a successor to it, which should be found from among the broader family of the passwords and the likes.
With password reuse and sharing, dismissed employees can still manage to access critical enterprise information. Hence, I think enterprises should strongly enforce password management policies.
Humans are the weak link in keeping systems secure. We want (or need) to reuse passwords or else risk forgetting our new passwords and being locked out. If I have to call IT every morning to sign into my computer, is that better than reusing a password? Someone MUST have a middle ground that allows for convenience AND security.