OneLogin’s survey of 300 IT professionals in the US and 300 in the UK shows that companies believe their password protection measures are adequate when, in fact, they are anything but. Over 90 percent of both demographics believe their password protections are sufficient.
Businesses in the two countries are employing outdated practices and, in some cases, lack best practices altogether. For example, businesses in both the US and the UK are not embracing current guidelines that call for checking passwords against lists of common passwords or against rainbow tables (a precomputed table for reversing cryptographic hash functions, allowing one to revert / convert passwords from hash to plain text). Some companies even lack the tools to validate that users have created a complex password, which must contain both upper- and lowercase letters, numbers, and special characters.
Companies force employees to change their passwords frequently. At first glance the practice seems sound, but in reality it pushes staff to recycle passwords across apps and services, or worse, jot them down on a sticky note.
“A key factor in the password battle is the sheer number of passwords people have to remember,” according to the report. “More passwords per user means more opportunities for hackers and more difficulty for users. If people have to remember and enter a password for applications they use, it reduces productivity. And it makes them more likely to resort to insecure practices such as password reuse.”
According to the research, US companies have a mean of over 67 apps requiring separate credentials, with the UK having a slightly lower mean of 58 apps.
Managing passwords for this many platforms is time consuming and translates into financial loss, the study found. IT departments are said to spend 2.5 months per year on password resets. Citing a Forrester study, OneLogin researchers note that the average labor cost of a password reset is $70 or £50. ‘Single sign-on’ is one solution to the problem, but businesses in both countries are also lax in other best practices, like multi-factor authentication.
Deprovisioning is yet another problem as IT reps must manually kill accounts that are no longer valid. Almost half of businesses both in the US and the UK take up to a month to deprovision ex-employees, which gives bad actors a wide window to attack.
*** This is a Security Bloggers Network syndicated blog from Business Insights In Virtualization and Cloud Security authored by Filip Truta. Read the original post at: http://feedproxy.google.com/~r/BusinessInsightsInVirtualizationAndCloudSecurity/~3/QcVpxZCCcac/poor-password-hygiene-leaving-us-and-uk-businesses-vulnerable-to-attack