Businesses in the UK lose an average of two-and-a-half months per year in time spent dealing with poor password management, according to new research. As detailed in its report Password Practices 2019, OneLogin surveyed 600 global IT professionals to gauge how companies are protecting passwords in terms of tools, guidelines and practices.
Justin Fox, Director of DevOps Engineering at NuData Security:
“While password-based authentication is irrevocably broken for authentication of users – whether employees or otherwise – this is still concerning and shows that humans continue to be the biggest risk factor in secure systems. In this case, as a mitigation strategy companies can buy subscriptions to password manager apps and require their employees to use them through corporate policy. This is also beneficial to the employee’s personal security as many commercial password management applications provide mechanisms for a “password health” check or free personal accounts that can be interconnected for a frictionless experience for the employee.
Establishing good security policy and raising awareness through newsletters and training is another avenue of defense. Organizations like NIST often publish policies (e.g. NIST 800-63B) that are a good starting point that you can use to establish a baseline and modify from there for your desired security standards. The more recent publications even consider that we’re all only human. If you combine these controls with controls like passive biometrics or trusted devices you can really focus on ensuring a positive employee experience.
Common policies expect passwords of no less than 10 characters with a number, capital letter and special symbol. Some companies have a system set up that automatically forces their employees to update a password every six months or any other time frame. Others take it further and do rounds of fake phishing emails to test their employees’ ability to spot them – preceded by an education session. Ultimately, if the company takes it seriously, they will build security requirements into their processes and policies so that it is not an ad hoc request every time and is part of the company culture.”
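As an added illustration, not code from the article, OneLogin or NuData Security, the following Python puts the two kinds of rule mentioned in the quote side by side: the common composition policy (10+ characters with a digit, a capital and a symbol) and a screen in the style of NIST SP 800-63B section 5.1.1.2 (minimum length, a blocklist of common or compromised values, and rejection of context-specific words, with no composition rules and no forced rotation). The blocklist, the context words and the sample passwords are constructed for the example; a real deployment would load a large breach corpus.

```python
import re
from typing import Iterable

# Constructed blocklist standing in for the list of commonly used or
# previously breached passwords that NIST SP 800-63B says a verifier
# should screen new passwords against.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "summer2019"}


def meets_composition_policy(pw: str, min_len: int = 10) -> bool:
    """The 'common policy' quoted in the article: at least min_len characters
    plus one digit, one capital letter and one special symbol."""
    return (
        len(pw) >= min_len
        and re.search(r"\d", pw) is not None
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def _is_repetitive_or_sequential(pw: str) -> bool:
    """Flags strings made of a single repeated character (aaaaaaaa) or a
    strictly ascending/descending run of adjacent code points (12345678)."""
    if len(set(pw)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def check_nist_800_63b(
    pw: str,
    context_words: Iterable[str] = (),
    blocklist: set = COMMON_PASSWORDS,
) -> list:
    """Screens a user-chosen password the way NIST SP 800-63B describes:
    minimum length of 8, comparison against a blocklist of common or
    compromised values, rejection of repetitive/sequential strings and of
    context-specific words (username, service name). No composition rules.
    Returns the list of reasons for rejection; an empty list means accepted."""
    reasons = []
    lowered = pw.lower()
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if lowered in blocklist:
        reasons.append("appears on the common/compromised password list")
    if _is_repetitive_or_sequential(pw):
        reasons.append("repetitive or sequential characters")
    for word in context_words:
        if word and word.lower() in lowered:
            reasons.append(f"contains context-specific word {word!r}")
    return reasons


if __name__ == "__main__":
    # Constructed samples: a passphrase that fails the composition policy but
    # passes the NIST-style screen, and a username-based password that does
    # the opposite.
    samples = [
        ("correct horse battery staple", ["jsmith", "nudata"]),
        ("Jsmith2019!", ["jsmith", "nudata"]),
        ("12345678", []),
    ]
    for pw, ctx in samples:
        print(f"{pw!r}: composition={meets_composition_policy(pw)} "
              f"nist_reasons={check_nist_800_63b(pw, ctx)}")
```

The contrast the example makes visible is that a long passphrase fails the composition rule while passing the NIST-style screen, whereas a username with a year and a symbol satisfies every composition box but is exactly the kind of guessable, context-specific value the blocklist approach is meant to stop.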