Australians have some of the worst password-management practices in the world, one security firm has warned as security experts once again commemorate World Password Day with pleas for users to get smarter about the way they protect their precious data.
Half of the 43,000 businesses and individuals surveyed for the recent LastPass by LogMeIn 2018 Global Password Security Report said they were using the same passwords for personal and work accounts, with 62 percent saying they reuse passwords across different sites.
Australian users’ average password security score – a metric derived from real-world passwords used within the LastPass single sign-on platform – was 53, tied for world’s worst with Denmark, New Zealand and the US but well behind leaders Germany (62), the Netherlands (60), and Italy, Sweden and Switzerland (59).
Companies of 1 to 25 employees had the strongest passwords, overall, than larger firms and strength declined consistently with increasing size.
Retail companies had the worst passwords overall, with an average score of 49, while health, insurance, banking/financial and manufacturing were only a little better.
Just 6 percent of surveyed Australian companies were using multi-factor authentication – well ahead of many countries but lagging the US (63 percent) and UK (10 percent).
Even the best figures were well behind ideal levels, confirming yet again that most businesses are protecting critical data with less-than-ideal password security – something that has consistently emerged in one study of password behaviour after another.
Changing user behaviour
Educating users on password security is crucial and users need to get accustomed to using passwords or passcodes on every device they use “even when they don’t think security is necessary,” argued ESET senior research fellow Nick FitzGerald, who also recommended users deactivate unused accounts, save the strongest passwords for the most important accounts, using passphrases and strong passwords; and using a password manager to improve user compliance.
“Users never know when a threat might affect them, or when their data might be at risk, so it’s critical they protect their information behind a strong password in the first place.”
Billions of passwords have been leaked online in recent years, but experts were aghast at the discovery in March that hundreds of millions of Facebook passwords were available in a non-encrypted format – providing a motherlode for credential-stuffing cybercriminals.
“Although no evidence has arisen to show that password data has been abused, the fact that this incident occurred to a company even with security systems and processes highlights it’s an ongoing threat,” Mimecast principal technical consultant Garrett O’Hara said in a statement, “especially for organisations with immature security practices. Users must be reminded not to use the same password for different applications, especially across personal and work accounts.”
A growing climate of insider breaches and the challenges of enforcing effective password policy are leading many CISOs to revisit their password policies in a search for a user-friendly approach that also preserves security.
“We have made passwords more complex with a requirement that they be updated regularly so that they cannot be easily guessed by bad actors,” One Identity APJ regional manager for technology and strategy Serkan Cetin said in a statement.
“Unfortunately, one of their biggest drawbacks of this is that people very often forget their passwords. The forgetting and resetting of dozens of passwords is a broken cycle that we should strive to end. We’ve reached a breaking point, and the power of the password is rapidly diminishing.”
Others are considering options for a passwordless future – an increasingly viable approach that is being enabled by increasingly portable standards for passwordless authentication and efforts from the likes of Google.
Yet passwords will remain a necessary evil in most environments – and for companies that aren’t managing them properly, CyberArk technical director David Higgins warned, they remain the “soft underbelly of the organisation.”
“Admin passwords are a key target for attackers and, due to operational challenges, are rarely managed to the level that they should be,” he said. “Basic level passwords that allow entry into the IT world will remain, in at least the near future, a true break glass issue.”