CIO

Users’ password problems are even worse for security than you think

BYOD, human forgetfulness compounding a password quagmire, password-management analysis concludes

End-users are juggling far more passwords than prior studies have estimated, according to a new analysis by LastPass that suggests the average employee is tracking 191 different passwords.

That figure – derived from a new, anonymised study of more than 30,000 companies using LogMeIn’s LastPass password manager – is well ahead of the 27 passwords-per-user figure from a widely cited McAfee survey from 2016. It dials up the pressure on IT managers to address the vulnerabilities that every company potentially faces when even one employee password is breached.

The Verizon Data Breach Investigations Report 2017 concluded that 81 percent of breaches are facilitated by exploiting compromised passwords. Extrapolating from the LastPass figures suggests that the average 250-person company has 47,750 different passwords – which presents a massive potential vulnerability if even one of those passwords is leaked.

LastPass’s analysis found that 61 percent of users use the same password, or a similar password, on all of the sites and services for which they are registered. Yet password reuse – a coping mechanism for employees who struggle to remember so many different passwords at once – opens up corporate networks to compromise if a leaked credential can be tied to its owner, whose place of work may not be difficult to figure out. Such practices were a contributor to the more than 4 billion records that were leaked during 2016 alone, according to an analysis by IBM.

The figures also revealed that the average employee types in their credentials 154 times per month – reflecting the ongoing burden that passwords represent. Many of those logins reflected crossover between consumer and business services, with the analysis suggesting that half of the top 36 domains used in the workplace were actually popular consumer services.

This crossover presents particular challenges for IT administrators, who have long struggled to bring ‘shadow IT’ services under control and admit to generally being unable to see what users of shadow-IT services are doing. In one recent Bitglass-Cloud Security Alliance survey, just 28 percent of systems administrators said they had visibility of user logins.

This duality would continue to be an issue for security administrators because users invariably prefer convenience over inconvenience, VMware director of solutions product marketing Christopher Campbell warned the audience at the VMware Evolve event earlier this year.

“There’s an ever-expanding footprint that you have to secure,” Campbell said, “and anyone with a finger is a threat. So how do you architect to that, so you can insert security everywhere and leverage the technology you have to actually help you?”

Longer-term solutions would need to be adaptive, conditional, and capable of learning user behaviour, Campbell added while pushing for a broader concept of identity that complements or replaces passwords with identity-based authentication.

Security pundits have been beating the drum about better authentication that addresses the weaknesses of password management. Some favour multi-factor authentication (MFA) that incorporates artificial intelligence to make decisions about a login’s integrity, while others talk about continuous-authentication regimes that monitor user activities throughout the user session.

In the short term, however, none of these alternatives are likely to do away with passwords and the security challenges they bring. Just 26.5 percent of LastPass-using companies have adopted MFA, while support for SAML, which enables single sign-on across a range of services, is still far from ubiquitous. And shadow-IT usage continues to grow as employees continue to add services as the urge takes them.

Even as they explore alternatives, Australian businesses face heightened security obligations under the looming Notifiable Data Breaches (NDB) scheme, and poor password hygiene won’t be looked on favourably in post-breach analysis.

To this end, businesses should be re-evaluating their password-management policies using guidance such as that provided by the Office of the Australian Information Commissioner (OAIC), which recommends “minimum standards for security of end-user mobile devices” including encryption and password protection, as well as use of MFA “in circumstances that may pose a higher security risk”.

The OAIC document lays down a number of best practices around password management, including minimum-length requirements, secure storage of passwords, prohibitions on reuse or sharing of passwords, and randomly selected passwords.

Ultimately, practicality will force many companies to adopt alternative tools for managing large numbers of passwords; LastPass, 1Password, and similar password managers all seek to fill this gap by offering many of the capabilities the OAIC recommends.

“Either IT teams need to pick up the burden of configuring and deploying these services or, more likely, employees are left to manage those credentials on their own,” the report warns. “By sacrificing that control and visibility, IT is again leaving those entry points vulnerable to poor password hygiene and employee misuse.”