CIO

Users are still terrible with passwords, but popularity of security apps suggests they want to get better

Companies introducing additional authentication factors as use of ‘123456’ persists and credential breaches continue

End users have terrible password-management practices but the popularity of security apps suggests their companies are at least trying to change their habits, according to a new survey of application usage.

Almost 40 percent of 1200 knowledge workers participating in a Qualtrics survey, conducted as part of Okta’s Businesses@Work 2019 report, said they use the same 2 to 4 passwords “for almost everything”, the firm noted. And fully 10 percent use just one password for all of their online accounts.

That is far from ideal, because reused passwords are exactly what credential-stuffing attacks exploit: leaked username and password pairs from one breach are replayed against other services, giving cybercriminals access to sensitive business environments of all types. Cybercriminals barely have to try anymore, with the recent Collections leak putting 2.2b credential pairs into the public domain for anyone to use.

The problem has gotten so common that Google this month launched a Chrome extension, Password Checkup, that automatically checks user IDs and passwords against massive databases of compromised credentials. The comparison is done on hashed credentials rather than by sending the plaintext password to Google, so the check itself does not create a new place for the password to leak from.

The Okta figures support a recent analysis of 5m leaked passwords by SplashData, which estimates that nearly 10 percent of people have used at least one of the 25 worst passwords on its Top 100 Worst Passwords of 2018 list.

Worst-password stalwarts ‘123456’ and ‘password’ continued to top the list, with new top-25 entrants including ‘111111’, ‘sunshine’, ‘princess’, ‘666666’, ‘654321’, ‘!@#$%^&*’, ‘charlie’, ‘password1’, and ‘donald’.

“It’s a real head-scratcher that with all the risks known, and with so many highly publicized hacks such as Marriott and the National Republican Congressional Committee, that people continue putting themselves at such risk year-after-year,” SplashData CEO Morgain Slain said.
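Both checks mentioned above, a blocklist of known-bad passwords (the SplashData list) and a lookup against a corpus of leaked credentials (the kind of check Google's extension performs), can be enforced at account creation or password change. The following is an added example and is not code from the article, Google, Okta or SplashData: the blocklist is seeded from the entries quoted above, the "breach corpus" is a constructed set of four plaintexts hashed with SHA-1, and the lookup mimics the k-anonymity range query used by Have I Been Pwned, where the client reveals only the first five hex characters of the hash and matches the suffix locally. The function names and the 8-character minimum (from NIST SP 800-63B) are the example's own choices.

```python
"""Password screening against a blocklist and a leaked-credential corpus.

Added example, not code from the original article, Google or Okta. The
blocklist and corpus below are constructed for the demo; a real deployment
would query a breach service (such as Have I Been Pwned's range API).
"""
import hashlib
from typing import Dict, List, Set

# Constructed blocklist: entries taken from the SplashData 2018 list.
BLOCKLIST: Set[str] = {
    "123456", "password", "111111", "sunshine", "princess",
    "666666", "654321", "!@#$%^&*", "charlie", "password1", "donald",
}

# Constructed "breach corpus": what a service would hold after a dump such
# as the Collections leak. Stored as SHA-1 digests, never as plaintext.
LEAKED_PLAINTEXTS = ["hunter2", "letmein", "qwerty123", "Summer2018!"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest format used by range-query APIs."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(plaintexts: List[str]) -> Dict[str, List[str]]:
    """Index digests by their first 5 hex characters (k-anonymity buckets).

    A client only ever sends the 5-character prefix, so the server learns
    one of 16^5 buckets, not the password or its full hash.
    """
    index: Dict[str, List[str]] = {}
    for p in plaintexts:
        h = sha1_hex(p)
        index.setdefault(h[:5], []).append(h[5:])
    return index


BREACH_INDEX = build_range_index(LEAKED_PLAINTEXTS)


def range_query(prefix: str) -> List[str]:
    """Server side: return every stored suffix under a 5-character prefix."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return BREACH_INDEX.get(prefix.upper(), [])


def is_leaked(password: str) -> bool:
    """Client side: hash locally, send only the prefix, match the suffix."""
    h = sha1_hex(password)
    return h[5:] in range_query(h[:5])


def screen_password(password: str) -> str:
    """Return 'ok' or a reason the password is rejected.

    Checks run cheapest first; the blocklist match is case-insensitive so
    'Password1' is caught along with 'password1'.
    """
    if password.lower() in BLOCKLIST:
        return "rejected: on the worst-passwords blocklist"
    if len(password) < 8:  # NIST SP 800-63B minimum for user-chosen secrets
        return "rejected: shorter than 8 characters"
    if is_leaked(password):
        return "rejected: appears in a known credential leak"
    return "ok"


if __name__ == "__main__":
    for candidate in ["123456", "Password1", "hunter2", "qwerty123",
                      "correct horse battery staple"]:
        print(f"{candidate!r}: {screen_password(candidate)}")
```

Note that the blocklist and breach lookup are complements, not alternatives: a password such as "Summer2018!" passes a complexity rule and is absent from any top-100 list, yet is rejected here because it sits in the constructed corpus. In production the corpus is the provider's, and the prefix query keeps the user's password off the wire.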

The push towards multi-factor

Employees’ bad passwords may be one problem, but the way they’re stored isn’t much better: 17 percent of those in the Okta survey said they write passwords on a piece of paper, 15 percent store them in a desktop file, 10 percent store them in their phone’s note-taking app, and 9 percent write them on sticky notes.

Yet Okta’s analysis suggests that many organisations are, to their credit, at least trying to get better at managing their passwords: fully 13 percent of respondents said the thing they want most from their app experience is strong cybersecurity protection.

The fastest-growing apps within the company’s Okta Integration Network – which enables single sign-on through more than 5500 cloud, mobile and Web apps, and IT infrastructure providers – are security applications.

Use of KnowBe4 grew 178 percent year-on-year (YoY), while LastPass usage increased by 132 percent, and Proofpoint by 122 percent. And among companies with European headquarters, the fastest-growing applications were Mimecast (63 percent YoY growth) and Sophos (42 percent).

Multi-factor authentication has emerged as an increasingly popular solution for businesses: fully 70 percent of companies are now using two to four factors for authentication, the firm reported, with 29 percent of companies using four or more factors.

Two-thirds of those that started using Okta’s tools since 2016 did so using few factors, then over time added additional tools such as Okta Verify, Google Authenticator, YubiKey and Duo. At the same time, usage of SMS for two-factor authentication has progressively dropped off. That is a welcome shift: SMS codes can be diverted through SIM-swap fraud and phished like any other one-time code, and NIST SP 800-63B classes SMS as a restricted authenticator. App-generated codes close the SIM-swap hole but remain phishable; of the factors listed, only a hardware key such as a YubiKey used with FIDO binds the login to the genuine site.

Stronger authentication practices suggest recognition of the need to move away from static credentials – and it comes none too soon, with the recent Proofpoint Q4 2018 Quarterly Threat Report noting that email-based distribution of credential stealers or downloaders increased by over 230 percent from the end of 2017 to the end of 2018.