Half of IT leaders say passwords too weak for security purposes
Most IT leaders are worried about passwords being stolen at their organization, according to a survey from Ping Identity.
Passwords have long been a poor way to protect sensitive accounts and data. Faced with the challenge of adopting a unique and complex password for each account, many people instead turn to simple and vulnerable passwords, putting themselves and their organizations at risk. A report released Tuesday by Ping Identity and Yuibco looks at the repercussions of weak passwords.
To create its report titled Our passwordless future: A New Era of Security, Ping and Yubico commissioned Wakefield Research to survey 600 IT leaders and decision makers in April 2022. The survey elicited responses from employees defined as senior IT staff with a director level position or higher across the U.S., the U.K., Australia, France and Germany.
Among the respondents, 94% said they have serious concerns about user-generated passwords, with half of them believing that passwords are too weak for security purposes. Some 91% said they’re very or somewhat worried about passwords being stolen at their organization. Further, half of those surveyed see the lack of security strength in a password as a huge concern, admitting that many employees who must change an existing password make minimal modifications or simply reuse an old one.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
Though many employees use password management software, a large number turn to riskier methods, such as storing passwords on their mobile devices or writing them down on notepads at their desks. The problem has intensified with the shift to remote and hybrid work as the majority of IT leaders are less than confident that their employees maintain proper password hygiene.
Passwords increasingly represent an obstacle for the users who must juggle them. Based on the survey responses, many employees have to enter passwords 12 times a day, while some must do so 20 times each day. And some of these password attempts naturally fail. In just one month, employees were locked out of accounts or devices 78 times on average.
Due to the challenges faced by users, password-related issues chew up a lot of time and resources for IT and help desk staffers. A third of the support tickets fielded by the IT department are related to passwords, according to those surveyed. For some organizations, more than half of their support tickets are password related. Support incidents involving passwords have risen on average by 30%, leading many of the IT leaders to cite help desk costs as a concern in this area.
Given the trouble and anxiety over passwords, passwordless authentication seems like a reasonable alternative. Though virtually none of the respondents have so far adopted passwordless technology, 65% said they would be likely to implement it. Asked which form of passwordless authentication they would choose, 67% cited biometrics, 48% a PIN and 38% a physical security key.
However, the road to passwordless authentication is far from smooth. Among respondents, the top obstacle on this road is a lack of urgency among IT and business leaders. Others pointed to the technical limitations of the applications used by employees. Some admitted that they would be unsure how to implement it, and several said that their organization would be resistant to adopting it.
To help organizations interested in passwordless authentication methods, Zain Malik, senior product marketing manager for Ping Identity, offers several tips.
How to implement passwordless authentication
Begin with other centralized authentications
Have single sign-on and multi-factor authentication already in place, as these are typically the precursors to passwordless authentication. Moving to a passwordless technology is much easier if you already have centralized SSO and MFA.
Then identify the main use cases. This means asking several key questions: Which apps are easiest to start with? Which devices are used to log in? What are the limitations and opportunities from a security point of view? How would account recovery work?
Align your organizational mindset
Passwordless authentication requires a strong alliance between the IT/security group and the business area. Make sure the passwordless system has buy-in from upper management. Remember that passwords are an accepted inconvenience and a hurdle that organizations must overcome.
Commit your developers
The user interface is key. Your passwordless system must offer a smooth and quick authentication method. Make sure your developers are committed to adopting the passwordless technology in new apps and services.
Rollout to users
Start with a small and select number of users and apps and expand from there.
Your passwordless authentication will not deliver 100% security, but will require more advanced hacking techniques to crack. Don’t let that factor distract you from your passwordless vision.