A recent survey of IT, security, and cybersecurity leaders found 46% store passwords in shared documents and spreadsheets, and 8% physically record passwords in notebooks or sticky notes, despite the security risks associated with doing so.
Pulse and Hitachi ID surveyed 100 IT, security, and cybersecurity leaders to explore their password management practices and the effect they have on security. According to Hitachi ID, each employee may have between 70 and 100 secrets and passwords that could potentially be compromised. If a threat actor were able to gain access to that data, the information could be used for an extensive compromise such as an organization-wide ransomware attack.
Poor password management practices such as recording passwords and other secrets in shared documents were common despite 94% of IT leaders saying password management training is provided to the workforce. 63% of respondents said the training is provided more than once a year, with 39% of respondents providing password management training quarterly and 9% providing it monthly.
The survey confirmed that providing password management training to the workforce does not translate into good password security. Many employees will not adhere to the best practices they are taught in password management training because password management is often cumbersome and gets in the way of working efficiently. The solution for businesses is to provide employees with a password manager.
Password managers feature secure password generators that can generate long, complex passwords for every user account. They also autofill those passwords when they are needed, so users don’t have to remember them or type them, which improves productivity. This also serves as an additional layer of protection against phishing attacks, as the password manager will not autofill a password if a user lands on a website that is not associated with that password. All passwords are encrypted securely in a password vault, and only one password must be remembered – the password to access the password manager.
45% of respondents said password managers are used. 30% said a company password manager is provided and 15% said personal password managers are used. The latter can improve security but not without risk. If personal password managers are used, what happens when an employee leaves the company? Businesses should ensure that all passwords are reset immediately, but that is not always the case. Employees could still be able to access systems after they leave.
Respondents to the survey were asked how confident they were that an employee could not take company passwords with them after leaving the company, and only 5% of respondents said they were extremely confident that this could not happen. Only 7% said they were extremely confident that they could transfer passwords and credentials, terminate access, and maintain business continuity if they needed to terminate an employee urgently. 29% said that in the last 12 months, they had experienced at least one incident where they temporarily lost access to product systems after an employee left the company.