Bitwarden has published the findings of its 2023 Password Decisions Survey, which explores password practices and habits, strategies that have been adopted for managing passwords, how businesses are protecting against cyberattacks, and the methods adopted to reduce password risks. The survey covered 800 IT decision-makers, 400 in the UK and 400 in the US.
How Passwords are Being Managed
A password manager is the most secure way of creating and storing passwords, and adoption is growing. 84% of respondents said they use password management software; however, many also admit to storing passwords in a document on their computer (54%), relying on memory (45%), or writing them down (29%).
Passwords often need to be shared, but the methods used to share them are often not secure. 66% of respondents said they share them via their password manager, but 41% said they email them, 38% share an online document containing the password, 30% send them via a messaging app, 27% communicate them verbally, and 22% pass out paperwork containing passwords.
92% of Businesses Have Adopted 2-Factor Authentication
The Director of CISA recently said multifactor authentication was the single most important step that people can take to improve online security, and businesses seem to be getting the message. In 2021, 88% of respondents said they had adopted 2-factor authentication, and this year 92% said they used 2FA. When asked why adoption was not higher at work, 48% said it was because employees were not aware of the benefits, 47% said people didn’t think it necessary as their passwords were strong enough, and 41% said the risk of getting hacked was low, with the same percentage saying it slows down workflow.
91% of Respondents More Concerned about Cybersecurity than Last Year
91% of respondents said they have become more concerned about cybersecurity in the past 12 months, with the biggest cause of concern, stated by 60% of respondents, being the increase in remote working, with employees believed to be laxer about security when working from home. 43% of respondents said cyberattacks had increased from simple password breaches, and 35% said they are concerned about the high staff turnover and what happens to passwords when people leave.
Bad Security Practices Persist
90% of respondents admitted to reusing passwords for multiple accounts despite the security risk. 19% said they reuse passwords on 1-5 sites, 36% said they have the same password for 5-10 sites, 24% use the same password on 10-15 sites, and 11% said they use the same password on more than 15 sites. If a breach occurs at any of those sites, all other accounts will be at risk. Even though the respondents were IT professionals, 32% admitted to using shadow IT personally, and 49% said shadow IT practices among employees were a problem.
High Demand for an Enterprise-Wide Password Manager
The surveyed IT decision-makers expressed a strong desire for an enterprise password manager, with 79% saying their employer should provide one. There is also demand from employees. One possible way to improve adoption among employees is for employers to offer their staff a complimentary family account for personal use. 79% of employees were in favor of this and said they would be very likely to use it.
Most Businesses Have Adopted or are Considering Passwordless Authentication
Around half of the respondents said they had adopted passwordless technology or were planning to, and 66% of those respondents have one or two user groups or teams using passwordless authentication. Only 13% of respondents said they have fully adopted passwordless authentication across the entire organization. 51% of the respondents that had implemented passwordless authentication or were planning to said they are using or would use biometric authentication, such as facial recognition, fingerprints, or voice prints. The main reasons why passwordless technology was not adopted were applications not being designed to work with passwordless authentication (49%), reluctance from employees to change (39%), limited budget (28%), and resistance from leadership (23%). FIDO2 was seen as a critical part of passwordless adoption by 47% of respondents.