The password manager provider LastPass has published the findings of an IDC Global Survey on Identity and Access Management, which show that many businesses are struggling to balance security against the user experience.
Passwordless authentication is gaining traction, but passwords remain the primary control preventing unauthorized account access. Password guidelines require passwords of sufficient complexity to resist brute force attacks, which means they need to be relatively long, more than 10 characters, and contain a combination of upper- and lower-case letters, numbers, and symbols. Ideally, passwords should be random strings of characters, and to be resilient to credential stuffing attacks, in which a password leaked from one service is tried against others, a unique password must be used for each personal and business account. Therein lies a problem. It is hard enough to think of one strong password and remember it, let alone the 50-120 that every individual needs to set and remember. It is inevitable that employees will take shortcuts, which is what the IDC survey suggests.
83% of organizations represented in the survey said they had suffered a data breach in the past 12 months that they believed was the result of a compromised password or stolen identity. Passwords can be compromised in many ways, phishing attacks for instance, but many password compromises are the result of brute force or dictionary attacks that guess weak passwords. Password policies may require passwords to meet complexity requirements, but that does not mean strong passwords are being set, nor that unique passwords are being used. Many employees reuse passwords across business and personal accounts, and set weak passwords that technically satisfy the complexity rules. Passw0rd1! meets a typical complexity requirement but is incredibly weak: it is a dictionary word with predictable substitutions and a trailing digit and symbol, exactly the pattern cracking wordlists and mangling rules try first, so it would be guessed almost instantly.
The problem with access management has been exacerbated by the move to remote working due to the pandemic. Businesses now need to support much larger numbers of remote workers, each of whom is required to access multiple business systems remotely. The policies and protocols that were once sufficient for identity management in office settings are no longer working with a largely remote or hybrid workforce. 98% of respondents said remote working had had a negative impact on security. This was attributed to a combination of the lack of security on home networks, the use of devices with inadequate security, and poor password hygiene.
The simplest solution is to provide employees with an enterprise password manager. Password managers are among the most widely used identity and access management solutions. They include strong password generators, so employees can set passwords that meet complexity requirements and have a unique, random password for every account. Crucially, they improve the user experience, since those passwords do not need to be remembered: only one password is needed to unlock the password manager. That "password" can be a long passphrase of 12 or more characters, ideally several unrelated random words, which is resistant to brute force tactics yet easy to remember. The caveat is that the master password now protects every stored credential, so it must be genuinely strong and not reused anywhere, and access to the vault itself should be protected with multi-factor authentication.
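The gap between "meets complexity requirements" and "is actually strong" described above, together with the kind of generator a password manager provides, as an added illustration. This is example code written for this page, not code from LastPass, the IDC report, or any password manager; the common-password list and the wordlist are small constructed stand-ins for a breach-derived corpus and a diceware-style list, and the sample passwords are made up.

```python
import math
import re
import secrets
import string

# Constructed stand-in for a breached/common-password corpus. A real check uses a
# full breach-derived list (tens of millions of entries); these are illustrative.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "qwerty", "letmein", "welcome",
    "admin", "iloveyou", "football", "monkey", "dragon", "sunshine",
}

# Reverse the usual leetspeak substitutions so "passw0rd" normalises to "password".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed stand-in for a diceware-style wordlist; a real list has ~7776 words.
WORDLIST = ["anchor", "basil", "crater", "dune", "ember", "fjord", "glyph",
            "harbor", "iris", "juniper", "kelp", "lantern", "meadow", "nectar",
            "orbit", "pebble", "quartz", "ripple", "saddle", "tundra"]
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def meets_complexity(password: str, min_len: int = 10) -> bool:
    """The classic policy: minimum length plus upper, lower, digit and symbol classes."""
    return (len(password) >= min_len
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def candidate_forms(password: str) -> set:
    """Normalisations a cracker's mangling rules would also try: lowercase,
    strip symbols, strip trailing digits, undo leetspeak substitutions."""
    lowered = password.lower()
    stripped = re.sub(r"[^a-z0-9]", "", lowered)
    forms = {lowered, stripped, stripped.rstrip(string.digits)}
    forms |= {f.translate(LEET_MAP) for f in list(forms)}
    return forms


def is_common(password: str) -> bool:
    """True if any normalised form of the password is in the common list."""
    return any(f in COMMON_PASSWORDS for f in candidate_forms(password))


def check_password(password: str) -> tuple:
    """Complexity gate first, then the wordlist check the policy alone lacks."""
    if not meets_complexity(password):
        return False, "fails complexity policy"
    if is_common(password):
        return False, "common password after normalisation"
    return True, "ok"


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Guessing work for a uniformly random choice: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 16) -> str:
    """Random password over the full printable alphabet, re-drawn until it also
    satisfies the complexity policy so policy-enforcing sites accept it."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_complexity(candidate, min_len=length):
            return candidate


def generate_passphrase(words: int = 5, wordlist=WORDLIST) -> str:
    """Random words joined by spaces; strength comes from word count and list size."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    for pw in ("Passw0rd1!", "Dr4g0n$2021", generate_password()):
        print(f"{pw!r}: complexity={meets_complexity(pw)}, verdict={check_password(pw)}")
    print("16 random chars from 94 symbols:", round(entropy_bits(94, 16), 1), "bits")
    print("5 words from a 7776-word list:", round(entropy_bits(7776, 5), 1), "bits")
    print("passphrase:", generate_passphrase())
```

Both Passw0rd1! and Dr4g0n$2021 pass the complexity policy and are rejected only by the normalised wordlist check, which is why a policy without a breach-list comparison gives a false sense of strength. The entropy figures show where strength actually comes from: 16 random characters from a 94-symbol alphabet is roughly 105 bits, and five random words from a 7776-word list is roughly 65 bits, both far beyond anything a human-chosen pattern provides. The normalisation here only undoes the substitutions it enumerates; production checks compare against a full breach corpus rather than a handful of rules.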
“Identity and access controls are core components for addressing many future-of-work imperatives. As the number of daily login events rises, the user experience increases in importance. Enterprise password management (EPM) addresses security requirements while providing a consistent and comfortable user experience,” said Mark Child, Research Manager at IDC.
The survey revealed that 45% of respondent organizations have adopted a password management solution. The same percentage considered identity solutions such as single sign-on and multi-factor authentication a good option, but found the cost and resources required to implement them unattractive.
“As we look to the future of the workplace, employers who embrace deploying a single, user-friendly solution will help ease the employee experience, which is why password managers are fundamental to securing identity and access within an organization,” said Katie Petrillo, Director of Product Marketing at LastPass.