Since World Password Day is the big news this week, there are a ton of study reports about password woes in the news. According to a Balbix study report, 99% of enterprise users reuse passwords either across work accounts, or between work and personal accounts. The report goes on to give statistics about password sharing, and states that the rapid uptick of remote working due to the Covid19 crisis has shifted the balance of control away from IT and towards employees.
Another report, released by SecureAuth, shows that management is worse than junior staff at practicing good password hygiene. Their survey states that 53% of people admitted to reusing passwords across multiple accounts. Among respondents using the same password, 62% said that they use it across three to seven accounts; 10% said that they use the same password across more than 10 accounts. The article also highlights that people are so bad about this simply because keeping track of a number of different passwords is difficult and time consuming. Not to mention the fact that users need to change all those passwords regularly!
Another article cites the results of several password practices studies to state that, because of the Covid19 crisis, remote workers may be exposing their personal and business accounts to the risk of takeover due to poor password security. One study cited in this article also goes on to report that 17% of users share their work device password with a child or spouse, and that 36% of respondents admit to not having changed their home Wi-Fi password in over a year.
Another thing to consider is the ready compromise of even compliant, unique passwords due to phishing techniques. Phishing has proven itself to be the most successful password attack vector over recent years. Even veteran system users can occasionally be taken in by a clever phishing ploy.
Considering all of this, don’t you think it’s about time to bite the bullet and implement strong multi-factor authentication (MFA) techniques across the board!? Working with some of the most talented white-hat hackers in the world has shown me how easily a cyber criminal can compromise systems and move laterally across networks simply because of weak and shared passwords. It also has shown me how properly implemented MFA can thwart most of those attacks. There are only three factors one can use to identify oneself: something you know, something you have and something you are. I suggest using at least two of these factors. Better yet, why not use all three?