According to authentication security key manufacturer Yubico, IT managers and end users still have a long way to go before password and authentication practices are strong enough to protect an entire organization.
The company last week released its second annual State of Password and Authentication Security Behaviors Report in conjunction with technology research organization Ponemon Institute. The report is based on a survey of 2,507 IT and IT security practitioners and 563 end users in Australia, France, Germany, Sweden, the U.K. and U.S.
Despite years of warnings and high-profile cases of poor password practices, the report concludes that IT staff and individuals are both engaging in risky practices, and tools and processes put in place by organizations are not widely adopted.
That behavior has even continued after poor password security practices led to attacks, the report said.
Some key findings from the report:
- In some cases, end users report better security practices than IT professionals. Out of the 35% of individuals who said they were the victim of an account takeover, 76% changed how they managed their passwords or protected their accounts. For the 20% of IT professionals who were the victim of an attack, just 65% changed their practices.
- Further, individual users (39%) are less likely to reuse passwords across workplace accounts than IT experts (50%).
- Just over half of IT security professionals said their organization was the victim of a phishing attack, 12% said their employer experienced credential theft and 8% said it was a man-in-the-middle attack. However, just 53% of IT professionals said that was enough to change how passwords or corporate accounts were protected.
- While mobile use is on the rise, 62% of IT managers said their organizations don’t protect those devices as they do desktops.
- About half of both IT staff and end users share passwords with colleagues to access business accounts; 59% said they rely on human memory to manage passwords and 42% said they use sticky notes. Only 31% of organizations use a password manager.
To make sure everyone in an organization is using new security technology, it must be usable, simple and immediate, Yubico CEO Stina Ehrensvärd said in a statement.
“For years, achieving a balance between high security and ease of use was near impossible, but new authentication technologies are finally bridging the gap,” she said.
“With the availability of passwordless login and security keys, it’s time for businesses to step up their security options. Organizations can do far better than passwords; in fact, users are demanding it.”