Each year, password management software company LastPass publishes a report on business trends in credential management and password security. The 2019 report has just been released and is full of interesting findings.
Overall, businesses are increasingly adopting multifactor authentication methods and password generator solutions. But passwords are also still too frequently being reused between different accounts, and the majority of companies are still not requiring employees to create strong passwords. The more passwords employees are expected to juggle, the more these problems are amplified.
Trends in MFA adoption
LastPass surveyed over 47,000 international organizations that make use of its software to gauge trends in access and authentication in businesses worldwide. This year’s Global Password Security Report revealed a substantial increase in the use of multifactor authentication methods (MFA). The majority of companies (57%) have now implemented MFA for employees, up from 45% last year.
However, the “security score” that LastPass assigns to each company (based on their cyber security policies) remained at a relatively stagnant average. Part of this may be due to the nature of MFA methods in place; an overwhelming 95% of the companies surveyed are only using a software-based method, most often a temporary token generated by an app such as Duo Security or Google Authenticator. While this is certainly better than nothing, these methods have more potential vulnerabilities than hardware-based or biometric solutions. 4% of these companies have implemented a hardware MFA (such as a USB key), while only 1% have some sort of biometric MFA in place.
Larger businesses saw gains overall in security scores, but these were offset by backsliding by smaller organizations not keeping pace with technology and security best practices.
There is a correlation between the size of an organization and the likelihood of having MFA in place. 87% of businesses with over 10,000 employees have adopted MFA measures, but that number plummets to 34% of businesses with 25-100 employees and 27% of those with fewer than 25.
Business sectors that are necessarily more tech-savvy or security-conscious are also much more likely to have implemented MFA measures. 37% of tech industry respondents and 32% in banking are using it, versus 20% of insurance companies and law firms.
Robert Capps, VP of Market Innovation for NuData Security, provided some thoughts on the ideal way to implement MFA:
“Passwords alone, or combined with static security questions, have been an ineffective form of authentication for quite some time. Organizations and consumers should be moving forward to adopt additional security layers using multi-factor authentication (MFA), including biometrics, and strong cryptography. Although these options are stronger than a simple password or knowledge-based question, the stronger versions of MFA being adopted still only verify possession of a device or cryptographic key, but not that the correct user is using it. To bridge this gap, passive biometric and behavioral analytics are helping major companies worldwide to verify their customers using a combination of layers and triggering one or the other based on the level of risk. By adopting different verification layers, companies are gaining flexibility on how they verify each user and also on how they treat their customers. Adopting strong MFA techniques is a big step forward for security, but companies still need to keep working to know who they are really dealing with behind the screen.”
Though it is not addressed by this study, encrypting data “at rest” (while stored and inactive) is increasingly becoming a wise move for companies of all sizes that make use of cloud storage. As has been seen in the past two years, improperly secured Amazon S3 buckets and similar cloud storage have become a popular breach vector thanks to automated tools that quickly sniff them out. This data is most frequently used in identity theft, and can contribute to future phishing campaigns.
Trends in password security
Employees definitely have password fatigue. The survey found that at larger companies with over 1,000 employees, the average employee was expected to have about 25 unique logins. That number shoots up to 85 at the smallest companies, far too many numbers and symbols for the average person to keep track of. Employees that do not have a password manager available to them will almost inevitably resort either to re-using passwords, or to common passwords that are easily cracked by dictionary attacks.
The number of passwords an employee is expected to manage also varies greatly depending on their industry. Those that work in media or in a marketing profession have the most on average, with 97 passwords per employee. Government workers are at the bottom of the list, but still have an average of 54 passwords to contend with. Given all of this, it’s unsurprising to hear that employees re-use their passwords an average of 13 times.
Smaller companies are also more subject to password security problems due to limited resources. For example, a small company may only be able to purchase one license for a piece of software. The login credentials for that software are then shared across the entire organization. Not only is the risk profile increased, but complex passwords are rarely chosen in these situations as employees will forget them.
Companies have been slow to adopt password vault access on mobile phones, but there is a clear correlation between its availability and consistent employee use. Employees are 30% more likely to use password managers if it can be done from their phones, but only 23% of companies have added this as an option.
Locking down logins
The vast majority of breaches begin with a compromised password, usually obtained through targeted phishing of employee email accounts or social media profiles.
While LastPass obviously has a stake in selling their own password security product here, there is nevertheless a strong case to be made for the use of password management software – particularly at small organizations where employees are awash in unique logins and shared credentials. At minimum, login manager software tends to cut down dramatically on brute force password cracking.
And though this is not a new revelation, employee training and mandatory password strength policies are critical. Password security training is not effective if it is done just to tick a requirement box once every year or so; employees need to have ongoing awareness of organizational security and a good understanding of why a unique password for each login is vital to protect the company from a data breach.
The overall theme here is that employees are prone to poor password security and to falling for phishing emails, and that means solutions have to start from the top. It’s up to company admins to create and enforce good password behaviors and MFA strategies, and to ensure that employees are continually trained on the importance of cyber security and the value of personal information. It also greatly helps when governments take the lead; companies located in highly regulated areas, such as the EU and Australia, tended to have the highest levels of password security awareness.