Research from OneLogin Finds Weak Passwords are Imposing Millions of Dollars in Unnecessary Risk on US Firms

Share Article

IT Decision-Makers are Failing to Follow even the Most Basic Password Protection Policies

Passwords alone are not enough to secure your company

A new research report from OneLogin, the identity management provider bringing speed and integrity to the modern enterprise, finds that 87% of IT decision-makers believe they have sufficient password protection policies in place. But in reality, most IT decision-makers are failing to ensure strong passwords, exposing their companies to increased security risks that can lead to breaches with an average cost of $7 million to fully remediate, according to IBM Security.

The study, which surveyed more than 500 US-based IT decision-makers with influence over their company’s security systems, discovered that many businesses don’t require user passwords to meet any requirements other than being a minimum length with upper and lower case characters and numbers.

Here is an overview of the key findings:

  • Companies aren’t enforcing basic password requirements - Approximately a quarter (25%) of respondents don’t require user passwords to meet a minimum length requirement. Less than half (41%) of respondents check employee passwords against common password lists. Only 24% of respondents require users to rotate passwords monthly or more, with just about half (54%) enforcing users to rotate passwords on a quarterly basis. Because stolen credentials are uploaded to the Internet daily, password rotation is one way companies can stay ahead of hackers.
  • IT decision-makers are under the false impression they have sufficient password policies in place - The study finds 93% of respondents have company guidelines around password complexity with 87% of respondents believing these guidelines provide sufficient protection for their organization by ensuring that users choose hard-to-guess passwords. However, only 49% of respondents require their internal users to follow a basic password complexity policy.
  • IT decision-makers aren’t taking advantage of technologies that can help strengthen password-based access management - Only 42% of respondents are using Single Sign-On (SSO) to manage employee access to corporate applications with even fewer (34%) using SSO to manage external access to company apps. The use of multi-factor authentication (MFA) is even more discouraging with only 36% using MFA internally and 34% using MFA to manage external access.

These results demonstrate that companies aren’t doing enough to ensure adequate password protections. In addition to enforcing basic password protection guidelines, companies need to be investing in technologies that can help provide another layer of security. Not doing so could lead to significant costs, since the average cost for a US company to remediate a data breach is $7 million, according to IBM Security’s 2017 Cost of Data Breach study. These costs include unexpected loss of customer business, product discounts, forensic and investigative activities, and legal expenditures.

“Passwords alone are not enough to secure your company,” said Alvaro Hoyos, chief information security officer, OneLogin. “Companies need to be more forward-thinking when it comes to identity and access management by enforcing strong passwords and using modern Multi-Factor Authentication.”

According to Hoyos, businesses should consider the following to reduce their risk exposure due to weak passwords:

  • Choose applications that support SAML or OpenID Connect for user authentication. Applications are the front door to company data. When an app supports SAML (Security Assertion Markup Language) or OpenID Connect, it removes passwords from the equation, so common risks like password reuse or weak passwords are effectively mitigated.
  • Not all MFA is created equal. It’s not enough to just use any MFA technology. For example, one-time passwords (OTPs) sent over SMS are easier to compromise than other authentication factors. Modern MFA ensures that OTPs cannot be stolen or re-routed to a hacker-controlled account. Several solutions also evaluate additional data attributes surrounding the MFA request to make a more informed decision on whether it’s legitimate.
  • Monitor for failures. Preventive controls, such as passwords, are bound to fail at some point. Deploy monitoring tools to increase the chances of detection by looking for anomalies. For instance, is a user successfully logging in from a remote location when they usually work from the office? Being able to detect anomalous activity is crucial when cybersecurity attacks are constant.

To learn more about how to achieve more secure access to corporate applications, please visit https://www.onelogin.com/. For more information about the new research, contact onelogin(at)walkersands(dot)com.

About OneLogin, Inc.
OneLogin brings speed and integrity to the modern enterprise with an award-winning single sign-on (SSO) and cloud identity and access management (IAM) platform. Our portfolio of solutions secures connections across all users, all devices, and every application, helping enterprises drive new levels of business integrity, operational velocity, and team efficiency across all their cloud and on-premise applications. OneLogin manages and secures millions of identities around the globe. We are headquartered in San Francisco, California. For more information, visit http://www.onelogin.com.

Share article on social media or email:

View article via:

Pdf Print

Contact Author

Rosie Gillam
Visit website