UK IT Bosses Failing on Password Best Practices
UK IT managers are exposing their organizations to unnecessary risk by failing to adhere to best practices around password security, according to OneLogin research.
Released on World Password Day today, the poll of 300 IT decision makers revealed a worrying gap between perception and reality.
Although nearly all respondents (98%) had company guidelines in place to protect passwords and a similar number (95%) claimed such measures were adequate, the research highlighted several shortcomings.
For example, two-thirds (66%) admitted they don’t check employee passwords against common credential lists, and even more (78%) don’t check for password complexity.
What’s more, just 53% require single sign-on (SSO) and less than half require numbers (47%) and upper and lower-case characters (37%).
"This report should be a reminder to every business leader in the UK to carefully review their password management," said OneLogin CTO, Thomas Pedersen. "Cyber-criminals thrive on companies overlooking fundamental security requirements, which becomes an open invitation for any hacker on the hunt for easy passwords."
Experts used the awareness-raising day to call for an end to static credentials.
“Maybe it’s time to retire ‘World Password Day’ in favor of ‘World Authentication Day’,” argued Tripwire VP of product management, Tim Erlin.
“The password is the least secure component in most authentication systems, and passwords alone are no longer sufficient. World Password Day is a good day to set up multi-factor authentication (MFA) everywhere you can.”
Colin Truran, principal technology strategist at Quest, welcomed the growing popularity of MFA but argued that firms need to go further.
“Today things are starting to change and I am encouraged to hear many more organizations turning to multiple levels of biometric identification, including government bodies,” he added.
“Of course, it’s a huge responsibility to hold such biometric information in our consumer and user base, so this information must itself be protected by something better than a password! Let’s try to make this day a day of remembrance rather than a reminder of our reluctance to let go of an outmoded concept.”
Source: Information Security Magazine