Old password habits die hard … if they ever die at all


If there’s anything that security and IT teams hate more than managing credentials, I certainly can’t think of it. Users hate having to manage their passwords and they tend to do so poorly. And that, in turn, leads to password reset request calls — among the most costly of helpdesk service call types. (By the way, if your organization hasn’t already automated this particular process, what are you waiting for?)

Of course, none of this is new. You’d think, in the nearly 20 years since the web and password explosion began, that we’d all have become better with passwords by now. Unfortunately, we haven’t.

Consider identity and access management provider SailPoint’s 10th Annual Market Pulse Survey. This survey found enterprise user password hygiene to be getting worse, not better.

First up is a big “no-no” regarding password reuse. Reusing usernames and passwords across websites and cloud services is dangerous, primarily because if one site is cracked, the other sites where those passwords are reused are at increased risk. One of the first things attackers do when they come across a trove of usernames and passwords is to try them against other sites.

According to SailPoint, 75 percent of respondents admitted that they reuse passwords across sites, and 47 percent of respondents admitted to reusing passwords across both employer and personal accounts. This bad habit has grown worse over the past four years, having increased by 19 percent over that period.

Fascinatingly, 15 percent of survey respondents — that’s one in seven — would sell their passwords to someone else, often for less than $100.

What’s the takeaway here for security managers and identity teams? It’s to a.) make sure all user credentials are managed properly and b.) enforce good security hygiene — because it’s clear end users won’t do it on their own.

The SailPoint survey found a number of interesting generational differences, too, when it comes to passwords:

  • Those ages 18 to 25 were found to have the worst password practices
  • 87 percent of 18- to 25-year-olds reuse passwords across different accounts, compared to 75 percent of all employees
  • 60 percent of 18- to 25-year-olds use the same password across work and personal accounts, compared to 47 percent of all employees
  • 28 percent of 18- to 25-year-olds would provide their passwords to a third party, compared to 15 percent of all employees and just 4 percent of those aged over 55

It’s true that everyone hates passwords; I know I certainly do. Unfortunately, they are here to stay for the foreseeable future. To make passwords as effective as possible, this survey shows organizations need to increase password security training and awareness, and when possible automate the management and enforcement of good password policy.

 
