Forrester: Passwords are Here to Stay, Here’s How to Deal With It

Passwords, with all of their issues and rumored replacements, are here to stay—at least for the time being—according to a new research report from Forrester.

In 2015, passwords remain “the most common form of user authentication for apps and systems,” according to the Cambridge, MA-based tech research and analysis firm. The truth is that until we can find an adequate replacement for the ubiquitous username-password combination, Security and Risk (S&R) professionals have no choice to coexist with passwords while their organizations assess alternatives.

But that doesn’t mean we have to take the lost productivity and frustration commonly associated with lost or reset passwords lying down, according to Forrester’s new report, Benchmark Your Employee Password Policies and Practices.

The report, based on a survey conducted by Forrester in 2015 to identify firms’ “current password policies, usage, and challenges,” offers guidance and recommendations on password management that S&R pros can use to manage the costs and risk associated with managing employee and customer identity. So what exactly did Forrester find in their survey of 70+ large organizations? Here a few key takeaways from the 18-page report (available here) you can use to benchmark your own password and identity management policies:

Password structures and Policies are Becoming Standardized

As noted above, though the “kill the password” warcry is growing louder, passwords remain “a necessary evil,” as Forrester puts it. But that doesn’t mean they need to be a messy ordeal. One of the primary findings revealed in Forrester’s survey data is that a sizeable majority of firms have adopted consistent, organization-wide password policies based on password length, number of characters, and frequency of change.

According to Forrester’s research, 77% of firms require quarterly passwords changes for employees, and 81% of firms store employee password histories to prevent passwords from being reused, a recommended best practice.

Forrester recommends that security teams not following these protocols, and other best practices listed in the report revisit thier current policy and consider strengthening it, especially for high-risk and privileged users.

Password Troubles Continue to Cost Organizations Productivity

Despite the growing number of organizations following best practices and protocol for password monitoring and management, many organizations are still dealing with the headaches, lost productivity, and financial cost associated with forgotten, reset, or locked passwords. Forrester’s survey data shows that  the cost and frequency of passwords issues are not decreasing,

As an example, Forrester examines a large US-based public university, with over 300,000 total users (including students, faculty, and administrators). Forrester found that in 2014, that university’s users completed an average of nearly 8,000 password resets per month and that nearly 50% of users requesting a password reset could not complete that action via self-service. That meant the IT help desk had to field an average of 890 calls per month just to reset passwords— that’s a lot of productivity lost waiting for IT to provision or change user access. To combat this loss, Forrester recommends several best practices, including the use of automatically provisioning Identity and Access Management (IAM) solutions.

Cloud Security Concerns are Not Influencing Security Policy as Much as We Thought

Even as enterprise adoption of public cloud services hits record numbers, security concerns often remain the most common excuse for avoiding the use of public cloud services, but Forresters research shows that, while CISOs may have no trouble voicing their concerns over cloud security, they aren’t exactly acting on them.

S&R pros understand the cloud security risks, says Forrester, but they aren’t strengthening password requirements for SaaS and other cloud apps. According to the report, the majority of firms surveyed apply the same old password policies and protections they use for on-premise apps to cloud apps. This may be done to create a consistent and easy employee experience, but using the same policy for both on-prem and cloud apps can greatly increase risk, warns Forrester.

Interested parties can download Forrester’s report in full. Inside, you’ll get a full breakdown of these issues, as well as best practices for resolving them, and Forrester’s take on:

• The State Of Employee Passwords: Trends Good, Bad and Ugly
• How IAM Can Help Ease the Password Burden
• How to Tackle Password Challenges and Plan For The Future

Get the full report.