How can your enterprise encourage good password habits among your employees? Why does that matter to your overall identity and access management? How does it relate to your privileged access management (PAM)?
Earlier this week, we covered the latest Annual Global Password Security Report from LastPass by LogMeIn. In that report, we learned about some of the obstacles employees face to good password habits:
- Employees at small-to-medium-sized businesses must remember an average of 85 passwords.
- Even at larger enterprises, employees must keep track of an average of 25 passwords.
- Less than half of all enterprises use Single Sign-On (SSO).
However, this report only skims the surface of the obstacles to good password habits for enterprise employees; in fact, the majority of obstacles stem from employees again. According to the Harris Poll, conducted with a Google partnership, found employees reuse one password an average of 13 times. Meanwhile, about two-thirds of employees repeat their passwords for a wide variety of sites.
Additionally, while 40 percent of employees experience a breach, only 37 percent use two-factor authentication. 34 percent change their passwords on a regular basis and over half say they won’t bother to change their passwords in the aftermath of a breach.
Worse, their passwords may not prove effective. The Harris Poll found 60 percent of people study say their birthday is a part of at least one password. SplashData found nearly 10 percent of users selected at least one of the 25 worst passwords.
However, enterprises don’t always support good password habits. LastPass found only 36 percent of businesses enable policies of resetting their master passwords. Simultaneously, only 24 percent enforce strong master passwords requirements.
The Top Good Password Habits for Enterprise Employees
1. Prevent Recycled Passwords
Even though employees feel overwhelmed by the number of passwords they must remember, you can’t allow them to recycle passwords. Every reused password constitutes a potential vulnerability in your IT infrastructure and login portals. In fact, reused passwords have a higher chance of ending up in the Dark Web; thus, they could end up in the hands of hackers for password spraying attacks.
Instead, your enterprise should encourage employees to make strong, unique passwords for every account they use for their workflows. Fortunately, identity and access management capabilities can help with this:
These securely save and sync your credentials, allowing them to become more complex without overwhelming employees. Password managers can generate, retrieve, and keep track of impossibly strong or complex credentials. Additionally, they can store the passwords in an encrypted database.
Often, password managers combine with password vaulting. Password vaulting encrypts passwords, allowing only one password to access all of them.
One important thing to note about single sign-on; SSO does not mean the same thing as saving passwords in your browser or synchronizing devices. Instead, SSO acts as one capability and function of a next-generation identity and access management solution. Through SSO, a user logs in with a single username and password to access multiple systems. This enables them to only memorize a few sets of credentials, allowing them to improve their complexity and security.
2. Use Multifactor Authentication
Ironically, the best way to encourage good password habits is to take some of the burdens off of passwords. Thankfully, you can supplement passwords with two-factor and multifactor authentication (MFA). Two-factor authentication adds another layer to your authentication procedure; for example, in addition to a password, you can ask employees to provide a hard token. In other cases, your enterprise can ask employees to respond to an SMS message to their mobile devices.
MFA works in a similar manner, except adding new layers of authentication beyond the traditional two. These factors might include:
- Time of Access Request Monitoring.
- Physical Biometrics.
- Behavioral Biometrics.
- Hard Tokens.
- SMS Messaging.
Multifactor authentication subscribes to the principle of layered security; the more layers between the access request and database, the more secure it becomes.
Of course, hackers can always bypass authentication security protocols with enough time and resources. However, most hackers won’t bother; they would much rather target a low hanging fruit among enterprises. The stronger you make your cybersecurity, the fewer attacks you can expect (as ironic as that might feel).
Multifactor authentication encourages good password habits by in some ways making passwords somewhat less critical to identity security.
3. Stop Password Sharing
Few issues prove as toxic to good password habits and as ever-present among enterprises as password sharing. Indeed, good password habits are incompatible with password sharing. Further, password sharing can take many different forms.
Sharing passwords can include writing passwords down on paper or sticky notes or informing colleagues of passwords to bypass security. The former sees employees share their passwords unintentionally, while the latter demonstrates far too much trust in their colleagues.
Sharing passwords can lead to an increase in insider threats, as it prevents full accountability or monitoring over your users. It allows those insider threats too much access, far beyond their normal capabilities.
Thankfully, next-generation identity and access management solutions prevent a lot of password sharing; often, they need more than just passwords to receive access, making password sharing impossible.
How to Learn More
To learn more about how next-generation identity management encourages good password habits, check out our 2019 Buyer’s Guide. We cover the top solution providers in the market and their key capabilities. Also, we provide a Bottom Line Analysis on each vendor profile. Be sure to check it out here, as well as our other resources.
Latest posts by Ben Canner (see all)
- 2020 Vendors to Know: Identity Management - July 13, 2020
- 2020 Vendors to Know: Identity Governance - July 9, 2020
- 2020 Vendors to Know: Privileged Access Management - July 7, 2020