{"id":787,"date":"2016-02-02T02:30:04","date_gmt":"2016-02-02T06:30:04","guid":{"rendered":"https:\/\/solutionsreview.com\/identity-management\/?p=787"},"modified":"2016-02-02T15:39:11","modified_gmt":"2016-02-02T19:39:11","slug":"forrester-passwords-are-here-to-stay-heres-how-to-deal-with-it","status":"publish","type":"post","link":"https:\/\/solutionsreview.com\/identity-management\/forrester-passwords-are-here-to-stay-heres-how-to-deal-with-it\/","title":{"rendered":"Forrester: Passwords are Here to Stay, Here’s How to Deal With It"},"content":{"rendered":"

\"\"<\/a>Passwords, with all of their issues and rumored replacements, are here to stay\u2014at least for the time being\u2014according to a new research report from Forrester.<\/p>\n

In 2015, passwords remain \u201cthe most common form of user authentication for apps and systems,\u201d according to the Cambridge, MA-based tech research and analysis firm. The truth is that until we can find an adequate replacement for the ubiquitous username-password combination, Security and Risk (S&R) professionals have no choice to coexist with passwords while their organizations assess alternatives.<\/p>\n

But that doesn\u2019t mean we have to take the lost productivity and frustration commonly associated with lost or reset passwords lying down, according to Forrester\u2019s new report<\/a>, Benchmark Your Employee Password Policies and Practices<\/em>.<\/p>\n

The report, based on a survey conducted by Forrester in 2015 to identify firms’ “current password policies, usage, and challenges,” offers guidance and recommendations on password management that S&R pros can use to manage the costs and risk associated with managing employee and customer identity. So what exactly did Forrester find in their survey of 70+ large organizations? Here a few key takeaways from the 18-page report (available here<\/a>)\u00a0you can use to benchmark your own password and identity management policies:<\/p>\n

Password structures and Policies are Becoming Standardized<\/strong><\/p>\n

As noted above, though the “kill the password” warcry is growing louder, passwords remain “a necessary evil,” as \"Forrester_Ping_Figure1\"<\/a>Forrester puts it. But that doesn’t mean they need to be a messy ordeal. One of the primary findings revealed in Forrester’s survey data is that\u00a0a sizeable majority of firms have adopted consistent, organization-wide password policies based on password length, number of characters, and frequency of change.<\/p>\n

According to Forrester’s research, 77% of firms require quarterly passwords changes for employees, and 81% of firms store employee password histories to prevent passwords from being reused, a recommended best practice.<\/p>\n

Forrester recommends that security teams not following these protocols, and other best practices listed in the report<\/a> revisit thier current policy and consider strengthening it, especially for high-risk and privileged users.<\/p>\n

Password Troubles Continue to Cost Organizations Productivity<\/strong><\/p>\n

Despite the growing number of organizations following best practices and protocol for password monitoring and management, many organizations are still dealing with the headaches, lost productivity, and financial cost associated with forgotten, reset, or locked passwords. Forrester’s survey data shows that \u00a0the cost and frequency of passwords issues are not decreasing,<\/p>\n

As an example, Forrester examines a large US-based public university, with over 300,000 total users (including students, faculty, and administrators). Forrester found that in 2014, that university’s users completed an average of nearly 8,000 password resets per month\u00a0and that nearly 50% of users requesting a password reset could not complete that action via self-service. That meant the IT help desk had to field an average of 890 calls per month just to reset passwords\u2014 that’s a lot of productivity lost waiting for IT to provision or change user access. To combat this loss, Forrester recommends several best practices, including the use of automatically provisioning Identity and Access Management (IAM) solutions.<\/p>\n

Cloud Security Concerns are Not Influencing Security Policy as Much as We Thought<\/strong><\/p>\n

Even as enterprise adoption of public cloud services hits\u00a0record numbers<\/a>, security concerns often remain the<\/a> most<\/a>\u00a0common<\/a> excuse for avoiding the use of public cloud services, but Forresters research shows that, while CISOs may have no trouble voicing their concerns over cloud security, they aren’t exactly acting on them.<\/p>\n

\"Forrester_Ping_Figure2\"<\/a><\/p>\n

S&R pros understand the cloud security risks, says Forrester, but they aren’t strengthening password requirements for SaaS and other cloud apps. According to the report, the majority of firms surveyed apply the same old password policies and protections they use for on-premise apps to cloud apps. This may be done to create a consistent and easy employee experience, but using the same policy for both on-prem and cloud apps can greatly increase risk, warns Forrester.<\/p>\n

Interested parties can download Forrester’s report in full. Inside, you’ll get a full breakdown of these issues, as well as best practices for resolving them, and Forrester’s take on:<\/p>\n