The Edge

Passwords: Do Actions Speak Louder Than Words?

For most of us, passwords are the most visible security control we deal with on a regular basis, but we are not very good at managing them.

Whether we as a whole are doing better or worse in terms of password security is still unclear, but one thing is certain: We are clearly overconfident in our perceptions about our security activities.

With adversaries increasingly targeting passwords to break into online accounts or gain access to corporate networks, people are more aware of password security, yet they are still not doing enough to secure their credentials. Two-thirds of respondents (66%) in a recent password security survey conducted by Ipsos on behalf of Google said they use completely random passwords with a mix of characters, but 65% also said they reuse passwords across different online accounts.

There is some indication that users are using technology to improve password security: Sixty-one percent of respondents said they sign into sites using another service (such as Apple ID or Google accounts), according to the Google/Ipsos survey, and 44% said they use a password manager service. Yet 63% said they track passwords by writing them down on paper or making a note on their mobile devices. 

Who Has 2FA?
Two-factor authentication (2FA) is another head-scratcher. Almost three-quarters (73%) of respondents say they use 2FA at least some of the time, but the adoption numbers from individual services tell a different story. Just 2.5% of active Twitter accounts had at least one 2FA method enabled as of June 2021, according to the social media company's transparency report. Only 16.5% of active GitHub users and 6.44% of npm users have enabled one or more forms of 2FA on their accounts, according to Microsoft-owned GitHub.

Perhaps the figures indicating a high rate of adoption for multifactor authentication (MFA) are skewed by gamers on platforms that offer incentives to enable it. In a 2019 study on adoption rates for 2FA, 56.7% of the respondents had a Blizzard account, of which 43.1% had activated 2FA; 88.1% had a Steam account, of which 62.6% had activated 2FA; and 65.6% had a Guild Wars 2 account, of which 55% had activated 2FA. Compare that with the 87.7% of respondents who had a Reddit account, of which only 11.5% had activated 2FA.

There is a bit of a disconnect on the corporate side, too. In a recent study on identity management by ESG, 58% of organizations said they have implemented MFA, while 23% ranked MFA as the most effective identity and access management solution. Yet Microsoft said in its Cyber Signals report earlier this year that only 22% of all its Azure Active Directory customers use MFA.

In the same ESG report, 32% of organizations said they make MFA optional for employees, and 27% treat MFA as optional for third-party contractors and workers.

The post-mortem investigation of the ransomware incident at Colonial Pipeline found the attack succeeded because the compromised account did not have MFA enabled, says Bojan Simic, CEO and CTO of HYPR. In fact, although defense contractors should have implemented MFA five years ago, many have still not fully done so.

“MFA projects frequently exist on a planning chart only,” Simic says.