
Average Employee Manages Nearly 200 Passwords

But single sign-on support is lacking in more than 50% of the most popular websites and services used by workers.

Employees use an average of 191 passwords, which they enter 154 times in a given month, racking up an estimated 36 minutes of password data entry during that time, according to a report released today.

The Password Exposé report, based on aggregated and anonymized data from over 30,000 LastPass customers, found that other industry reports often underestimate the number of credentials used and put the figure closer to an average of 27 passwords per employee.

In addition to enterprise apps, employees often use dozens of other apps while at work, such as advertising and analytics platform apps as well as demonstration apps, the report notes.

Meanwhile, companies and employees do not get full relief by using single sign-on (SSO) technology.

Although a number of enterprise apps have SSO capabilities, more than 50% of the most popular websites and services, such as Box, MailChimp, and LinkedIn, do not support SSO out of the box, the report states.

As a result, companies are left to put a business password manager in place to ensure all of those websites and services are "captured" and managed by IT policies, says Rachael Stockton, director of product strategy at LastPass.

Password vaults with multifactor authentication are enabled in 26.5% of the companies included in the report, a level that lacks broad enough adoption to offset the problems that enterprises face with passwords, according to the report.

"Multifactor authentication isn't supported widely enough across Web services, and isn't adopted frequently enough by businesses, to offset the risks that passwords pose," Stockton says. "While the business community is moving in the right direction, change is happening too slowly. Until universal coverage with multifactor authentication (or even behavioral or contextual authentication) is available, companies need to invest in strengthening the password-protected services in use across the entire organization."

Another recent study found that while corporate America's use of passwords remains prevalent, multifactor authentication is showing some signs of growth in the enterprise. Javelin Strategy & Research's 2017 State of Authentication Report found 100% of enterprises continue to use passwords, despite industry calls to ditch them altogether or at least bolster security through a combination of passwords and other measures, such as biometrics and public key infrastructure.

Password vaults also grow exponentially, the study found. The average employee starts with 20 credentials in their password vault and within three months that number doubles, according to the report.

LastPass, in a report from last year, found that 91% of users were aware of the risks of reusing passwords, yet 61% continued with the practice.

Business and Personal Password Use Intermingled

Roughly half of the top 36 popular websites that employees access for work are consumer solutions, such as Dropbox, Google, and Evernote, the report states. But the owners of these accounts are likely the employees, even though sensitive work-related data is likely stored on these accounts.

"The line between 'business' and 'personal' apps is a blurry one. People are often using personal accounts in the workplace, and may even be doing work or sharing work data in those personal accounts," says Stockton.

The report also points to a recent Ovum study that found 23% of workers will use their social media credentials to log into business systems and applications, as well.

"It was very surprising to learn that businesses were allowing access to their data through sites protected only by personal passwords that they have no control over," Stockton adds.

In citing the problems with this practice, Stockton says the first one is control. When an organization allows an employee to log in via Facebook, it leaves all password policy control, such as two-factor authentication, password rotation, and number of characters, to the end user and raises the risk that a weak password is protecting access to critical business data, she says.

The second risk, Stockton observes, is that social media credentials are often reused and not very secure.

"If one social media website has a security incident, there's increased risk that attackers will find re-used credentials to access corporate accounts," she says. "You are basically outsourcing the password security for your company to another website."


Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ...

Comments
SethRuden,
User Rank: Author
11/8/2017 | 12:59:09 PM
Re: Password management solutions
Service Provider authenticators will be forced to change or embrace the reputation risk of being a perpetuator of a zombie technology
craigk944,
User Rank: Apprentice
11/3/2017 | 2:22:02 PM
191 Passwords - I have my doubts.
"How many unique passwords?" is the question. The word unique is nowhere in the report. If you use the word "fred" as a password and have Google save it for 50 websites, is that one password or fifty? craig kensek
RussD653,
User Rank: Strategist
11/2/2017 | 10:04:08 AM
Password management solutions
I for one use LastPass for my family's passwords and management of the massive number of logins we have.

There is really no way to manage your personal passwords and logins without a combination of solutions, like LastPass for the vault and Auth for two factor authentication.

 