Bad password habits can drive your business' security team crazy. But they also have major security implications for us personally. Some new data released today highlights what some of the issues are and what we can do about them.
The SailPoint 2018 Market Pulse Survey found that despite the risks, most of us are doing a pretty poor job of protecting our user accounts and personal data.
For example, it found four in five Australian respondents reuse passwords across different accounts, which is more than the global average of 75%. And almost half of us duplicate passwords across work and personal accounts, which is about the same as the global average. 17% of respondents in Australia change their work passwords two or fewer times per year while, for personal accounts, almost three-quarters of Aussie respondents change their password two or fewer times per year.
The password itself is crappy. It’s a fundamentally flawed mechanism for securing our accounts and data that should have died long ago. That means poorly crafted passwords are doubly bad. But with the release of iOS 12 and recent updates to Android, truly terrible passwords—your 123456, facebookpassw0rd, or dEadP3tsnAme—have lost all reason to exist.
The issue of password reuse is getting worse despite all the publicity around how it is exploited by bad guys who steal credentials from one place in order to infiltrate another. Since SailPoint first asked the question 4 years ago, the reuse of passwords for multiple accounts has grown nearly 20%, highlighting that poor user password hygiene is a major problem for organisations.
Incredibly, around one in seven respondents (15%) would consider selling their workplace passwords to a third party if the price was right.
Unsurprisingly, many of us think IT can be a source of inconvenience in our organisation, but just 24% of respondents say they (or one of their colleagues) have purchased and/or deployed software without IT's help, compared to the global average of 31%. So, while we're not happy with IT, we don't take matters into our own hands as much as our overseas counterparts. Interestingly, 11% of respondents wouldn't tell IT immediately, potentially making a bad situation much worse, although that's not all that far off the global average of 13%.
SailPoint also noted that the emergence of bots in workplaces has created a new class of "user" that needs to be managed. As automation expands in response to the volume of data we handle and the velocity at which it needs to be accessed, there's a decreased understanding of exactly what data a business is holding, where it's kept, and precisely who accesses it and how they get to it. This increased complexity is creating new ways for bad guys to exploit vulnerabilities and making it harder for good guys to protect their assets.