IT leaders in the United States are putting business data at risk by not effectively managing employees’ passwords, according to OneLogin research.
Despite the fact that 91% report they have company guidelines in place around password complexity, and 92% believe their current password protection measures and guidelines provide adequate protection for their business, the results suggest there is still a lot of work to be done.
OneLogin surveyed 300 IT decision makers across the U.S. to discover their attitudes towards password hygiene. Respondents indicated that nearly two-thirds (65%) don’t check employee passwords against common password lists and more than three-quarters (76%) don’t check employee passwords against password complexity algorithms. This poor password hygiene is leaving U.S. businesses vulnerable to cyber-attacks.
“This report should be a reminder to every business leader to carefully review their password practices,” said Thomas Pedersen, OneLogin’s chief technology officer and founder.
“Cybercriminals thrive on companies overlooking fundamental security requirements, which becomes an open invitation for any hacker on the hunt for easy passwords.”
Companies lack consistent password fundamentals
While the majority of respondents practice good password hygiene, many respondents indicated that basic fundamentals are often lacking:
- Fewer than 15% check passwords against rainbow tables.
- Around one third don’t require special characters (32%) or a minimum length (35%).
- More than one in four don’t require numbers (71%) and upper and lower case (72%).
- One-fifth of U.S. businesses rotate passwords less than twice per year.
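The controls the survey asks about (a common-password list, minimum length, special characters, digits and mixed case) as a single policy check, added here as an illustration and not taken from OneLogin or the report; the banned list is a small constructed stand-in for a real breach-derived list that an organisation would load from a file.

```python
"""Password policy check covering the fundamentals the survey measures:
a common-password list, minimum length, special characters, digits and
mixed case. Returns the rules a candidate password fails."""
import string

# Constructed sample of a common-password list; real lists run to millions
# of entries and would be loaded from a file rather than embedded.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome1", "summer2023",
}


def normalise(password: str) -> str:
    """Fold case and strip trailing digits/punctuation so that a trivially
    decorated banned word ('Password1!') still matches 'password'."""
    return password.lower().rstrip(string.digits + string.punctuation)


def check_password(password: str, min_length: int = 12,
                   banned: set[str] = COMMON_PASSWORDS) -> list[str]:
    """Return the list of policy rules the password fails.

    An empty list means the password passes every check. The rules mirror
    the survey items: length, special character, digit, mixed case, and a
    lookup against the common-password list (both exact and normalised).
    """
    failures: list[str] = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if not (has_upper and has_lower):
        failures.append("not mixed case")
    if password.lower() in banned or normalise(password) in banned:
        failures.append("appears on the common-password list")
    return failures


if __name__ == "__main__":
    for candidate in ("Password1!", "summer2023", "correct-Horse-battery-7"):
        print(candidate, "->", check_password(candidate) or "OK")
```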
Poor password hygiene leaves corporate applications vulnerable
Mandatory requirements for internal corporate applications are also concerning:
- Only 42% require single sign-on (SSO) integration.
- Only 39% have implemented password complexity policies.
- 63% have not implemented password rotation policies.
“Companies need to adopt a security-first approach with simple identity and access management features to eliminate passwords via SSO and protect access via MFA,” added Pedersen.