Very few users take appropriate action to significantly reduce the risk of password compromise, according to a Balbix report.
The study found that more than 99% of enterprise users reuse passwords, either across work accounts or between work and personal accounts. Password reuse is prevalent because users want convenience and speed when navigating various accounts. The report also found that, on average, each user password is shared across 2.7 accounts.
What’s more, the average user has more than 8 passwords shared between accounts, with 7.5 passwords shared between work and personal accounts and 0.8 passwords shared between internal and SaaS accounts.
“The rapid shift to remote work as a result of COVID-19 has simultaneously shifted the balance of control away from IT and towards employees,” said Abe Smith, a cybersecurity veteran with decades in information security leadership roles in the Bay Area.
“Even well-intentioned users won’t have identity best practices, such as multifactor authentication and avoiding password reuse, in mind when adopting new tools. Security teams must find ways to automate identification of password risks.”
Compromised credentials, a widespread issue
Breaches caused by compromised credentials are not the result of a small minority of users with poor password hygiene; they are the result of a widespread issue. The report identified the key password-related issues most responsible for the overall breach risk to the enterprise. They are listed below in order of greatest risk:
- Weak and default system passwords on domain controllers and other infrastructure components and services
- Cached credentials for logging into mission-critical systems
- Privileged user machines with a high likelihood of breach logging into core servers
- Password reuse between work and personal accounts
Organizations have the least control over passwords
Of the different aspects of security, organizations have the least control over passwords. Users desire a high level of convenience, and while this is common human behavior, organizations must still prioritize the issue of poor password hygiene to remediate the associated risk.
“Compromised, weak and reused passwords still account for the majority of hacking-related data breaches and are one of the top risk issues for most enterprises,” said Gaurav Banga, CEO and founder of Balbix.
“In order to transform cyber security posture and increase overall resilience, enterprises must systematically address the weaknesses in their password strategies, adopting proven technologies such as multifactor authentication and password managers.”