Most Organizations Have Password Policies, But Half Don’t Enforce Them
IT professionals have company guidelines around password complexity and reuse, but they are not often enforced, reflecting a complacent attitude towards password security, a survey released today by cloud-based identity and access management provider OneLogin suggests.
Ninety-three percent of respondents said that their company has guidelines around password complexity, while 87 percent of IT decision-makers feel they have adequate password protection measures in place. Most of these guidelines require passwords to meet a minimum length, use a mix of upper and lower case letters, and use numbers and special characters.
Less than one-quarter (24 percent) of respondents require employees to rotate passwords on a monthly basis, while 53 percent of respondents require passwords to be changed on a quarterly basis.
According to OneLogin, less than half (49 percent) of respondents require their internal users to follow a basic password complexity policy.
The common password guidelines described by respondents to the OneLogin survey are out of touch with the most current recommendations from the National Institute of Standards and Technology (NIST), released in June.
Though designed for use by federal agencies, the guidelines have been referenced by private companies over the years as guiding best practices around password security. The latest guidelines reversed a lot of common knowledge around passwords, including doing away with the requirements to include numbers and special characters. The new guidelines suggest passwords should be much longer, include phrases and typical English words, and they never need to expire.
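To make the contrast concrete, here is an added example (not from the article or OneLogin) that evaluates the same candidate password under a legacy composition-rule policy like the one respondents described and under a NIST SP 800-63B-style policy (length bounds, a blocklist of common or breached passwords, a check for the user name, no character-class rules). The blocklist is a constructed five-entry sample; a real deployment would load a large breach-derived list.

```python
import re

# Constructed sample blocklist; a real deployment loads a large breach-derived list.
BLOCKLIST = {"password", "p@ssw0rd1!", "welcome1", "letmein", "qwerty123"}


def legacy_policy(pw: str) -> list[str]:
    """Composition rules like those the survey respondents described:
    minimum length plus upper, lower, digit and punctuation classes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", pw):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", pw):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9\s]", pw):  # whitespace does not count as punctuation
        problems.append("no special character")
    return problems


def nist_style_policy(pw: str, username: str = "", min_len: int = 8, max_len: int = 64) -> list[str]:
    """NIST SP 800-63B style: length bounds plus a blocklist and user-name check.
    No composition rules, so spaces and ordinary dictionary words are allowed."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(pw) > max_len:
        problems.append(f"longer than {max_len} characters")
    lowered = pw.lower()
    if lowered in BLOCKLIST:
        problems.append("appears in the blocklist of common or breached passwords")
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    return problems


def compare(pw: str, username: str = "") -> dict[str, list[str]]:
    """Run both policies; an empty list means the password is accepted."""
    return {"legacy": legacy_policy(pw), "nist": nist_style_policy(pw, username)}


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1!", "correct horse battery staple"):
        print(candidate, compare(candidate, username="alice"))
```

The leet-style "P@ssw0rd1!" satisfies every composition rule yet is rejected by the blocklist, while the long passphrase fails three legacy rules but passes the NIST-style check.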
“Passwords alone are not enough to secure your company,” Alvaro Hoyos, chief information security officer, OneLogin said. “Companies need to be more forward-thinking when it comes to identity and access management by enforcing strong passwords and using modern Multi-Factor Authentication.”
Less than half (42 percent) of respondents use Single Sign-On (SSO) to manage employee access to corporate applications, while 34 percent use SSO to manage external access to company apps. Thirty-six percent of respondents use multi-factor authentication (MFA) for internal access, with 34 percent using MFA to manage external access.
Hoyos recommends that organizations use applications that support SAML or OpenID Connect for user authentication, which mitigates risks like password reuse or weak passwords because it removes passwords from the equation. He also suggests using modern MFA technology to ensure OTPs cannot be stolen or redirected to a hacker’s account. Lastly, he recommends deploying monitoring tools that spot anomalies in account logins.