Enterprises still struggle with password policies
Passwords and their effectiveness is a subject that continues to come under the spotlight, particularly with the publication of a recent United States National Institute of Standards and Technology (NIST) document recommending a move to passphrases.
Security awareness training specialist KnowBe4 has carried out a survey of 2,600 IT professionals to look at how organizations are managing passwords and determine how the proposed passphrase concept stacks up against methods currently in use.
The findings reveal that 44 percent of respondents overall (large organizations with 1,000+ employees and small to mid-size businesses) think a passphrase of around 25 characters could work, compared to 35 percent who don’t believe it to be a viable option for their organization.
Other findings are that nearly 97 percent of large organizations have an enforced password policy compared to 88 percent in small to mid-size organizations. A majority (63 percent) of organizations do not allow password re-use; however, this does not prevent employees from using the same password on multiple sites.
Almost half (49 percent) of large organizations believe their current password policy is insufficient, while 48 percent of small to mid-size organizations believe their password policy is good enough. Large organizations (1,000+ users) prefer multi-factor authentication (MFA) with only 38 percent stating they don’t use it, compared with 62 percent of small to mid-size organizations that don't use MFA.
"Passwords are a known weakness in corporate security and have come under more intense scrutiny recently. Most organizations have password enforcement in place, but most aren’t taking it seriously enough by not enforcing policies beyond the normal number and letter character minimum and not requiring multi-factor authentication," says Stu Sjouwerman, CEO of KnowBe4. "It is well-known that employees are the weakest link in security and that includes password usage. IT can’t expect employees to put password policies in place on their own. It’s an effort that IT must lead."
In order to encourage businesses to use better passwords, KnowBe4 has launched a free weak password test tool which is available from its website.