Many Adopt Passwordless Authentication Yet Poor Password Practices Continue

A new survey of IT decision makers provides information about password management practices and the growing adoption of passwordless authentication. Password manager provider Bitwarden conducted the Password Decisions Survey for the third year. Propeller Insights surveyed 400 American IT decision makers and 2,000 web users about their password practices and their behaviour towards password security and passwordless authentication systems.

The survey revealed that not much has changed in the last 12 months, which indicates how difficult it is to eliminate poor password practices. Password manager use dropped a bit year-over-year. 84% of IT decision makers claim they utilize password management software on the job; it was just 77% in 2021. The small change may be partly because of the LastPass data breach in 2022. Although the password manager wasn’t breached, hackers got access to an encrypted backup copy of the password vaults belonging to an unknown number of users.

In spite of this, many still think that password managers can enhance password protection, and the survey shows that employees are demanding password managers. 79% of web users state that they want their employer to give them password managers. Although 84% of respondents stated they make use of a password manager at their workplace, the following poor password practices remain prevalent:

  • 54% of respondents keep their passwords in a computer file
  • depend on memory for passwords
  • 29% write down their passwords (unchanged)
  • 22% used the same password for over 10 years

Although 66% of IT decision makers stated they keep passwords safely by using a password manager, a large percentage use less safe solutions like email (41%), shared online files (38%), chat and messaging applications (30%), verbal sharing (27%), and written records (22%). Worryingly, 90% of IT decision makers confessed to using the same passwords at work. Among the survey respondents who reuse passwords, there is a reduction in the extent of reuse:

  • 11% use the same passwords on 15+ websites
  • 24% use the same password on 10-15 websites
  • 36% use the same passwords on 5-10 websites
  • 19% use the same password on 1-5 websites

Having two-factor authentication could considerably enhance security, and 92% of survey respondents say they use it at work. The most prevalent reasons for not using 2-FA are:

  • inability to comprehend its advantages
  • believing that passwords are enough to give protection
  • account hacking won’t happen
  • negative impact of extra authentication on workflows

In spite of the dangers of utilizing unauthorized software and hardware (shadow IT), 49% of employees and 32% of IT decision makers confessed to utilizing unauthorized devices and software programs. Most people who confessed to utilizing shadow IT (73%) stated they did so because it allows them to work more effectively. 52% stated they still utilized unauthorized hardware or software when they could not get authorization to utilize it, and 50% used it because of the IT department’s slow replies to authorization requests.

The growing expense of data breaches and the pace at which they are happening have led organizations to get cyber insurance. 75% of surveyed IT decision makers stated they got cyber insurance policies. However, insurance companies require evidence of security measures prior to agreeing to offer insurance packages. The following are required by insurance companies according to IT decision makers:

  • security awareness training for employees (65%)
  • implementation of multifactor authentication (64%)
  • use of password manager (61%)
  • incident response plan (50%)
  • enough data backup processes (48%)
  • patching on a regular basis (28%)

Just 3% of organizations do not need to show any evidence of having these measures.

Concerns regarding password protection and the number of password-associated data breaches are driving the use of passwordless technology, for example, biometrics, security keys, and passkeys. 41% of respondents think passwordless authentication offers more effective security, 24% state it enhances the user experience, 17% state it decreases the pressure on the IT department, and 19% think it enhances productivity. 57% of U.S. respondents stated they were enthusiastic about passwordless technology and 49% stated they have deployed or plan to deploy the technology, but out of those that have begun to use passwordless authentication, 87% still have not used it across the whole organization. Of the companies that have used the technology, 51% use biometrics (fingerprint, facial recognition or voiceprints), and 31% employ a physical item like a security key or FIDO auth.

The reasons for the unwillingness to adopt passwordless technology like fingerprints, face IDs and voice prints are:

  • the concern that it will be utilized against them, said 36% of respondents
  • they opt to depend on memory for passwords, even if people that depend on memory still use much weaker passwords, said 55% of respondents
  • they have to reset their passwords because they forgot them, said 58% of respondents
  • it happens day to day, said 12% of respondents

Breach Notifications Do Not Provide Actionable Information on Breach Cause

The Identity Theft Resource Center (ITRC) report talks about the data compromises in Quarter 1 of 2023, which indicates a reduction in data breaches by 13% and a reduction in victims by 64% compared to the last quarter of 2022. In Quarter 1, 445 data compromises and 89,140,686 victims were publicly reported. Although it is good news to see fewer data breaches and victim count, the two stats usually decline in Quarter 1 of the year. The 13% decrease is much less compared to the decline from the corresponding time period last year when data breaches declined by 28.6%. The Quarter 1, 2023 statistics indicate a 10% increase in data breaches in comparison to 2022, and a 25.7% increase from Quarter 1 of 2021.

94% of data breach victims in Quarter 1 of 2023 came from data breaches in only 4 industries: Technology, Healthcare, Transportation, and Manufacturing & Utilities. Healthcare was the worst impacted sector for three consecutive quarters, with 81 breaches. The financial industry had 70 breaches and manufacturing & utilities had 54 breaches. Two healthcare data breaches were on the top 5 list this quarter. The data breach at Independent Living Systems had 4,226,508 victims, while the breach at Regal Medical Group had 3,300,638 victims.

37% or 84.9% of the data breaches were because of cyberattacks. 19.1% were because of system and human errors (58 incidents). 48 data compromises were because of supply chain attacks that impacted 78 entities. 54 were confirmed ransomware attacks. Quarter 1 had 106 phishing attacks.

There is a tendency to not include essential data in data breach notifications to the point where certain breach notifications lack actionable details regarding the underlying reason for the breach. This makes it difficult for individuals to find out the level of threat that they deal with. The lack of data additionally makes it hard to get meaningful data about the causes of data breaches.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on twitter at https://twitter.com/ElizabethHzone