News

Businesses fail to manage passwords effectively

UK IT leaders are putting business data at risk by not effectively managing employees’ passwords, according to OneLogin

Despite 98% of IT decision makers having company guidelines in place around password complexity, and 95% feeling their current password protection measures and guidelines provide adequate protection for their business, there is still a lot of work to be done. Two-thirds (66%) don’t check passwords against common password lists and more than three-quarters (78%) don’t check employee passwords against password complexity algorithms. This poor password hygiene is leaving UK businesses vulnerable to cyber-attacks.

In conjunction with World Password Day, OneLogin surveyed 300 IT decision makers across the UK, to uncover their attitudes towards password hygiene and the emphasis placed upon internal policies to protect business networks. Unveiling stark differences between the policies in place to protect business networks and how the attitudes translated through to employee password requirements.

"This report should be a reminder to every business leader in the UK to carefully review their password management," said Thomas Pedersen, OneLogin's chief technology officer and founder. "Cybercriminals thrive on companies overlooking fundamental security requirements, which becomes an open invitation for any hacker on the hunt for easy passwords."

Companies lack consistent password fundamentals

While the majority of respondents practice good password hygiene, many respondents indicated that basic fundamentals are often lacking:

•Fewer than 19% (18.7%) check passwords against rainbow tables

•Over half (51%) don’t require special characters

•Just under half don’t require numbers (47%) and upper and lower case (37%)

Poor password hygiene leaves corporate applications vulnerable

Mandatory requirements for internal corporate applications are also concerning:

•Only 53% require single sign-on (SSO) integration

•Only 35% have implemented password complexity policies

•70% have not implemented password rotation policies

"Companies need to adopt a security-first approach with simple identity and access management features, such as OneLogin, to streamline their password resets and implement SSO and MFA tools and best practices,” added Pedersen.