SAN JOSE, Calif. — Balbix Inc. released its State of Password Use Report 2020. The Balbix Security Analytics Team set out to determine the leading behaviors of password use in the enterprise as well as the key trends of breaches caused by compromised credentials. The report's findings reveal that very few users take appropriate action to significantly reduce the risk of password compromise.
The study found that more than 99% of users reuse passwords, either across work accounts, or between work and personal accounts. Password reuse is widely prevalent due to the desire for convenience and speed when navigating various accounts. Balbix’s report also discovered that on average, every single user password is shared across 2.7 accounts. What’s more, the average user has more than 8 passwords shared between accounts, with 7.5 passwords shared between work and personal accounts and 0.8 passwords shared between internal and SaaS accounts.
“The rapid shift to remote work as a result of COVID-19 has simultaneously shifted the balance of control away from IT and toward employees,” said Abe Smith, cybersecurity veteran with decades of information security leadership roles in the Bay Area. “Even well-intentioned users won’t have identity best practices, such as multifactor authentication and avoiding password reuse, in mind when adopting new tools. Security teams must find ways to automate identification of password risks.”
Breaches caused by compromised credentials are not the result of a small minority of users with poor password hygiene — they are the result of a widespread issue. The report determined the key password-related issues most responsible for the overall breach risk to the enterprise. They are listed in order of greatest risk below:
- Weak and default system passwords on domain controllers and other infrastructure components and services;
- Cached credentials for logging into mission critical systems;
- Privileged user machines with a high likelihood of breach logging into core servers; and
- Password reuse between work and personal accounts.
Of the different aspects of security, passwords are the one over which organizations have the least control. Users want a high level of convenience, and while that is common human behavior, organizations must still prioritize poor password hygiene to remediate the associated risk.
“Compromised, weak, and reused passwords still account for the majority of hacking-related data breaches and are one of the top risk issues for most enterprises,” said Gaurav Banga, CEO and founder of Balbix. “In order to transform cybersecurity posture and increase overall resilience, enterprises must systematically address the weaknesses in their password strategies, adopting proven technologies such as multifactor authentication and password managers.”