Organizations have made strides when it comes to locking down user accounts, but there’s still more work to be done.
Even as more businesses invest in password management solutions, most are still middling when it comes to password security.
This is according to a new report from LastPass, which shines new light on password behavior in the workplace and aims to create a new benchmark that businesses can use to measure their progress when investing in password security.
Following an audit of anonymized LastPass data from 43,000 businesses, the 2018 Global Password Security Report (registration required) reveals that the benchmark average security score – a combination of password strength and other factors – is 52 out of 100.
While a score of 52 ranks as ‘fair’, LastPass said the report shows a need for more effective policies and training, particularly when it comes to stamping out the use of weak, reused, old, and potentially compromised credentials.
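As an added illustration (this is not code from the report or from LastPass, whose scoring method the page does not describe), the following Python audit flags the four categories named above, weak, reused, old and potentially compromised, over a constructed sample vault and folds the results into a 0-100 score. The strength heuristic, the 365-day age threshold, the 12-character minimum and the breached-password list are all assumptions chosen for the example; the compromised-credential check models the k-anonymity prefix lookup style of Have I Been Pwned's Pwned Passwords range API (SHA-1, 5-hex-character prefix) against a constructed local bucket rather than a live query.

```python
import hashlib
import math
from collections import defaultdict
from datetime import date

# Constructed sample vault for the example: (site, username, password, last_changed).
SAMPLE_VAULT = [
    ("mail.example.com", "alice", "Summer2018!", date(2018, 1, 15)),
    ("crm.example.com", "alice", "Summer2018!", date(2017, 6, 1)),
    ("hr.example.com", "alice", "password1", date(2018, 9, 1)),
    ("vpn.example.com", "alice", "g7#Qz!2pLm9vR$wX", date(2018, 8, 20)),
]

# Policy thresholds: assumptions for this example, not LastPass's criteria.
MAX_AGE_DAYS = 365
MIN_LENGTH = 12
MIN_BITS = 60


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def _build_breach_buckets(passwords):
    # Keyed like the Pwned Passwords range API: 5-hex-char SHA-1 prefix -> set of suffixes.
    buckets = defaultdict(set)
    for p in passwords:
        h = sha1_hex(p)
        buckets[h[:5]].add(h[5:])
    return buckets


# Constructed stand-in for a breached-password corpus; only "password1" is in it.
BREACH_BUCKETS = _build_breach_buckets(["password1"])


def is_compromised(password, buckets=BREACH_BUCKETS):
    # k-anonymity style lookup: only the 5-char prefix would ever leave the client;
    # the full hash is compared locally against the returned bucket.
    h = sha1_hex(password)
    return h[5:] in buckets.get(h[:5], set())


def charset_size(password):
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33
    return size


def is_weak(password):
    # Crude strength estimate: length * log2(character-set size) as naive entropy bits.
    # A real auditor would also use dictionary and pattern checks (e.g. zxcvbn).
    bits = len(password) * math.log2(charset_size(password) or 1)
    return len(password) < MIN_LENGTH or bits < MIN_BITS


def audit_vault(vault, today=date(2018, 10, 1)):
    """Return ({site: [issues]}, score) where score is the percentage of clean entries."""
    sites_by_password = defaultdict(list)
    for site, _user, pw, _changed in vault:
        sites_by_password[pw].append(site)

    findings = {}
    for site, _user, pw, changed in vault:
        issues = []
        if is_weak(pw):
            issues.append("weak")
        if len(sites_by_password[pw]) > 1:
            issues.append("reused")
        if (today - changed).days > MAX_AGE_DAYS:
            issues.append("old")
        if is_compromised(pw):
            issues.append("compromised")
        findings[site] = issues

    clean = sum(1 for issues in findings.values() if not issues)
    score = round(100 * clean / len(findings)) if findings else 0
    return findings, score


if __name__ == "__main__":
    report, score = audit_vault(SAMPLE_VAULT)
    for site, issues in report.items():
        print(f"{site:20} {', '.join(issues) or 'ok'}")
    print(f"score: {score}/100")
```

On the constructed vault, only the VPN entry passes every check, so the score is 25: the two "Summer2018!" entries are weak and reused (and the CRM copy is also older than a year), and "password1" is both weak and present in the breach bucket. The scoring rule here (share of clean entries) is deliberately simple; the point is that reuse detection needs the whole vault at once, while the age and breach checks can run per entry.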
“Many passwords could be stronger, and every one is a potential entryway to the business that should be protected and managed,” the company said.
Drilling into the stats, LastPass found that organizations with fewer than 24 employees have the highest average security score, and that this average drops as the company size increases.
“More employees bring more passwords and unsanctioned apps, as well as extra opportunities for dangerous password behaviors,” the report says.
“In larger organizations, it’s simply more challenging for IT to hold all employees to password security standards.”
And when it comes to industry sectors, technology leads the way, with an average security score of 52.
“Since many technology companies need to comply with privacy and data laws, it’s not surprising they lead the pack,” LastPass said.
“What is surprising, though, is that heavily-regulated industries like banking, health, insurance and government are not achieving comparable (or even superior) average security scores.”
Awareness and education
Offering guidance to businesses on the back of this latest report, Gerald Beuchelt, CISO at LogMeIn, makers of LastPass, told The Daily Swig: “Providing an enterprise-class password manager should be one of the first steps in improving your organization’s password security.
“Without a suitable, secure, cross-platform tool, employees cannot really be expected to manage hundreds of highly complex passwords and change them regularly.”
Beuchelt added: “Once this is available, awareness and education is key. Companies should make serious efforts to promote the tool and encourage employees to use it not only for their work life but also for their private accounts.”
The use of password managers is generally regarded as one of the most effective frontline measures to help users protect their online data.
However, while investing in a password management solution can greatly improve an enterprise’s security posture, this class of software is by no means flawless.
Back in December, the developers behind Keeper password manager, which comes bundled with Windows 10, announced they had patched a security vulnerability that could enable attackers to steal user credentials.
The following month, Tempest Security Intelligence researcher Filipe Xavier urged the estimated 20,000 people who had downloaded Handy Password to stop using the software after he identified a vulnerability that could give an attacker full control over their device.
LastPass – the authors of this latest study and one of the world’s better-known password managers – was itself in the security headlines last year, after it was revealed that a bug could have allowed attackers to steal users’ credentials.
(A subsequent blog post from LastPass explained that the issue was related to an experimental feature, and that a fix was released before the vulnerability was disclosed.)
Of course, there’s no such thing as perfect software, and the use of password managers remains a far better alternative to reusing passwords across multiple accounts or storing credentials in plaintext.
Taking it a step further, the LastPass report points to the increased use of multi-factor authentication (MFA).
And as some security advocates continue their quest for a password-free future, the use of an up-to-date password manager, coupled with MFA, remains one of the best ways to help ensure your data is protected.