Most organizations don’t enforce password best practices

Register now

A majority of IT decision makers think they have sufficient password protection in place, but most are failing to ensure that users employ strong passwords.

Lack of adherence to stricter guidelines for passwords thus exposes their companies to increased security risks that can lead to data breaches, according to a new report from identity management tools provider OneLogin.

The company surveyed more than 500 U.S.-based IT decision makers and found that 87 percent said they have sufficient password protection policies in place. Many of the organizations don’t require user passwords to meet any requirements other than being a minimum length with upper and lower case characters and numbers, the report said.

Also See: Clinic pays ransom to recover from a hacking attack

Some 25 percent of respondents don’t require user passwords to meet a minimum length requirement, and less than half (41 percent) check employee passwords against common password lists. Only 24 percent require users to rotate passwords monthly or more, with 54 percent requiring users to rotate passwords on a quarterly basis.

Only 42 percent of respondents are using single sign-on (SSO) technology to manage internal access to organizational applications, and 34 percent use SSO to manage external access to company applications.

“Passwords alone are not enough to secure your company,” says Alvaro Hoyos, the chief information security officer at OneLogin. “Companies need to be more forward-thinking when it comes to identity and access management by enforcing strong passwords and using modern multi-factor authentication.”

For reprint and licensing requests for this article, click here.