password practices

What the Ponemon Authentication Report Discovered About Password Practices in the Workplace

In Security by Kirk Wright


This year is not even halfway over, and yet there have already been numerous data breaches that made the news—with Collection #1 being just one of them. Such attacks should serve as constant reminders that you need to better protect your passwords and other personal information if you want to reduce your odds of becoming the next victim of cybercrime. That’s why it’s a great time to read the latest research from The Ponemon Institute and Yubico, which just released the 2019 State of Password and Authentication Security Behaviors Report. It includes feedback about password practices and privacy concerns from 1,761 IT and IT security professionals across the United States, the United Kingdom, France, and Germany. Here’s a sampling of what the report found.

How Security Concerns Have Affected Personal Password Practices

Most people who took part in this study (63 percent) said they’re more concerned about the security of their private data now than they were within the last two years. What’s the main reason for that? About 59 percent of people are most concerned about government surveillance, while 51 percent are worried about the increased use of mobile devices, like tablets and smartphones.

Concerns about data breaches come in at numbers four and five on this report, as 35 percent said they’re worried about privacy because they know someone who was a victim of a data breach, and 33 percent were victims themselves. Interestingly, though 51 percent said they’ve been victims of phishing attacks, 57 percent stated this didn’t change how they manage passwords now.

Granted, 43 percent of respondents did say the phishing attacks have changed their password practices. Namely, 47 percent use stronger passwords and 43 percent change their passwords more often. And 41 percent use two-factor authentication whenever possible.

Password Risks at Work

Phishing attacks can occur at work, and though most people are aware of this, many do nothing to prevent it. This study found that 57 percent of respondents said their coworkers are not very vigilant about preventing phishing scams at work.

After all, 69 percent of respondents admitted they’ve shared passwords with others in the office. They also often reuse passwords, with the average password being reused 5 times across different personal and business accounts.

Account Security within Organizations

This report found that personal information from customers is the top priority for organizations trying to protect data, as 47 percent are most committed to securing this type of information. That’s closely followed by employee information, as 45 percent want to protect that. Marketing and sales is next on the list, at 37 percent, while 34 percent want to protect confidential financial information.

The most common way to protect data is to have SMS codes sent to a mobile device, as 37 percent said that’s the technology they use to complement passwords. About 33 percent said they use a hardware security token. As far as passwords go in the workplace, 61 percent said their company has a password policy, but only 39 percent said it’s actually enforced. And just 18 percent said they have to use a password manager at work, as 53 percent said human memory is the most common way to remember passwords.

How Password and Authentication Practices Differ by Age

This report found that older people tend to be more concerned about data security than younger people overall. For example, 79 percent of respondents who are 55 or older said they’re more concerned about their privacy than before, while just 55 percent of those 35 or younger said the same.

What kind of information are older people most concerned about protecting? About 72 percent said their Social Security number, followed by their health information at 70 percent. By contrast, 65 percent of the younger respondents said they’re most concerned about protecting their payment account details, followed by their phone numbers at 51 percent.

However, older and younger respondents all agree on one thing, and that’s that customer information is extremely important to protect, as 50 percent of both age groups stated this. Younger respondents also said employee data is very important, while 43 percent of older respondents said consumer information comes third on the list.

How Password and Authentication Practices Differ by Country

Habits don’t just change over time. They also differ over distance. Respondents here seemed to have different concerns based on location. For example, German, French, and UK respondents said they’re most concerned about what government surveillance does to their privacy. Those in the US said they’re most concerned with how the increased use of tablets and smartphones might affect their privacy.

Additionally, people in different countries are worried about protecting different types of information. For example, US respondents said they’re most concerned about their Social Security number, health condition, payment account information, and credit history. In the UK, the main concerns are payment account details, health condition, and citizen ID. In Germany, respondents said they worry about protecting their citizen ID, payment account details, and browser settings/histories. Finally, in France, the main concerns seem to be citizen ID, payment account details, and phone number.

Some other findings include the fact that phishing attacks happen the most in the US, and that US respondents said it’s too hard to manage their personal account passwords. In addition, German respondents are the least likely to share passwords with coworkers, and they’re the most likely to require password changes on a regular basis.

Reducing Your Odds of Becoming the Next Phishing Attack Victim

As you can see, many people still use very little caution when it comes to protecting private information—despite their knowledge of or even personal experience with phishing attacks. More than half of the respondents in this report said they haven’t changed their password behaviors. But you can do better than that. You can use some tips on safeguarding your password in order to reduce your chances of being a victim.

First, know that if you’ve been phished, you need to change your password now. It doesn’t matter how strong the old password is; it’s been compromised, and keeping it will put your personal data at further risk. Make sure the new one is just as strong as your last one, or even stronger. This means it should be long, with a mix of uppercase and lowercase letters, numbers, and special symbols.

Once you have a new strong password, make sure you never write it down or share it with others. Also, do not use the same password on several accounts. You should make a new one for each account you have. If you’re wondering how to remember all these long passwords without writing them down, the answer may be password management software that will help you keep track of several passwords.

Finally, use two-factor authentication whenever it’s available, whether it’s a hard token or a code you get via text on your phone. Fortunately, it’s becoming more common on websites, giving you peace of mind when it comes to reducing your chances of phishing attacks!

The original version of this article was first published on Inspired eLearning

Kirk Wright

VP of Marketing at Inspired eLearning
Fearless marketing leader with 10 years of experience in the cloud security and compliance industry and an affinity for Waffles.