Those findings come from a new Forrester Research study commissioned by Symantec. The research is based on a survey of over 300 employees in large organizations.
According to Forrester, password proliferation is largely being driven by the increased adoption of Web 2.0, cloud, and software as a service (SaaS). Notably, 58% of organizations now use two or more SaaS-based business applications, and 19% use six or more. Another factor is increased employee mobility. Today, 56% of organizations officially allow employee-owned smartphones to connect to the corporate network.
But as passwords proliferate, their shortcomings can be amplified. "Password issues are the top access problem in the enterprise," according to the Forrester study. "Policies on password composition, expiration, and lockout that are put in place to mitigate risk have become a major burden to users, impeding their ability to be productive."
Furthermore, never underestimate employees' ability to subvert onerous corporate policies. "People respond by using simple password formulas or the same password for multiple applications, weakening the security benefits that drive these policies to begin with," according to the Forrester report.
In light of password proliferation -- as well as its finding that 54% of organizations experienced a data breach last year -- Forrester recommends that organizations consider alternative approaches to authentication, such as using strong authentication technology.
Today, about 60% of organizations have deployed some strong authentication internally, and 50% require, or will soon require, their business partners and suppliers to use it. Forrester said that to date, "enterprises have deployed strong authentication selectively because of the low user acceptance it engenders," due to decreased productivity, not to mention relatively high per-user costs and management overhead, which adds to those costs.
But as passwords continue to proliferate, Forrester suggests that organizations take a new look at emerging strong authentication techniques, including mobile authentication for remote users and risk-based authentication such as behavior profiling.