Password Proliferation Adds Security Risk

Employees must remember six or more passwords at 27% of organizations, resulting in security-compromising behavior and increased burden on help desks, warns Forrester Research.

Mathew Schwartz

January 13, 2011


At 87% of companies, employees must now remember two or more passwords to access corporate resources, and 27% of organizations require their employees to remember six or more. Not surprisingly, password resets account, on average, for 30% to 50% of all calls to the help desk.

Those findings come from a new Forrester Research study commissioned by Symantec. The research is based on a survey of over 300 employees at large organizations.

According to Forrester, password proliferation is largely being driven by the increased adoption of Web 2.0, cloud, and software as a service (SaaS). Notably, 58% of organizations now use two or more SaaS-based business applications, and 19% use six or more. Another factor is increased employee mobility. Today, 56% of organizations officially allow employee-owned smartphones to connect to the corporate network.

But as passwords proliferate, their shortcomings can be amplified. "Password issues are the top access problem in the enterprise," according to the Forrester study. "Policies on password composition, expiration, and lockout that are put in place to mitigate risk have become a major burden to users, impeding their ability to be productive."

Furthermore, never underestimate employees' ability to subvert onerous corporate policies. "People respond by using simple password formulas or the same password for multiple applications, weakening the security benefits that drive these policies to begin with," according to the Forrester report.
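The failure mode Forrester describes is easy to see in code: a conventional composition policy accepts formulaic passwords, and a rotation that only bumps a trailing counter satisfies an expiration policy without changing the secret in any meaningful way. The following is an added example, not code from the Forrester study or from Symantec; the policy it enforces (eight or more characters with upper case, lower case, a digit and a symbol) is assumed for illustration, as are the sample passwords.

```python
import re
from difflib import SequenceMatcher

# Assumed composition policy of the kind the study describes (not Forrester's):
# at least 8 characters, with upper case, lower case, a digit and a symbol.
def meets_composition_policy(pw: str) -> bool:
    return (
        len(pw) >= 8
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"\d", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )

def _core(pw: str) -> str:
    # Strip the trailing digits/symbols users bump on each rotation
    # ("Winter2010!" -> "winter"), then lower-case for comparison.
    return re.sub(r"[\d\W_]+$", "", pw).lower()

def looks_formulaic(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when a 'new' password is just the old one with a counter or
    suffix changed, or is otherwise nearly identical to it.

    Intended for the password-change path, where the user supplies both
    the old and the new password in plaintext; it does not require storing
    old passwords."""
    if _core(old) == _core(new):
        return True
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() >= threshold

def evaluate_rotation(old: str, new: str) -> dict:
    """Combine both checks, as a change-password handler would."""
    return {
        "policy_ok": meets_composition_policy(new),
        "formulaic": looks_formulaic(old, new),
        "accept": meets_composition_policy(new) and not looks_formulaic(old, new),
    }

if __name__ == "__main__":
    # Constructed sample rotations, not data from the study.
    for old, new in [
        ("Winter2010!", "Winter2011!"),       # passes policy, pure formula
        ("Password1!", "Password2!"),         # same
        ("Winter2011!", "correct-horse-7Battery"),  # genuinely new secret
    ]:
        print(old, "->", new, evaluate_rotation(old, new))
```

Both formulaic rotations pass the composition check, which is the point of the paragraph above: the policy measures the shape of the string, not whether the user actually chose a new secret. The similarity check is only possible at change time, when the old password is in hand; it cannot detect reuse of the same password across unrelated applications, which is the other behaviour the study reports.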

In light of password proliferation -- as well as its finding that 54% of organizations experienced a data breach last year -- Forrester recommends that organizations consider alternative approaches to authentication, such as using strong authentication technology.

Today, about 60% of organizations have deployed some strong authentication internally, and 50% require, or will soon require, their business partners and suppliers to use it. Forrester said that to date, "enterprises have deployed strong authentication selectively because of the low user acceptance it engenders," a consequence of decreased productivity, together with relatively high per-user costs and the management overhead that adds to them.

But as passwords continue to proliferate, Forrester suggests that organizations take a new look at emerging strong authentication techniques, such as mobile authentication for remote users, and risk-based authentication, such as behavior profiling.
