Network Computing is part of the Informa Tech Division of Informa PLC

Password Proliferation Adds Security Risk

At 87% of companies, employees must now remember two or more passwords to access corporate resources, while 27% of organizations require their employees to remember six or more passwords. Not surprisingly, password resets account, on average, for 30% to 50% of all calls to the help desk.

Those findings come from a new study by Forrester Research, commissioned by Symantec. The research is based on a survey of over 300 employees in large organizations.

According to Forrester, password proliferation is largely being driven by the increased adoption of Web 2.0, cloud, and software as a service (SaaS). Notably, 58% of organizations now use two or more SaaS-based business applications, and 19% use six or more. Another factor is increased employee mobility. Today, 56% of organizations officially allow employee-owned smartphones to connect to the corporate network.

But as passwords proliferate, their shortcomings can be amplified. "Password issues are the top access problem in the enterprise," according to the Forrester study. "Policies on password composition, expiration, and lockout that are put in place to mitigate risk have become a major burden to users, impeding their ability to be productive."

Furthermore, never underestimate employees' ability to subvert onerous corporate policies. "People respond by using simple password formulas or the same password for multiple applications, weakening the security benefits that drive these policies to begin with," according to the Forrester report.

In light of password proliferation -- as well as its finding that 54% of organizations experienced a data breach last year -- Forrester recommends that organizations consider alternative approaches to authentication, such as using strong authentication technology.

Today, about 60% of organizations have deployed some strong authentication internally, and 50% require, or will soon require, their business partners and suppliers to use it. Forrester said that to date, "enterprises have deployed strong authentication selectively because of the low user acceptance it engenders," due to decreased productivity, not to mention relatively high costs per user and management overhead, which contributes to costs.

But as passwords continue to proliferate, Forrester suggests that organizations take a new look at emerging strong authentication techniques, such as mobile authentication for remote users, and risk-based authentication, such as behavior profiling.