Passwords: the bane of enterprise security

The death of the password has been a long time coming, but sadly the authentication mechanism lingers like the smell of weeks-old Chinese food forgotten in the back of the refrigerator.

Forrester Research is releasing a series of reports that will help security and risk professionals compare their employee password policies against those of a range of other organizations, and assess the emerging approaches enterprises are considering to reduce the cost of managing passwords.

The reports draw on a 2015 quantitative survey of more than 70 large organizations about employee password policies and authentication. Each report in the series examines one aspect of password management: Password management — complexity, length, frequency of changes, and application-specific policies; Planning — best practices, risk assessment, and financial impact; Predictions — future plans and strategies to reduce and/or eliminate password usage.

As much as security and risk professionals want passwords to go the way of the dodo, it hasn't happened yet and won't happen anytime soon. Forrester illustrated a particularly frustrating password reset use case at a U.S. university with 300,000 users.

In the 2014 calendar year, university users performed an average of 7,969 password resets per month. Of those, 25% called the help desk to have their password reset manually, while 75% were eventually able to reset their passwords through self-service methods such as email or knowledge-based questions like birthplace or mother's maiden name. Every month, the help desk fields an average of 890 calls just to reset passwords.

Passwords: the good, the bad and the ugly

The good: A majority of firms have a set of password policies covering password length, number of special characters and frequency of required password changes.

The bad: Password issues continue to sap resources from employees and technology management teams. The Forrester survey states that users contact the help desk about 28 times a year, and respondents reported that approximately 20% of all help desk calls are password-related. With the average cost of resolving a password issue at $31, that works out to upward of $179 per user per year spent on password-related issues alone.

The ugly: Enterprises are applying the same password policies to on-premises and cloud-based applications. Use of cloud services has grown, and with it the potential security risk, since cloud logins are typically exposed to the whole internet rather than to the corporate network. Even though firms are aware of the risk, the survey data indicates that enterprises have not implemented stronger password policies for cloud applications.

A copy of the report can be downloaded here.