Today marks the start of National Cybersecurity Awareness Month (NCSAM), and LastPass by LogMeIn has released the 2018 Global Password Security Report to align with the efforts of NCSAM. While businesses have reportedly made progress with passwords, they still have a long way to go toward strengthening password security. Today’s report is an effort to continue to raise awareness about the risks of dangerous password behavior.

Analying anonymized data from more than 43,000 companies of all sizes that are using LastPass as their business password manager, the report graded businesses, awarding a password security score on a scale of 0–100. The average password security score of organizations was 52. Organizations with fewer than 25 employees averaged 50, while technology companies scored averaged 53 points, in part because 31% of businesses in the technology sector have adopted multifactor authentication.

“Passwords continue to be a challenge to cybersecurity in the workplace, and attacks continue to grow in number and complexity every year. Despite these threats, businesses have struggled to quantify their own level of password risk,” said Gerald Beuchelt, CISO at LogMeIn in a press release.

Given that an increased number of end users poses a higher risk, it makes sense that the bigger the company, the lower the score. However, when looking at the organizations included in the survey, those who were within the first year of using a password management tool saw an increase of nearly 15 points in their password security score. Yet the data revealed that the practice of password sharing still prevails, with a single employee sharing, on average, six passwords with co-workers.

“Security professionals often fail to consider the value of the first factor of enterprise authentication: the password. Despite the sophisticated security measures enterprises are putting in place, something as fundamentally simple as a password is tripping them up,” said Frank Dickson, research vice president, security products at IDC.

The report highlights two benchmarks for evaluating password security: the LastPass Security Score and the LastPass Password Strength Score. The LastPass Security Score incorporates the Password Strength Score and assessed whether passwords were vulnerable based on a variety of indicators, including whether they were duplicated. Additional security settings, such a multifactor authentication, were also considered in the overall score.