- Since the work-from-home era began last year, half of employees admitted to not changing or updating their online security habits, according to a LastPass' Psychology of Passwords report, released Wednesday. The report is based on a survey of 3,750 professionals internationally.
- Nearly half of employees (46%) have not strengthened their passwords during this time, despite 50% of respondents reporting more online accounts in 2021 than 2020, the report found.
- Only 35% of employers required employees to update their passwords regularly or enhanced authentication methods since remote work began.
People reuse similar or identical passwords because they want less to remember. And the ones who don't want to remember their passwords write them on sticky notes.
If companies adopted more digital systems, employees will have more login requirements — from device login, VPN activation and maybe a system login — making the temptation to recycle passwords irresistible.
The National Institute of Standards and Technology (NIST) lists theft, duplication, social engineering and endpoint compromise among threats to authentication. Multifactor and physical security tools can serve as resolutions, but NIST also recommends regular training for employees. Bad actors are banking on employees taking a casual approach to cybersecurity.
The majority of data breaches (85%) feature human error, such as phishing or stolen credentials, LastPass found. "We've found that there's an education gap when it comes to the importance of storing sensitive information online," said Katie Petrillo, director of product marketing for LastPass. "We also found that the presence of risk does not inherently motivate people to adopt better security."
But the complexity of a password supersedes how often an employee changes it. And for Microsoft, the safest option is eliminating passwords altogether. Last year, more than 150 million Azure Active Directory and consumer users logged into their Microsoft account without a password, the company said.
Microsoft is doubling down on a passwordless future, especially considering 40% of people use patterns in their passwords, such as "Winter2021," a Microsoft survey found.
Users can remove passwords from their Microsoft accounts using Windows Hello, the Microsoft Authenticator app, or verification codes instead, the company announced last week. Because passwords are still widespread, Microsoft has a password manager through Microsoft Edge.
The security industry is confronting the next iteration of authentication while balancing usability. "I don't believe that passwords will be going away anytime soon," said Petrillo. New opportunities, including biometric authentication, single sign-on, and federated identity will increase in use, however.