
Password Proliferation Adds Security Risk

Employees must remember six or more passwords at 27% of organizations, resulting in security-compromising behavior and increased burden on help desks, warns Forrester Research.

At 87% of companies, employees must now remember two or more passwords to access corporate resources, while 27% of organizations require their employees to remember six or more passwords. Not surprisingly, password resets account, on average, for 30% to 50% of all calls to the help desk.

Those findings come from a new Forrester Research study commissioned by Symantec. The research is based on a survey of over 300 employees in large organizations.

According to Forrester, password proliferation is largely being driven by the increased adoption of Web 2.0, cloud, and software as a service (SaaS). Notably, 58% of organizations now use two or more SaaS-based business applications, and 19% use six or more. Another factor is increased employee mobility. Today, 56% of organizations officially allow employee-owned smartphones to connect to the corporate network.

But as passwords proliferate, their shortcomings can be amplified. "Password issues are the top access problem in the enterprise," according to the Forrester study. "Policies on password composition, expiration, and lockout that are put in place to mitigate risk have become a major burden to users, impeding their ability to be productive."

Furthermore, never underestimate employees' ability to subvert onerous corporate policies. "People respond by using simple password formulas or the same password for multiple applications, weakening the security benefits that drive these policies to begin with," according to the Forrester report.

In light of password proliferation -- as well as its finding that 54% of organizations experienced a data breach last year -- Forrester recommends that organizations consider alternative approaches to authentication, such as using strong authentication technology.

Today, about 60% of organizations have deployed some strong authentication internally, and 50% require, or will soon require, their business partners and suppliers to use it. Forrester said that to date, "enterprises have deployed strong authentication selectively because of the low user acceptance it engenders," due to decreased productivity, as well as relatively high per-user costs and management overhead, which adds to those costs.

But as passwords continue to proliferate, Forrester suggests that organizations take a new look at emerging strong authentication techniques, such as mobile authentication for remote users, and risk-based authentication, such as behavior profiling.
