LastPass research finds password habits still “major obstacle” to business security

LastPass by LogMeIn has issued the results of its third annual Global Password Security Report: a study that offers insights into employee password behaviours as well as emerging trends around identity and access management at businesses worldwide.

Among the key findings from this year’s report is that, while more businesses are investing in security measures like multi-factor authentication, employees still have poor password habits that weaken companies’ overall security posture. Given that stolen and re-used credentials are linked to 80% of hacking-related breaches, businesses must take more action to improve password and access security if they’re to make a big impact on risk reduction.

“Securing employee access has never been more important but, unfortunately, we see businesses ignore password security altogether or otherwise only half-heartedly attempt to address it,” said Gerald Beuchelt, CISO at LogMeIn. “This report further highlights the importance of using the identity and access management tools available to information security managers in addition to maintaining focus on employee training to improve password habits.”

Password struggle is real

Password sharing and re-use remain common practice in most businesses, with employees re-using one password an average of 13 times. LastPass by LogMeIn’s data shows that employees at businesses with fewer than 1,000 employees re-use 10-14 passwords compared to four re-used passwords among employees at larger organisations.

An overwhelming number of passwords leads to poor password hygiene when there’s no technology in place to help. The data shows employees at larger companies have an average of 25 passwords to manage compared to 85 passwords for those at smaller organisations.

Due to greater availability of resources and awareness of regulations, larger businesses may be more likely to have single sign-on (SSO) solutions in place that enable employees to access more apps with fewer passwords. However, less than 50% of all businesses have an SSO solution that could make it easier for employees to manage passwords.

Multi-factor authentication use on the rise

More than half of businesses globally (57% of those surveyed, in fact) now have employees using multi-factor authentication. That’s up 12 percentage points from last year’s report. As multi-factor authentication options continue to improve in usability and in support for a wide range of use cases, usage increases accordingly.

Unsurprisingly, employees at larger organisations have the highest usage – 87% – which drops by nearly half (to 44%) at organisations with approximately 500-1,000 employees and to less than a third (27%) at the smallest businesses surveyed.

Given the competing priorities of IT staff at smaller businesses, it’s understandable that multi-factor authentication may not be a priority. However, given the number of affordable and user-friendly options available, every business should be able to find a multi-factor authentication solution that meets its needs.

Differences between industry sectors

In terms of industry, media/advertising agency employees have the most passwords to manage (97), whereas Government employees have the fewest (54). It’s no surprise that employees in the media and advertising sector also have the highest rate of password re-use – 22 – compared to just nine in the non-profit and retail sectors.

No amount of password re-use is safe, but some sectors have a lot more work to do. When it comes to multi-factor authentication, industries holding the most sensitive customer data, such as insurance and legal, are the least likely to have employees using it (20% usage in each, compared to the high of 37% in the technology and software industries).

Password manager adoption via mobile

For the first time, this report looks at how employees use their password manager via the LastPass app on mobile devices. Globally, 23% of employees are accessing password vaults on their smart phone. That number is likely to grow as mobile platform integrations improve.

After the iOS 12 launch, for example, employees used LastPass on their mobile device 50% more frequently than prior to the launch.

Further, user retention is approximately 30% higher on average when mobile usage is incorporated into an employee’s on-boarding experience.

It’s clear that, when it’s convenient for employees to access and use password managers from their smart phone or other device of their choice, they’re more likely to do so.

Increased international regulation

As global threats rise, and concerns grow about the privacy of personal information, Governments and industries alike are enacting more regulations, directives and guidelines in order to help protect the digital economy.

The EU’s General Data Protection Regulation may contribute to significant growth in the adoption of multi-factor authentication in countries like Denmark (46%), the Netherlands (41%), Switzerland (38%) and Germany (32%).

For more information and to read the report in full visit

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications). Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000, having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute’s George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian is actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and Editor of The Paper (Pro-Activ Publications’ dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.