Only 4% of common passwords would meet with official requirements on strength, new research from Okta has revealed.
According to the global Businesses @ Work report, the average policy set by companies in Okta requires a minimum of eight characters, at least one lowercase letter, one uppercase letter and a number, would only fit with the small percentage of passwords it surveyed from a list of publicly-exposed details. That list also showed that 49.5% used at least eight characters.
Password security specialist Per Thorsheim told Infosecurity that the majority of password breaches analyzed out there are from online services with password policies which are ‘below average’, or at least worse than common corporate best practices during the past 15 years or so.
The research also showed that 70% of Okta’s users are now using three or four factors of authentication – but this includes SMS and ‘security questions’. Thorsheim said: “Security questions are generally not recommended in online scenarios, as the answers are mostly available online or through simple social engineering.”
Asked if MFA is an answer, or whether all solutions ultimately end up with users looking for the simple solution and writing their passwords down, Thorsheim said that he felt the message on password security and strength was getting through: “but it will easily take five to 10 years before we eventually align with NIST SP800-63B - no mandatory/regular password change, no complexity requirements, password length is key to good security, no SMS for sending secrets”.
Security Culture speaker and expert Kai Roer, added: “In my opinion, (lack of) security often revolves about user friendliness. It is considered by some nice to add ‘factors’ of authentication, especially from a marketing perspective. If, however, those factors add to the complexity of using the application, many users will find themselves trying to solve these factors by other means, for example by simplifying the password, or abandoning the service.
“Their reasoning for simplifying the password may be that they feel like X-factors of authentication should be enough to protect them even with a simple password, as well as their need to remember it.”