HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Study: 1 in 5 Enterprise Users Have Set Weak Passwords

The sharing of passwords across multiple platforms is a bad idea. If one platform suffers a data breach, all other systems that have the same password set could also easily be compromised. Even though the reuse of passwords is unwise, and many organizations have policies in place prohibiting employees from recycling passwords, it remains a common practice.

Many organizations have implemented policies, procedures and technology to prevent weak passwords from being used and they force end users to change their passwords frequently, but it is difficult for organizations to prevent password recycling.

The practice has recently been investigated by Preempt. Preempt has developed a tool that can be used by enterprises to assess the strength of the passwords used by their employees. The tool reports on the accounts that have weak passwords set, allowing the enterprise to take action. The tool also compares passwords to a database of 10 million passwords compromised in previous data breaches that are now in the hands of cybercriminals.

An analysis of data from enterprises that downloaded the Preempt Inspector tool showed that more than 7% of employees are using passwords for their work accounts that have already been compromised in previous data breaches. Preempt also reports that 20% of passwords used by enterprise employees could easily be compromised, even though many enterprises have systems in place to ensure password complexity.

Preempt reports that 1 in 14 enterprise employees have set an extremely weak password that has appeared in a previous breach, while 13.39% of enterprise users have shared their password, either with other users, teams or the password has been used for other services. Preempt says its research shows that 1 in 7 users have disclosed their password to other users within their network.

The study revealed that an average of 19.1% of enterprise users have set poor passwords, either those that have been used elsewhere, have been shared or are particularly weak. This translates to 1 in 5 enterprise users having a password that could easily be guessed by a threat actor.

The study revealed that larger organizations tend to have a better security posture and also a lower percentage of weak passwords in use. The larger the organization, the more secure their passwords are. This has been attributed to larger organizations having more resources devoted to security, with password policies likely to have been set and systems in place to enforce strong passwords. Those organizations are also likely to have more extensive education programs to raise security awareness.

The study was conducted on clients in multiple countries, with US-based organizations having approximately half the number of weak passwords that non-US companies. Preempt suggests that credential theft and cyberattacks are more extensively covered in the media in the United States, raising awareness of security and the need to take steps to prevent data breaches, such as setting strong passwords and not reusing passwords on multiple platforms.

The research shows that even though employees receive security awareness training and policies and technology are used to enforce the use of strong passwords, many employees are still taking big risks with their password choices. Many enterprises may believe they have tackled the issue of poor passwords, when the realty is likely quite different.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.