Blame IT and Security, Not End Users, for Password Problems
End users don’t have the best security practices, but last year’s transition to remote work reminds us that technologists should look in the mirror before complaining too loudly.
BitWarden reported that 53% of IT decision-makers shared passwords via email, a big increase from 39% just a year earlier. Apathy about security is particularly worrying among information security professionals, 84% of whom felt burned out in Passw@rd’s State of Access 2021 report. Almost half (44%) of the InfoSec pros in that survey said security rules and policies “aren’t worth the hassle.”
Burnout causes job mobility, which becomes a bigger security problem once an employee leaves a company. Thirty percent of respondents in Teleport‘s State of Infrastructure Access and Security Report were less than 75% confident that former employees have had all their access keys revoked.
Source: Passw@rd’s State of Access 2021
Access Management, Then Passwordless, Then Zero Trust
Supplementing passwords with another authentication method helps but doesn’t address the fundamental problem that some people have centralized access to infrastructure. Seventy percent of the Teleport study still grants access to infrastructure with passwords. Although VPNs have gone out of favor, they were still used by half of that study, as were hardware security tokens. Less common were one-time email links, and short-lived, identity-based certificates.
Teleport sees certificate-based authentication as the basis of something called passwordless infrastructure. Almost half the people that don’t use short-lived certificates believe the credentialing systems in use are sufficient. Most do not believe the solutions are too complex, so uptake of corporate plans for Zero Trust may come to fruition.
Zero Trust gets a lot of buzz, and most people have it on their roadmaps. A 2021 survey of IT security pros conducted by Dimensional Research found that 51% had already begun implementing Zero Trust. The same study also reported that three-quarters believe Zero Trust to be at least very important to their organization’s security posture.
Passwordless access to infrastructure is one component of that access management. Zero Trust requires access management systems that work. Decision-makers that prioritize Zero Trust should also think practically about the blocking and tackling needed to manage the policy and access management of their existing systems.
Lawrence Hecht has been producing research reports about information technology markets for the last 18 years. Lawrence previously managed “voice of the customer” surveys for the 451 Research and TheInfoPro about enterprise IT B2B markets such as Cloud Computing, Data Analytics, and Information Security. In 1999, he created the Internet Public Policy Network (IPPN), a network of subject-matter experts that provided custom research, white papers and advice about technology-related public policy issues. Lawrence earned a Master of Public Policy from Georgetown University and a Bachelor of Arts from Rutgers University.
