Study: Cloud professionals remain attached to passwords

Security company Beyond Identity has released the findings of new industry research into password security vulnerabilities, showing that cloud professionals remain attached to password security.

The survey of more than 150 cloud industry professionals was conducted at the recent Cloud Expo Europe event and revealed over four-fifths (83%) of cloud professionals are confident about passwords’ security effectiveness, with over a third (34%) saying they are very confident. This is despite the fact that insecure password practices are regularly exploited in cyber attacks worldwide, with 80% of all breaches using compromised identities.

Asked about their experiences of using passwords, the study revealed a range of frustrations cloud professionals face with hygiene requirements for password-based systems. Over half of the respondents (60%) said they find it frustrating to remember multiple passwords, 52% by having to regularly change their passwords, while another 52% are frustrated by the requirement to choose long passwords containing numbers and symbols.

The number of passwords used daily by cloud professionals further underlines these challenges: A quarter of respondents (26%) use 4-5 passwords, with 10% using 10 or more passwords on a daily basis. Adding to the difficulties password users face, many organisations require frequent password changes, with 38% suggesting quarterly updates, 27% monthly changes, and 6% recommending daily or weekly changes. This can be an arduous task, while amounting to minimal security benefits. 

“Widespread user frustration represents a dangerous situation for organisations using password-based systems to protect their data in the face of continued phishing attacks,” commented Patrick McBride, Beyond Identity’s Chief Marketing Officer. “This survey shows an alarming displaced confidence from cloud professionals - the bottom line is you can't have effective security and advance to meet the promise of Zero Trust Security if you are still using passwords.”

Confidence in MFA

Despite continued attacks targeting credentials and frustrations over password hygiene requirements, the majority of cloud professionals (74%) still believe regularly changing passwords is good cybersecurity practice. Most cloud organisations (82%) use Multi Factor Authentication (MFA) as an added layer of authentication, with the most popular MFA being a Mobile Authenticator App. When asked their opinion on MFA, the general feeling was positive, with over half (55%) claiming to be ‘very confident’ in it as a security measure. This is despite there being an alarming number of successful MFA bypass attacks over the last year, most notably the high-profile cases of Coinbase, Twilio, Reddit, Uber, and Okta. 

"Passwords have been used in IT for more than 60 years, but cyber threat actors have driven them into redundancy. And now with MFA-bypass attacks on the rise, it's essential to move beyond first-generation Multi-Factor Authentication (MFA) that uses one-time-passwords and push notifications, and adopt next-generation 'phishing-resistant' MFA for a more effective defence against cyber risks,” added McBride. 

Heightened awareness is needed on the distinction between good MFA and outdated MFA that still relies on passwords. The FIDO Alliance (Fast Identity Online) has developed standards to combat the acute vulnerability posed by passwords and FIDO-based solutions are now recommended at the highest levels of government. 

“If you want to eliminate the risk of a breach, you need these foundational systems in place. This research highlights a critical need for cloud organisations to update their prehistoric systems and focus on passwordless authentication and phishing-resistant MFA,” concluded McBride.

Beyond Identity CEO: Passwords ‘the root of all evil’

Earlier this year Beyond Identity CEO Tom ‘TJ’ Jermoluk spoke with Technology Magazine about the founding of the company and why passwordless is the next big thing for cyber.

“Passwords are the root of all evil, the cause of all our cybersecurity problems and threats today,” he said. “Trust in corporate networks has never been more important and passwordless authentication is a giant step forward for the industry.”