Most organizations recognize the dangers posed by weak passwords and have implemented policies requiring users to follow password best practices. Enforcing those policies can be a challenge, however. Faced with a mind-boggling number of passwords to remember, users tend to use the same credentials for most or all applications, or simplify passwords to the point that they’re easy to guess. Overreliance on policies alone puts organizations at risk, as a recent study from the research firm Ovum reveals.
In August 2017, Ovum surveyed 355 IT executives to determine how they are managing passwords and controlling access to on-premises and cloud-based applications. The survey also asked 550 corporate employees about their views of password management. The study found that many organizations lack visibility and control over password usage and aren’t doing enough to address the problem.
More than half of IT executives surveyed rely on employees to monitor their own password behavior, and 61 percent depend on employee education to enforce the use of strong passwords. In addition, many organizations continue to rely on manual password security processes. For example, 64 percent of IT execs said they had no technology in place to guard against unnecessary password sharing, with only 14 percent having automated control capabilities.
The study also revealed how poor password management practices affect users. Employees complained that they are required to come up with long, complex passwords and change them regularly, and that they struggle to meet these requirements. Almost half (44 percent) said that password management requirements negatively impact productivity. Furthermore, 76 percent said they experience regular password usage problems, and more than one-third need password-related help desk support at least once a month.
These issues come at enormous cost. According to Gartner, 20 to 50 percent of all help desk calls involve password resets, and Forrester Research estimates that each reset costs $70. On average, that includes 15 minutes of the end-user’s time and 10 minutes of the help desk technician’s time.
An identity and access management (IAM) platform can help resolve these issues. Robust IAM solutions include password management capabilities that enable global enforcement of password policies. Such solutions also have self-service tools that allow users to handle their own password resets without involving a help desk.
In addition, these systems can synchronize passwords between user directories and other systems and applications throughout the enterprise. Users have fewer passwords to remember, and changes are automatically propagated across these systems.
Going a step further, federated identity management (FIM) solutions use a secure, open format that enables the exchange of identity data with external systems. FIM streamlines identity provisioning and management across distributed resources, including cloud-based applications, and enables users to access those resources with a single credential. (Note that FIM and single sign-on are not the same thing, a topic we’ll take up in a future post.)
Password policies are only beneficial if their implementation is monitored and enforced. However, the Ovum study reveals that many organizations have password management processes that remain focused on policies rather than users. The right IAM platform can resolve these issues and protect organizations from the dangers posed by weak passwords.