The survey of more than 150 cloud industry professionals was conducted at the recent Cloud Expo Europe event and revealed that over four-fifths (83%) of cloud professionals are confident about passwords’ security effectiveness, with over a third (34%) saying they are very confident. This is despite the fact that insecure password practices are regularly exploited in cyber attacks worldwide, with 80% of all breaches using compromised identities.
When respondents were asked about their experiences of using passwords, the study revealed a range of frustrations cloud professionals face with hygiene requirements for password-based systems. Over half of respondents (60%) find it frustrating to remember multiple passwords, 52% are frustrated by having to regularly change their passwords, and another 52% are frustrated by the requirement to choose long passwords containing numbers and symbols.
The number of passwords used daily by cloud professionals further underlines these challenges: a quarter of respondents (26%) use 4-5 passwords, with 10% using 10 or more passwords on a daily basis. Adding to the difficulties password users face, many organisations require frequent password changes, with 38% suggesting quarterly updates, 27% monthly changes, and 6% recommending daily or weekly changes. This can be an arduous task that delivers minimal security benefits.
The survey also confirms the value of passwords as a target for threat actors, with phishing attacks remaining prevalent. When asked if they’ve ever received a phishing email which they’ve flagged to their security team, over a third of cloud professionals claimed they’d flagged 1-3, 18% flagged 4-6, and nearly a quarter (23%) flagged 7 or more. More worryingly, 11% have received but not flagged a phishing email and one fifth (20%) of respondents simply aren’t sure if they’ve ever accidentally clicked on a phishing link. Nearly one fifth (19%) said colleagues have clicked on a phishing email, and over a quarter admit to doing it themselves - 11% say they’ve done it more than once, and 5% said they do it regularly.
“Widespread user frustration represents a dangerous situation for organisations using password-based systems to protect their data in the face of continued phishing attacks. This survey shows an alarming displaced confidence from cloud professionals - the bottom line is you can't have effective security and advance to meet the promise of Zero Trust Security if you are still using passwords,” commented Patrick McBride, Co-founder of Beyond Identity.
Despite continued attacks targeting credentials and frustrations over password hygiene requirements, the majority of cloud professionals (74%) still believe regularly changing passwords is good cybersecurity practice. Most cloud organisations (82%) use Multi-Factor Authentication (MFA) as an added layer of authentication, with the most popular MFA method being a mobile authenticator app. When asked their opinion on MFA, the general feeling was positive, with over half (55%) claiming to be ‘very confident’ in it as a security measure. This is despite there being an alarming number of successful MFA bypass attacks over the last year, most notably the high-profile cases of Coinbase, Twilio, Reddit, Uber, and Okta.
“Passwords have been used in IT for more than 60 years, but cyber threat actors have driven them into redundancy. And now with MFA-bypass attacks on the rise, it's essential to move beyond first-generation Multi-Factor Authentication (MFA) that uses one-time-passwords and push notifications, and adopt next-generation 'phishing-resistant' MFA for a more effective defence against cyber risks,” added McBride.
Heightened awareness is needed of the distinction between good MFA and outdated MFA that still relies on passwords. The FIDO (Fast Identity Online) Alliance has developed standards to combat the acute vulnerability posed by passwords, and FIDO-based solutions are now recommended at the highest levels of government.
“If you want to eliminate the risk of a breach, you need these foundational systems in place. This research highlights a critical need for cloud organisations to update their prehistoric systems and focus on passwordless authentication and phishing-resistant MFA,” concluded McBride.