Password hygiene headed ‘in the right direction,’ Dashlane CTO says

Don’t put the grades up on the fridge just yet, though.

Michaelquirk/Getty Images


Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Password grades are improving, but the C-level grades aren’t ready for refrigerator display just yet.

A recent survey from credential manager Dashlane found that end-users are getting in better digital shape and improving their password health—a climbing figure that in 2024 includes more frequent use of lengthier passwords and less frequent use of recycled ones. The improvement, however, is slight, a pro at the company warned IT Brew.

“We’re going in the right direction: in terms of progress, of credential hygiene in the organization, but it’s very slow progress,” Dashlane CTO Frédéric Rivain said.

The password health score—a Dashlane-developed algorithm factoring in a user’s weak, reused, similar, and compromised passwords—has improved globally, according to the company’s 2024 Global Password Health Score report.

  • The scores improved between 2% and 4% in all regions. “This is due to the continued decrease in reused and compromised passwords globally,” the Dashlane report read.
  • North America had the lowest security score of any region (72.6 out of 100), but still improved from 2023’s number: 70.9.
  • All scores are still in the “needs improvement” range, according to the password-management vendor. While the report shared an overall decrease in compromised passwords, the study also revealed that the average global user still has between 40–50% reused passwords.

According to IBM’s Cost of a Data Breach report, released in July, the average cost of an intrusion involving compromised credentials was $4.81 million. Breaches involving stolen credentials took the longest to identify and contain out of any attack vector, at 292 days.

Cybercrime analytics provider SpyCloud, in its 2024 identity exposure report, released in March, found a 74% reuse rate “for users exposed in two or more breaches in the last year, an uptick from the previous year’s 72%.”

The National Institute of Standards and Technology (NIST)’s August 28 guidelines recommend that verifiers shall not impose composition rules, like requiring a mix of different character types. Also: authenticators shall require a minimum of eight character passwords and should require passwords of at least 15 characters.

Rivain sees character-generating password managers helping to enforce mandates like strong, long passwords. “Don’t let your users manage the passwords and let the machine do it,” he advised.

A report from the National Cybersecurity Alliance, released last month, found that 65% of about 7,000 global respondents reported using a separate password either “all of the time” or “a majority of the time.”

Under half (46%) of those surveyed had never used a password manager—a 10% improvement from last year.

Lisa Plaggemier, executive director at the NCA, prefers authentication methods like multi-factor authentication and “zero trust” infrastructure, she told IT Brew, which consultancy Forrester defines as “an information security model that denies access to applications and data by default.”

Passwords, Plaggemier suggested, may be the unhealthy choice.

“If you look at what they’re meant to do, they’re woefully inadequate.”
