In a related note, this story about a Quest-sponsored Aberdeen study indicates that 52 percent of organizations do not require strong authentication to access sensitive data:
Quest Software, Inc. underwrote an Aberdeen Group benchmark study, “Strong User Authentication,” which shows that 52 percent of organizations require only passwords for employees to access critical data, rather than augmenting passwords with stronger forms of authentication such as hardware tokens, digital certificates or risk-based scoring. Nearly 150 organizations from a diverse set of global industries were polled for the study.
Other key findings of the Aberdeen benchmark study include:
- 88 percent of enterprise users have multiple work-related passwords, averaging between five and six
- 64 percent of organizations do not even require users to change their passwords
- 45 percent of organizations allow standard dictionary terms (like “password”)
- 29 percent of organizations have no requirements for password length
None of these stats surprise me.
Jackson Shaw of Quest is quoted in the article as well:
“With the recent, well-publicized incidents of network and identity theft, companies need to put security first and require more than just passwords for user authentication,” said Jackson Shaw, senior director, product management, Quest Software. “Helping our customers increase security and mitigate the risk associated with compromised confidential information has become a top priority at Quest. As a result, Quest offers solutions for two-factor authentication as well as single sign-on, provisioning, password management, role management, auditing and compliance reporting.”
I’m not sure what Quest product Jackson is referring to as far as provisioning. Perhaps he is referring to strong authentication credential provisioning. Aside from that, it’s a very interesting article.