Cybersecurity Typography
A study found one-in-five enterprise passwords can be compromised easily. typographyimages/Pixabay

Researchers found enterprise environments, where user accounts often have access to sensitive and proprietary information, are often insecure and nearly 20 percent can be compromised easily.

The findings stem from a study conducted by authentication company Preempt, which used data collected from 220 organizations that use the Preempt Inspector application, which assesses an organization's password health.

Read: Is My Password Secure? NIST Advises Against Periodically Changing Passwords

In addition to one in five passwords being vulnerable, more than 7 percent of all users are actively using a password that has appeared in a previous data leak. This means without any guesswork or attempts to crack an account, an attacker could log into a person’s account using the leaked credentials.

Reusing passwords are associated with accounts involved in leaks also can lead to easy breaches. If a user’s email or name is in a breach and that information can be tied to another one of their accounts that shares the same password, that account can also be hacked despite not directly being involved in the leak.

Adding to the likelihood an account is compromised is the practice of password sharing. Preempt’s data found nearly 15 percent of users in enterprise environments share passwords with colleagues. While the practice may provide convenience when logging into services, it also increases the risk that a password is compromised.

Structure Security
Newsweek is hosting a Structure Security event Sept. 26-27 in San Francisco. Newsweek Media Group

Unsurprisingly, Preempt found organizations with a high percentage of shared passwords also see an increased rate of compromised passwords.

Read: World Password Day: How To Create A Secure Password

While all organizations can fall victim to weak passwords, large organizations tend to have better security practices than smaller ones. This is likely because larger organizations have a dedicated information technology team that can set stricter password requirements and make sure other members of the organization are abiding by those standards.

Organizations based in the United States tended to be less likely to suffer from password compromises. The country had half as many instances of weak passwords compared to the rest of the world. Preempt theorizes this is because awareness of credential theft is much higher in the U.S.

In recent years, the common practices for ensuring password security have changed. Last month, the National Institute of Standards and Technology (NIST) changed its recommendation for periodically changing passwords as a way to increase security.

The government body, which sets the security standards and best practices adopted by many private sector entities including enterprise organizations, advised against requiring password changes unless there is evidence a password has been compromised because requiring rotating credentials often leads to users creating less secure passwords.

NIST also suggested encouraging the use of passphrases — longer passwords that utilize several words — in favor of passwords that often use characters that are difficult to commit to memory. The longer phrases prove more difficult to crack for attackers and easier to remember for users.

Newsweek’s Structure Security conference on Sept. 26-27 in San Francisco will highlight the best practices that security professionals are using to protect some of the world's largest companies and institutions, join us for two days of talks, workshops and networking sessions with key industry players - register now.