In its recently released third annual Global Password Security Report LastPass analyzed more than 47,000 businesses to share interesting and helpful insights into employee password behavior at businesses around the world. The report is free, but you will have to give up some contact information to download it.

The key takeaways are:

• Businesses still have a lot of work to do in the area of password and authentication security.

• Businesses are increasing their use of multi-factor authentication (MFA) but employees still have poor password hygiene.

• While businesses are investing in authentication security solutions, more action is needed to increase password hygiene.

A few key highlights from this year’s report:

• 57% of businesses globally have employees using MFA; up from 45% the previous year.

• 87% of companies with more than 10,000 employees are using MFA, but only 27% of companies with 25 employees or fewer are using MFA, and according to the 2019 Verizon Data Breach Investigations report, 43% of cyber-attacks are aimed at small businesses.

• Password reuse is still widespread. This puts people at risk of becoming victims of credential stuffing attacks.

• Increased regulations appear to be driving additional security awareness, especially in the EMEA region with the General Data Protection Regulation (GDPR) and in the APAC region with the Australian Notifiable Data Breaches (NDB). Both GDPR and NDB mandate the reporting of data breaches.

The report’s revelations are both positive and negative. While it only samples companies that use LastPass (arguably the type of companies likely to invest in cybersecurity) we can see that even in this sampling, there is a lot of work to do.

The report ends with some solid advice.

1. Take access security seriously.


2. Make a plan.


3. Mandate the use of a password manager.

4. Train, train and train some more.

5. Turn on multi-factor authentication.

6. Regularly check your Security Score and keep tweaking your approach. (For LastPass users)

If you are not using a password manager in your business and personal lives, you should seriously consider making that change. While I’m no expert on the human mind, I’ll go out on a limb here and say that our brains are incapable of remembering the passwords to every one of our hundreds of accounts (at least my brain can’t do that). So reduce your risk and get a password manager. I have happily used LastPass for years but there are others out there too. Here are a few articles that compare and contrast the leading password managers.

https://www.consumersadvocate.org/password-manager
https://www.pcmag.com/article2/0,2817,2407168,00.asp  
https://www.wired.com/story/password-manager-autofill-ad-tech-privacy/  
https://lifehacker.com/5529133/five-best-password-managers  
https://www.consumerreports.org/digital-security/everything-you-need-to-know-about-password-managers/  

Once you decide on a password manager, be sure to enable MFA anywhere and everywhere you can!