Slashdot Mirror

← Back to Stories (view on slashdot.org)

LastPass Reveals the Threats Posed By Passwords in the Workplace (betanews.com)

Posted by msmash on from the security-woes dept.

A reader shares a BetaNews report: A new report by LastPass -- The Password Expose -- reveals the threats posed, and the opportunities presented, by employee passwords. The report starts by pointing out that while nearly everyone (91 percent) knows that it is dangerous to reuse passwords -- with 81 percent of data breaches attributable to "weak, reused, or stolen passwords," more than half (61 percent) do reuse passwords. But the real purpose of the report is to "reveal the true gap between what IT thinks, and what's really happening." Jumping straight into the number, the report says that even in a 250-employee company, there are an average of 53,250 passwords in use -- a near-impossible number to keep track of and to know the strength of. LastPass found that people have nearly 200 passwords to remember, so it's little wonder that password reuse is an issue.

3 of 72 comments (clear)

  1. Stupid Password Rules by Anonymous Coward · · Score: 5, Insightful

    When the rules are "must contain 1 lower case, 1 upper case, 1 number, 1 special character, cannot reuse any of the past 20 passwords, must change every 30 days, etc etc etc", no shit we end up picking a pattern and recycling old passwords.

  2. Re:password management company publishes report... by ctilsie242 · · Score: 3, Interesting

    It is a balancing act. One one hand, if someone uses weak (but memorable) passwords, that can be brute-forced, that is far more likely than a password manager getting compromised, especially a password manager with 2FA.

    However, selecting a password manager is critical. LastPass is one that has had security intrusions succeed... but were mitigated. Some other PW managers which have, as of their latest versions, required cloud access (1Password, mSecure) not just don't have a proven track record... but don't even give any details on what security they actually bother with. For all we know, they could stash everything on a public S3 bucket.

    I like PW managers which piggyback on existing cloud providers and have decent encryption [1], like Enpass or Codebook. That way, not all eggs are in one basket, and Google Drive provides adequate 2FA protection.

    [1]: The idea would be separating the passphrase protecting the database on the cloud provider versus the encrypted copy, or even better, using public key encryption and "introducing" new devices, to make the copy sitting on the cloud provider as brute force resistant as possible.

  3. Re:password management company publishes report... by Average · · Score: 4, Informative

    I can't recommend PasswordStore (passwordstore.org) highly enough. ~400 lines of (quite readable) Bash. GPG. Git. That's the extent of it.

    Combined with my GPG credentials being on a smartcard, I feel like I'm doing the best I can.