LastPass report reveals bigger companies have poorer passwords

2 Oct 2018


An in-depth report from password management player LastPass analysed anonymised data from more than 43,000 companies all over the globe.

Passwords are a major aspect of any organisation’s security strategy, but it’s clear that there are still some enterprises straggling behind the curve.

LastPass released the first annual 2018 Global Password Security Report on 1 October and the extensive findings show there is still a lot of work to be done by the business IT community. While businesses are making progress, the report shows that the average password security score of organisations is still only 52 out of 100.

Frank Dickson, vice-president of research at IDC, explained why password hygiene is so crucial. “Security professionals often fail to consider the value of the first factor of enterprise authentication: the password. Despite the sophisticated security measures enterprises are putting in place, something as fundamentally simple as a password is tripping them up.”

Bigger firms, worse passwords

The larger the firm, the weaker its password security, according to LastPass. Organisations with fewer than 25 employees had the highest average security score of 50 out of 100, and this average drops as the company size grows. In larger organisations, more employees mean more apps to vet, more passwords and more challenges in general for beleaguered IT teams.

According to the report, the highest average password security score is in the technology industry, at 53 out of 100. Notably, heavily regulated industries such as banking, insurance, health and government are not achieving comparable scores. Insurance passwords rank at 47 out of 100, while health, banking and government password hygiene scored 49.

The research noted that within the first year of using a password management tool, a business gains nearly 15 security points.

Multifactor authentication on the up

While concerns about password security grow, multifactor authentication (MFA) is increasingly popular. 45pc of the businesses surveyed are using some form of MFA, a major increase from 2017’s 24.5pc. The tech industry is leading the pack, with 31pc adopting MFA. In government, only 2pc are using MFA, while health and insurance are not much higher, at just 3pc.

The problem of password sharing is still rampant, with any given employee sharing six passwords with co-workers on average. This is a concern as teams become more distributed and dependence on technological tools continues to grow.

“Passwords continue to be a challenge to cybersecurity in the workplace, and attacks continue to grow in number and complexity every year. Despite these threats, businesses have struggled to quantify their own level of password risk,” said Gerald Beuchelt, chief information security officer at LogMeIn, LastPass’ parent company.

He added: “This report offers fellow information security managers a tool to compare their own company’s password scores with a large sample of peers and competitors. In turn, security departments are now better equipped to identify the gaps in their security programme and measure progress when investing in password security.”

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects.