
July 16, Call in at 12:55 p.m. Eastern time WEBINAR Passwords: The Good, The Bad, And The Ugly Merritt Maxim, Senior Analyst.

Presentation transcript:

Slide 2: July 16, 2015. Call in at 12:55 p.m. Eastern time. WEBINAR: Passwords: The Good, The Bad, And The Ugly. Merritt Maxim, Senior Analyst.

Slide 3: © 2015 Forrester Research, Inc. Reproduction Prohibited. We work with business and technology leaders to develop customer-obsessed strategies that drive growth.

Slide 4: Webinar abstract
› To paraphrase the great humorist Mark Twain, rumors of the death of passwords have been greatly exaggerated. While people lament the challenges and problems posed by passwords, they remain a core authentication and security technology.
› This spring, Forrester completed a quantitative end-user survey to gauge organizations’ current password policies and usage, including their current challenges. The survey also provided perspectives on the future of passwords and how other technologies might replace passwords completely.
› In this webinar, Forrester security and risk analyst Merritt Maxim reviews the survey’s key findings and offers practical guidance and recommendations for password management that security and risk professionals can use to keep administrative costs and risks in check.

Slide 5: Webinar abstract (cont.)
› Key takeaways: Gain perspective on key password trends and how they apply to your own organization. Learn how to plan an appropriate security strategy for your own organization to address these trends.

Slide 6: Agenda
› Background
› Key takeaways
› Passwords: the good
› Passwords: the bad
› Passwords: the ugly
› Recommendations
› Q&A

Slide 7: As long as there are passwords, there will be breaches.

Slide 8: Train control center passwords revealed on BBC TV.

Slide 9: Are passwords dead? What’s next? What’s the problem with passwords?
› Passwords seem cheap, but they are: fatigued, shoulder-surfed, decryptable, breached.

Slide 10: Passwords affect user experience
1. Get email notification that your password was breached.
2. Reset to a more complex password.
3. Use the password.
4. Hackers compromise the website.
5. Hackers steal passwords.
6. Go to No. 1.

Slide 11: Authentication is a difficult balance between operational efficiency, asset security, and customer satisfaction.

Slide 12: Key takeaways: Forrester Employee Password Survey
› Employers have converged on a common password structure.
› Passwords are still a major internal cost and drain on employee productivity.
› Single enterprisewide password policies are elusive.
› Cloud security concerns are not influencing password policies.

Slide 13: Passwords: the good

Slide 14: Organizations have aligned on common password anatomy for employees. Source: Forrester Password Usage And Trends Survey, 2015.

Slide 15: Organizations have standard policies for employee password length and format. Source: Forrester Password Usage And Trends Survey, 2015.

Slide 16: Organizations are using two-factor authentication (2FA). Source: Forrester Password Usage And Trends Survey, 2015.

Slide 17: Employers are leveraging employee-specific data for account lockouts. Source: Forrester Password Usage And Trends Survey, 2015.

Slide 18: Employers are raising awareness about password issues. Survey question: “Do you conduct social engineering experiments to test users’ security awareness and willingness to disclose passwords, including required annual security policy and password education training?” Source: Forrester Password Usage And Trends Survey, 2015.

Slide 19: Passwords: the bad

Slide 20: Organizations have many different password policies. Source: Forrester Password Usage And Trends Survey, 2015.

Slide 21: Password resets cost approximately $168 per employee per year. Source: Forrester Password Usage And Trends Survey, 2015.

Slide 22: Passwords: the ugly

Slide 23: Concerns about cloud security have not influenced SaaS passwords. Source: Forrester Password Usage And Trends Survey, 2015.

Slide 24: Contractors and nonemployees have the same password policies as employees. Source: Forrester Password Usage And Trends Survey, 2015.

Slide 25: Password policies often require exceptions. Survey question: “Do you allow exceptions to your official password policy?” Source: Forrester Password Usage And Trends Survey, 2015.

Slide 26: Real-world sample of password resets: large US public university
› 300,000-plus accounts.
› 7,900-plus users/month doing password resets.*
› 52% reset via self-service.
› 48% cannot reset.
› 25% call help desk.
› 75% reset via KBA.
*Organization does not have a formal password expiration policy.

Slide 27: Other password issues
› Knowledge-based authentication (KBA) for resetting is imperfect and a threat vector. Google survey:* 37% of respondents admitted to providing fake answers; 40% of users were unable to recall their answers as part of the account recovery process.
› “IRS Get Transcript Breach,” Spring 2015: hackers have successfully completed verification questions to file bogus tax returns.
*Taken from Research at Google.

Slide 28: Forrester’s recommendations
› Risk assessments should drive password policies.
› Implement stronger passwords for nonemployees.
› Deploy IAM solutions to alleviate password costs and realize a compelling ROI.
› Apply lessons from consumer passwords to improve the employee experience.
› Implement an official password exceptions management process.

Slide 29: Passwords are still here: what to do about it
› Embrace password co-existence for the next three or more years.
› Strive for password replacement via SAML and two-factor authentication. SAML for Web and SaaS apps reduces password usage and simplifies the user experience. Two-factor authentication is a viable alternative for replacing passwords to select systems, with a wide range of form factors available (e.g., smartphone, desktop, and standalone token). A large and vibrant vendor ecosystem exists to provide SAML SSO and 2FA solutions.
› Strategize about a password-free future now.

Slide 30: What about biometrics?
› Cons: Enrollment process. Not entirely deterministic. Server-side database needs to be encrypted.
› Pros: Solves the out-of-band problem. Mobile devices’ camera and microphone are a given. In combination with one another and context, they can replace passwords. Server- and client-side are both viable.

Slide 31: Selected Forrester Research
› “The Forrester Wave™: B2E Cloud IAM, Q2 2015”
› “Top 11 Trends S&R Pros Should Watch: 2015”
› Upcoming: “The State Of Employee Passwords: The Good, The Bad, And The Ugly, Part 1”
› Upcoming: “The State Of Employee Passwords: The Good, The Bad, And The Ugly, Part 2”

Slide 32: Selected Forrester Research (cont.)
› “Develop Identity And Access Management Metrics For Employee And Customer Processes”
› “Know Your Adversary”
› “Quick Take: Fifteen Lessons For Security & Risk Pros From The IRS Get Transcript Breach”

Slide 33: Security and risk analyst team
Stephanie Balaouras, Vice President, Research Director; Christopher McClean, Vice President, Research Director; Andras Cser, Vice President, Principal Analyst; Nick Hayes, Analyst; Rick Holland, Principal Analyst; Merritt Maxim, Senior Analyst.

Slide 34: Security and risk analyst team (cont.)
John Kindervag, Vice President, Principal Analyst; Martin Whitworth, Senior Analyst; Renee Murphy, Senior Analyst; Heidi Shey, Analyst; Tyler Shields, Principal Analyst; Chris Sherman, Analyst.

Slide 35: Thank you. forrester.com. Merritt Maxim, mmaxim@forrester.com, Twitter: @merrittmaxim.

