People and Passwords are still the weak link – Yubico report

Passwordless future

Yubico’s new report, ‘The 2019 State of Password and Authentication Security Behaviours’, shows that passwords continue to trip up users and compromise security, and that most users have yet to move to more secure multi-factor authentication.

Yubico makes the YubiKey, a physical USB key that helps secure devices and accounts that rely on passwords. Our review says it is a no-brainer for enterprises to implement but perhaps a little complex for Joe and Jane Average, although not beyond them.


Back to the Yubico report

Ponemon Institute surveyed 1,761 IT and IT security practitioners in the United States, United Kingdom, Germany and France.

The purpose was to understand the beliefs and behaviours surrounding password management and authentication practices both in the workplace and at home.

The goal was to understand if these beliefs and behaviours align, and why or why not.

The conclusion is that despite the increasing concern regarding privacy and protection online and a greater understanding of the best security practices, individuals and businesses are still falling short. Both parties are in dire need of solutions that will offer both added security and convenience.

Stina Ehrensvard, CEO and Founder, Yubico, said:

“For decades, passwords have been the primary method of authentication used to protect data and accounts from unauthorised access. However, this multi-country research illustrates the difficulties associated with proper password hygiene. With every new password breach that we see, it’s increasingly clear that new security approaches are needed to help individuals manage and protect their accounts both personally and professionally.”


Perhaps a bit prophetic, given these comments were made just before the latest release of 2.2 billion users’ emails and passwords in Collection #2-5 (GadgetGuy article here).

All surveys can ‘prove a point’, but Ponemon does not go there. It found:

  • 64% have become more concerned about the privacy and security of their personal data over the past two years. They are most concerned about their Social Security number or citizen ID, payment account details and health information. The reasons:
    • 59% potential for government surveillance
    • 51% the growing use of mobile devices
    • 40% the growing use of connected IoT devices and voice control
  • 47% say their companies are most concerned about protecting customer information
  • 45% say they are most concerned about protecting employee information.

As cyber attacks become more prevalent, vulnerabilities created by poor password and authentication practices lead to attacks such as phishing.

  • 51% had a phishing attack in their personal life
  • 44% had a phishing attack at work. While phishing attacks are frequent, 57% have not changed their password behaviours.
  • 69% admit to sharing passwords with their colleagues in the workplace to access accounts. Remember the golden rule – only one person can keep a secret.
  • 51% reuse an average of five passwords across their business and/or personal accounts.

A username and password is the ‘norm’. What about more protection?

  • 67% do not use any form of two-factor authentication in their personal life
  • 55% do not use it at work

Ponemon says that we need new security approaches to help manage and protect private and business passwords.

Yubico points out (as you would expect) that the average person spends 12.6 minutes each week, or 10.9 hours per year, entering and/or resetting passwords. And because managing passwords is such a chore, 57% would like password-less logins to protect their identity. Enter YubiKey.