Cloud professionals remain “overly attached” to passwords

Cloud pros remain overwhelmingly confident in passwords, according to new research

Posted 10 May 2023 by Christine Horton

Most cloud professionals remain overly attached to the use of passwords despite their security vulnerabilities, according to new research.

The survey of more than 150 cloud industry professionals was conducted at the recent Cloud Expo Europe event by Beyond Identity.

Eighty-three percent of cloud pros are confident about passwords’ security effectiveness, and more than a third (34 percent) said they are very confident. However, Beyond Identity pointed to stats that show that insecure password practices are regularly exploited in cyberattacks worldwide, with 80 percent of all breaches using compromised identities.

When asked about their experiences of using passwords, cloud pros described a range of frustrations. More than half of respondents (60 percent) find it frustrating to remember multiple passwords, 52 percent are frustrated by having to regularly change their passwords, and another 52 percent are frustrated by the requirement to choose long passwords containing numbers and symbols.

The number of passwords used daily by cloud pros further underlines these challenges, said the firm. A quarter of respondents (26 percent) use 4-5 passwords, with 10 percent using 10 or more passwords on a daily basis. Many organisations require frequent password changes, with 38 percent suggesting quarterly updates, 27 percent monthly changes, and six percent recommending daily or weekly changes. This can be an arduous task that delivers minimal security benefits.

Phishing attacks

The survey also confirms the value of passwords as a target for threat actors, with phishing attacks remaining prevalent. When asked if they’ve ever received a phishing email which they’ve flagged to their security team, over a third of cloud pros claimed they’d flagged 1-3, 18 percent flagged 4-6, and nearly a quarter (23 percent) flagged 7 or more.

Additionally, 11 percent have received but not flagged a phishing email and one fifth (20 percent) of respondents simply aren’t sure if they’ve ever accidentally clicked on a phishing link. Nearly one fifth (19 percent) said colleagues have clicked on a phishing email, and over a quarter admit to doing it themselves – 11 percent say they’ve done it more than once, and five percent said they do it regularly.

“Widespread user frustration represents a dangerous situation for organisations using password-based systems to protect their data in the face of continued phishing attacks. This survey shows an alarming, displaced confidence from cloud pros – the bottom line is you can’t have effective security and advance to meet the promise of Zero Trust Security if you are still using passwords,” said Patrick McBride, co-founder of Beyond Identity. 

Despite attacks targeting credentials and frustrations over password hygiene requirements, most cloud pros (74 percent) still believe regularly changing passwords is good cybersecurity practice. Most cloud organisations (82 percent) use multi-factor authentication (MFA) as an added layer of authentication, with the most popular MFA method being a mobile authenticator app. When asked their opinion on MFA, the general feeling was positive, with more than half (55 percent) claiming to be ‘very confident’ in it as a security measure. This is despite an alarming number of successful MFA bypass attacks over the last year, most notably the high-profile cases of Coinbase, Twilio, Reddit, Uber, and Okta.

“Passwords have been used in IT for more than 60 years, but cyber threat actors have driven them into redundancy,” said McBride. “And now with MFA-bypass attacks on the rise, it’s essential to move beyond first-generation multi-factor authentication (MFA) that uses one-time-passwords and push notifications, and adopt next-generation ‘phishing-resistant’ MFA for a more effective defence against cyber risks.”