The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Passwordless Authentication Adoption Increases but Poor Password Practices Persist

A recent survey of IT decision makers has provided insights into password management practices and has confirmed the increasing adoption of passwordless authentication. This is the third year that the password manager provider Bitwarden has conducted its Password Decisions Survey. This year's survey was conducted by Propeller Insights on 400 American IT decision makers and 2,000 Internet users and revealed their password habits and their attitudes toward password security and passwordless authentication technologies.

The survey confirmed that little has changed over the past 12 months, with poor password practices proving difficult to eliminate. Password manager use declined slightly year-over-year, with 84% of IT decision makers saying they use password management software at work, down from 84% in 2022, but up from 77% in 2021. The slight decline may be in part due to a significant data breach at LastPass in 2022. While the password manager was not breached, hackers gained access to an encrypted backup copy of the password vaults of an unspecified number of users.

Despite this, password managers are still widely thought to improve password security and the survey indicates there is considerable demand from employees for password managers, with 79% of Internet users saying they would like their employer to provide one. While 84% of respondents said they use a password manager at work, poor password practices are still common, with 54% of respondents admitting to saving their passwords in a document on their computer (53% in 2022), 45% relying on memory for passwords (42% in 2022), and 29% writing their passwords down (unchanged). 22% of employees claim they have been reusing the same password for more than a decade.

While 66% of IT decision makers said they share passwords securely via a password manager, a significant percentage use less secure methods such as email (41%), shared online documents (38%), chat and messaging apps (30%), verbal disclosures (27%), and written notes (22%). Worryingly, 90% of IT decision makers admitted to reusing passwords in the workplace, down slightly from 92% in 2022. Among the respondents that do reuse passwords, the extent of reuse is falling: 11% reuse passwords on 15+ sites (15% in 2022), 24% use the same password on 10-15 sites (27% in 2022), 36% reuse passwords on 5-10 sites (33% in 2022), and 19% use the same password on 1-5 sites (16% in 2022).

2-factor authentication can significantly improve security and adoption is growing, with 92% of respondents saying they use it in the workplace, up from 88% in 2022. The most common reasons for not implementing 2-FA are believed to be a failure to understand the benefits, a belief that passwords alone provide good enough protection, a belief that account hacking is unlikely, and the negative effect of the additional authentication step on workflows.

Despite the risks of using unauthorized software and hardware (shadow IT), 32% of IT decision makers admitted to using unauthorized devices and software as did 49% of employees. The majority of people who admitted to using shadow IT (73%) said they did so because it helps them work more efficiently. 52% said they still used unauthorized software or hardware when they were unable to get authorization to use it, and 50% just went ahead because of the slow response times for authorization from the IT department.

The increasing cost of data breaches and the rate at which they are occurring have prompted organizations to seek cyber insurance. 75% of surveyed IT decision makers said they have cyber insurance policies, but insurers are demanding proof of security measures before they agree to provide coverage. 65% of IT decision makers said they had to demonstrate that they provided security awareness training to employees; others had to show they had multifactor authentication (64%), used a password manager (61%), had an incident response plan (50%), had adequate data backup processes (48%), or were patching regularly (28%). Only 3% of organizations were not required to provide any proof that these measures were in place.

Concern about password security and the number of password-related data breaches are driving the adoption of passwordless technology such as biometrics, passkeys, and security keys. 41% of respondents believe passwordless authentication provides better security, 24% say it improves the user experience, 17% say it reduces the burden on the IT department, and 19% believe it improves productivity. 57% of U.S. respondents said they were excited about passwordless technology, with 49% saying they have either deployed the technology or are planning to, although of those that have started to adopt passwordless authentication, 87% have yet to roll it out across the entire organization. Of the organizations that have adopted the technology, 51% use biometrics such as facial recognition, fingerprints, or voiceprints, and 31% use a physical item such as a security key or FIDO auth.

One of the major reasons for reluctance to use passwordless technology such as fingerprints, voiceprints, and face IDs is the fear that it would be used against them, which was a concern for 36% of respondents that have yet to adopt the technology. 55% of respondents said they prefer to rely on memory for passwords, even though people who rely on memory tend to create much weaker passwords. Remembering passwords also leads to productivity losses: 58% of respondents said they regularly have to reset their passwords because they have forgotten them, with 12% saying it is an everyday occurrence.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.