Credential security firm Dashlane recently published the third annual Global Password Health Score Report, detailing the global state of password health and hygiene. New to this year’s report is an exclusive analysis of user credential health and practices in business environments, showing significant differences in password health and credential behavior based on organization size. Overall, Dashlane found that password health has continued to improve globally each year since its first report in 2022. However, password reuse and other poor security practices remain prevalent – and with passkeys and other passwordless technology still in early adoption, organizations need to account for the risk of weak, reused and compromised passwords as credential-based breaches persist.
The Dashlane Global Password Health Score Report is based on aggregated, anonymized data from millions of users and over 23,000 businesses protected by Dashlane. Report findings are based on the Password Health Score, calculated using Dashlane’s proprietary algorithm, which factors in the number of weak, reused/similar, and compromised passwords in each Dashlane user’s vault. Scores range from 20 to 100, with higher scores indicating greater health.
Company size is less important than other factors when it comes to security
According to this year’s report, small businesses had the greatest average number of credentials per user (122), followed by midsize businesses (76) and enterprises (53). Larger organizations tend to have more mature identity and security stacks, employing controls such as single sign-on (SSO), which reduces the number of credentials in use by employees. Even with SSO, however, the number of credentials in enterprise environments represents a significant risk if not properly secured – businesses looking to manage their entire digital footprint likely won’t be able to do so without a credential manager.
Greater company size and budget also did not necessarily correlate with better password health and hygiene, as midsize businesses had the lowest share of compromised passwords (1.9%), followed by enterprises (2.9%) and small businesses (3.4%). Enterprise businesses had the greatest share of password reuse (51.7%), compared to midsize businesses (43.9%) and small businesses (41.8%), showing there is still much work to be done in helping users make better security decisions.
Password health and hygiene improve, yet reused passwords persist worldwide
Overall, the average regional Password Health Score was between 72.6 (Northern America) and 79.8 (Eastern Europe). While each region landed in the “Needs Improvement” range (scores between 60 and 90), all regions improved their scores by 2-4% over the past year. Efforts to improve scores in the years to come will be key in helping to stem the tide of credential-based attacks, which are still the leading cause of breaches and a dominant concern for businesses of all sizes.
Despite this encouraging trend, data shows that for the average global user, between 40% and 50% of passwords are still reused, which puts users at greater risk of opportunistic, wide-net attacks and can cause a domino effect if even one credential is weak or compromised.
“Good password hygiene is an essential part of strengthening users against credential-based threats, and hardening enterprises from breach,” said John Bennett, Chief Executive Officer at Dashlane. “The continued improvements we see in password health are a big step in the right direction, but there is still a lot of room for education and encouraging users to update passwords as we simultaneously work to transition to a more secure, passwordless future.”
Tech-savvy industries are more secure, while primarily in-person industries lag
Famously “online” and tech-savvy industries, including Software & Tech, and Information, Media & Telecommunications, are leading the pack when it comes to best cyber practices and high Password Health scores. In a close third place is Education, an industry that has long been a target for hackers and ransomware, and has clearly taken steps to bolster its security and protect student and faculty data.
A mixed bag of industries received the lowest security scores, including some that are typically viewed as technology laggards, such as Legal, as well as industries where work largely takes place in offline, physical locations, like Manufacturing and Construction. Amid prominent recent healthcare breaches, the Healthcare industry also fell in the bottom five, underscoring the importance of using security tools like password managers to ensure the protection of highly sensitive data.
Improving security hygiene can be simple
There are simple steps that organizations can take to improve their overall security hygiene, from deploying password managers and strong multi-factor authentication across their workforce to keeping systems updated.