Almost half of enterprise apps don't handle credentials securely


A new report from Orchid Security shows nearly half of enterprise applications violate basic credential-handling guidance, with 44 percent undermining centralized identity provider (IdP) policies and 40 percent falling short of widely accepted identity-control standards.
Orchid analyzed the authentication flows and authorization practices embedded deep within enterprise applications and found clear-text credentials in nearly half. These are normally associated with alternative access flows, often for non-human accounts, but they also present an easy target for threat actors seeking entry or lateral movement.
While IdPs are very common within enterprises and a valuable tool to centralize secure authentication practices, the research finds that 44 percent of the time no IdP was utilized by at least one authentication path offered by the application.
Basic best practices for identity security include monitoring and even rate limiting login attempts, locking accounts after a set number of failed attempts, enforcing password complexity, configuring token lifetimes and more. Yet the report finds each of these controls missing roughly 40 percent of the time.
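The controls listed above, as an added Python reference implementation that is not code from Orchid or the report; the thresholds, the AuthGuard class and its method names are assumptions chosen for this example, not figures or interfaces the report describes.

```python
import secrets
import time
from collections import defaultdict, deque
MAX_FAILURES = 5            # lock after this many failures in the window (assumed values throughout)
FAILURE_WINDOW = 300        # seconds over which failed attempts are counted
LOCKOUT_SECONDS = 900       # how long a locked account stays locked
MAX_ATTEMPTS_PER_MIN = 10   # per-account rate limit, successful or not
TOKEN_LIFETIME = 3600       # seconds a session token remains valid

def _prune(dq, window, now):
    while dq and dq[0] <= now - window:      # drop events that fell outside the window
        dq.popleft()
class AuthGuard:
    def __init__(self, now=time.time):
        self.now = now                       # injectable clock, so tests can advance time
        self.failures = defaultdict(deque)   # account -> timestamps of failed logins
        self.attempts = defaultdict(deque)   # account -> timestamps of all attempts
        self.locked_until = {}               # account -> time the lockout ends
        self.tokens = {}                     # token -> (account, issued_at)
    def check_login(self, account, password_ok):
        now = self.now()
        if self.locked_until.get(account, 0) > now:
            return "locked"                  # locked: the password is not even evaluated
        att = self.attempts[account]
        _prune(att, 60, now)
        if len(att) >= MAX_ATTEMPTS_PER_MIN:
            return "rate_limited"            # too many attempts this minute, good or bad
        att.append(now)
        fails = self.failures[account]
        _prune(fails, FAILURE_WINDOW, now)
        if password_ok:
            fails.clear()                    # a successful login resets the failure count
            return "ok"
        fails.append(now)
        if len(fails) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            fails.clear()
            return "locked"
        return "failed"
    def issue_token(self, account):
        token = secrets.token_urlsafe(32)    # opaque random session token
        self.tokens[token] = (account, self.now())
        return token
    def validate_token(self, token):
        account, issued = self.tokens.get(token, (None, 0))
        if account is None or self.now() - issued > TOKEN_LIFETIME:
            self.tokens.pop(token, None)     # expired tokens are dropped, never extended
            return None
        return account
```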
"These identity security gaps are by no means a reflection on today’s identity and access management teams," says Roy Katmor, CEO and co-founder of Orchid Security. "The reality is, with the average enterprise relying on more than 1,200 applications -- some developed and deployed globally, others introduced by regional offices or specific lines of business -- it is a huge challenge to simply know all of the apps in use. Let alone to fully understand not only the standard audited identity flows, but also all feasible authentication pathways and authorization attributes within each application. That complexity is only compounded by the fact that, until now, the process has been largely manual."
To address the problem there are a variety of common tools and methods that enterprises can use to assess their environments for identity security exposures. These include static application security testing (SAST), architecture reviews, penetration testing and using Security Information and Event Management (SIEM) to monitor applications.
"Organizations can no longer afford to overlook identity as a central element of their security posture," adds Katmor. "Even without automated tools such as Orchid Security in place, there are practical steps teams can take, from manual code reviews to architecture and monitoring enhancements. Identity remains the most common attack vector, and proactive, layered assessment is key to reducing exposure."
You can get the 2025 State of Identity Security report on the Orchid site.