Passwords: How difficult can it be to get it right?

Posted on March 10th, 2005

Employees and businesses still making an almighty hash of authentication…

Despite a welter of warnings in recent years it appears employees are still failing to engage their brains when it comes to the simplest of tasks – managing their passwords effectively.

Recent findings show a staggering 50 per cent of employees still write down their passwords while one-third of employees share their passwords.

Tony Caputo, who commissioned the research, said such failings mean ‘passwords alone do not provide sufficient security’.  

Part of the problem appears to be a lack of initiative in tackling ‘password overload’: 80 per cent of respondents need to use three or more passwords, 67 per cent use passwords across five or more applications, and 31 per cent use them to access nine or more applications.

The findings also revealed more companies are now thinking about this problem but are possibly only making more trouble for themselves by doing so.

Sixty-eight per cent of companies surveyed have been requiring employees to use longer or more complicated passwords for more than 12 months now, and there has also been an increase in how often staff must change their passwords.

Almost a quarter (23 per cent) of companies require password changes at least three times a year, while 15 per cent insist upon changes at least five times per year and 30 per cent require staff to change their passwords at least seven times per year. But such policies, while suggesting awareness of the risks, can bring their own problems.

Peter Dorrington, director of fraud solutions, told us passwords are fundamentally flawed because they meet human error in a head-on collision. ‘I’ve heard of companies trying pretty much everything. One firm insisted staff use long complicated passwords which couldn’t easily be guessed – combining numbers with upper and lower case letters. The next day they walked around the office and almost everybody’s passwords were written on Post-It notes on their monitors because they couldn’t remember them.’ Of course, making a password easy to remember tends to make it easier to guess.
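The failure mode in the paragraph above, that a password can satisfy every composition rule (length, mixed case, digits) and still be one of the first things an attacker guesses, as an added Python example that is not code from the article or from any firm quoted in it. The length threshold, the rotation interval and the small list of common guesses are assumptions constructed for the example; the normalisation step undoes the minimal tweaks (a trailing digit, an `@` for an `a`) that people typically apply to make a memorable word pass the policy.

```python
import re
from datetime import date, timedelta

# Assumed policy values for this example (not figures from the article):
# minimum length, and a maximum age roughly matching "at least seven changes a year".
MIN_LENGTH = 8
MAX_AGE_DAYS = 52

# Constructed mini word-list of guessable base words; a real attacker's list is far larger.
COMMON_GUESSES = {"password", "welcome", "letmein", "qwerty", "monkey", "company"}


def meets_composition_rules(pw: str) -> bool:
    """True if pw satisfies the length / upper-case / lower-case / digit policy."""
    return (
        len(pw) >= MIN_LENGTH
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"[0-9]", pw) is not None
    )


def normalise(pw: str) -> str:
    """Strip the usual policy-satisfying tweaks: leading/trailing digits and
    symbols, and the common letter-for-digit/symbol substitutions; then lower-case."""
    core = pw.strip("0123456789!@#$%^&*")
    swaps = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                           "5": "s", "@": "a", "$": "s"})
    return core.translate(swaps).lower()


def is_easily_guessed(pw: str) -> bool:
    """True if the password reduces to a common base word after normalisation."""
    return normalise(pw) in COMMON_GUESSES


def needs_rotation(last_changed_iso: str, today_iso: str) -> bool:
    """True if the password is older than the assumed maximum age (ISO dates)."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_changed) > timedelta(days=MAX_AGE_DAYS)


def evaluate(pw: str, last_changed_iso: str, today_iso: str) -> dict:
    """Combine the three checks so the tension between them is visible."""
    return {
        "policy_ok": meets_composition_rules(pw),
        "guessable": is_easily_guessed(pw),
        "rotation_due": needs_rotation(last_changed_iso, today_iso),
    }


if __name__ == "__main__":
    # Constructed sample inputs: two "compliant" passwords built from common
    # words, one random-looking one, and the article's publication date.
    for candidate in ("P@ssw0rd1", "Welcome2024!", "xK9#mQ2vLp"):
        print(candidate, evaluate(candidate, "2005-01-01", "2005-03-10"))
```

Running it shows `P@ssw0rd1` and `Welcome2024!` passing the composition check while being flagged as guessable, which is exactly the outcome the quoted firm ran into: the rules were met on paper, but the passwords were either written down or trivially derived from a dictionary word.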

Caputo added that while employees writing down their passwords can undermine security and cost a company dear, employees who favour a ‘call the helpdesk’ approach to logging in after forgetting their password are similarly putting an unnecessary drain on company resources.

Dorrington told us his favoured method of authentication is biometrics – such as fingerprint recognition.

‘You always have your biometrics with you and they are far more reliable than passwords which can be found out or socially engineered out of you,’ said Dorrington.

By Will Sturgeon (Silicon)