Password Strength Needs a Boost
When it comes to passwords, users are often the weakest link in the chain.
According to a survey by researchers at the University of Wisconsin-Madison and IT University in Copenhagen found that just four percent of the people surveyed obeyed best practices for passwords. The survey focused on 836 staff members at company handling "very sensitive private information."
What the academics uncovered was that just four percent of those surveyed obeyed best practice rules for passwords. Others frequently did not, doing things such as using the same passwords for different systems or writing their passwords down on post-it notes.
"On an average, respondents have different 4.1 passwords to logon to different computers and/or access different computer applications at work," the researchers state in their paper. "If we include passwords used at home that number increases to 9. Eighteen percent of the respondents always use the same password to access the different computer systems, application or websites, 50% sometimes use the same password and sometimes another password, and 31% always use different passwords."
This study comes on the back of an analysis of the strength of a batch of stolen passwords Acunetix. The company found similarly that many users were utilizing weak passwords to protect their Microsoft Hotmail accounts.
Just what to do about this, beyond continuing user education, is anybody's guess. But the report from IT University and the University of Wisconsin-Madison suggests it may be time to abandon code words for pictures.
"There are also other solutions to overcome human limitations," the report states. "For example several studies have shown that human beings are better at recognizing pictures than words or sentences and pictures are better stored in the long-term memory...Most efficient are two- or three step authentication methods, for example a combination of a token based ands knowledge-based authentication (for example a smart card in combination with a PIN number), a combination of biometrics and passwords, or a combination of token-based authentication and biometrics, depending
on the level of security needed."
The question is, is your enterprise doing enough?