Study Reveals Bad Password Habits

A new study reveals disconcerting news about most users' security habits.

The majority of users mishandle their passwords and user IDs, forget their passwords on a regular basis and then resort to calling their IT departments for help when they can't log on to their PCs, according to a new survey.

The results of the study, done by security vendor Rainbow Technologies Inc. and released Tuesday, should come as no surprise to anyone in the IT world. Most enterprise IT workers are painfully familiar with the poor security habits of the users they support. However, the extent to which users drop the ball and endanger their corporate networks is nonetheless disconcerting.

"It surprised me how aware people were of how weak passwords are, and yet they continue to rely on them," said Bernie Cowens, vice president of security services at Rainbow. "You can see that they are really no security at all. Passwords are a real problem, but we continue to keep our heads in the sand and our fingers crossed."

In a survey of 3,000 administrators, managers and security specialists, Rainbow found that 55 percent of users write their passwords down at least once and that nine percent write down every password at some point. Even worse, 40 percent of the respondents said their users share passwords with co-workers or other people.

The survey also found that some of the security measures that companies have put in place to strengthen passwords have actually backfired. A common corporate policy is to require users to select passwords that either include both letters and numbers or are simply a string of letters that don't form a word. The idea is to defeat so-called dictionary attacks, which use automated tools to try thousands of words until one matches the user's password.

However, 80 percent of respondents to the survey said that this policy has in fact increased the likelihood that users will either write down or forget their passwords.

"It was clear from the survey that while the implementation of password strengthening methods may make IT and business managers feel better about the use of passwords, they may not result in stronger actual security," the company said in its introduction to the survey results. "In fact the security may be weaker, which represents a fundamental flaw in the password paradigm."

But not all of the blame for the poor state of password management should fall to users. Rainbow, based in Irvine, Calif., also found that almost 20 percent of respondents are not required to change their passwords on a regular basis and only 38 percent have to switch passwords five or more times each year.

"This is a very poor security policy to start with. Obviously, people recognize today the weaknesses of passwords. It's hard to fathom that some organizations don't require [password changes] at all," Cowens said.