• silicon.com
• Technology
• Security

By Will Sturgeon, 9 March 2005 10:10

NEWS Despite a welter of warnings in recent years it appears employees are still failing to engage their brains when it comes to the simplest of tasks – managing their passwords effectively.

Recent findings show a staggering 50 per cent of employees still write down their passwords while one-third of employees share their passwords.

Tony Caputo, CEO of SafeNet, who commissioned the research, said such failings mean "passwords alone do not provide sufficient security".

Part of the problem would seem to be a lack of initiative for overcoming the issue of 'password overload' with 80 per cent of respondents needing to use three or more passwords. Furthermore 67 per cent of respondents use passwords across five or more applications while 31 per cent use them to access nine or more applications.

The findings also revealed more companies are now thinking about this problem but are possibly only making more trouble for themselves by doing so.

Sixty-eight per cent of companies surveyed have been requiring employees to use longer or more complicated passwords for more than 12 months now while there has also been an increase in the regularity with which staff must change their passwords.

Almost a quarter (23 per cent) of companies require password changes at least three times a year while 15 per cent of companies insist upon changes at least five times per year. Thirty per cent of organisations require staff to change their passwords at least seven times per year.

But such policy, while suggesting awareness of the risks, can bring its own problems.

Peter Dorrington, director of fraud solutions at SAS, told silicon.com passwords are fundamentally flawed due to their tendency to meet human error in a head-on collision.

"I've heard of companies trying pretty much everything. One firm insisted staff use long complicated passwords which couldn't easily be guessed - combining numbers with upper and lower case letters. The next day they walked around the office and almost everybody's passwords were written on Post-It notes on their monitors because they couldn't remember them."

Of course making it easy to remember tends to make it easier to guess.

SafeNet's Caputo added that while employees writing down their passwords can undermine security and cost a company dear, those employees who favour a 'call the helpdesk' approach to logging-in, having forgotten their password, are similarly putting an unnecessary drain on company resources.

Dorrington told silicon.com his favoured method of authentication is biometrics – such as fingerprint recognition.

"You always have your biometrics with you and they are far more reliable than passwords which can be found out or socially engineered out of you," said Dorrington.

SafeNet is one of many companies offering tokens as well as smartcards for multi-layered authentication.

RSA also offers a number of authentication solutions. A spokeswoman for the company said: "Uptake of two-factor authentication and single sign-on for remote access is definitely increasingly – partly because identity theft is still such a huge issue."

According to RSA, banks in particular are currently tightening up on authentication, with other traditionally less security-minded sectors likely to follow suit further down the line.

"We're also seeing more demand for password management and authentication inside the firewall from companies wanting to enhance security, reduce helpdesk costs, increase end user satisfaction and prove compliance," added the spokeswoman.

This latest survey follows similarly worrying findings in separate research last year which revealed 70 per cent of employees would offer up their password in return for a chocolate bar.