
1/3 of Workers Write Down Passwords

By Ed Oswald, BetaNews

October 18, 2006, 1:13 PM

A new study released Tuesday indicates that corporate employees are compromising security through poor password practices: over one-third either electronically record or write down their passwords, which suggests that strategies that rely on password complexity alone to keep data safe may be a waste of time.

Because so many are writing down passwords rather than committing them to memory, "it's like leaving the key under the mat or in the flower box," Nucleus Research senior analyst David O'Connell said. "Companies looking to ensure security should look beyond passwords to other authentication strategies."

Of those who write down their passwords, two-thirds store them on either a mobile device or a PC.

Nucleus said that people were writing these passwords down regardless of their complexity, making most companies' password security strategies useless. Thus, it said, single sign-on is as effective as more complex schemes.

"These findings are very relevant to the individuals searching for security solutions," said Rachel Spasser, senior vice president, Business Planning and Corporate Development, KnowledgeStorm. "They should be taken into consideration in the selection process when companies are looking to implement an effective security solution."

41 Comments

By PC_Tool

posted Oct 20, 2006 - 8:47 AM

What really gets me is why they need to write it down when it's, "password". :p

Score: 0

By rykheer

edited Oct 20, 2006 - 3:23 AM

Part of the problem is that institutions enforce passwords in a certain format, or they simply provide the password without allowing the user to change or persist it. This leaves users with passwords that are difficult to remember and probably also need to be changed often. The only solution for users then is to record their passwords somewhere.

Another problem is that, even though it is never in writing or officially required, users are often required to make their passwords available to bosses, managers, team leaders and even co-workers. This often happens when a user is on holiday, sick or just not available while the workplace experiences some kind of emergency and requires access to information. It is also kind of expected of users to have their passwords stored beforehand for someone to find in case of emergencies.

Network and system administratorship is also often a title given to someone who performs other tasks within the company, and no one takes it seriously, at least not for maintaining security. Besides, the boss can of course always override security in 'emergencies'.

Old bank safes have a simple but very effective system: two people, each with his own key, are needed to open the safe door. If this is implemented, some of the above issues can be addressed successfully and in a gracious manner. Keep things simple!

Score: 0

By sst

posted Oct 19, 2006 - 4:15 PM

If the PhDs want to study password security, find out how many people can remember exactly an eight-digit string. Ten of them, related to the logon site. After a week, two weeks.
I must resort to writing them down: 45 sites (including BetaNews).
Also, not being able to guarantee 100% security of my computer information, they are not there, don't bother looking. The only one there is my logon password, which the OS keeps.
If you want the list you'll have to access the paper copy on my desk, not the convenience of worms, agents, and robots.

To each their own,

Score: 0

By sst

posted Oct 19, 2006 - 5:41 PM

Just remembered an old(?) method for security. Logging on to the university computer, I was told when my last login was successful, and when it was last attempted and failed. No, it doesn't keep them out, but it sure lets you know when someone tried!

Score: 0
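The notice the commenter describes (last successful login, last failed attempt) is cheap to implement and is a real detection signal for the account owner. Below is an added example, not the university system's code: a small authentication store that records both timestamps per account and reports them on the next successful login. PBKDF2-HMAC-SHA256 stands in for whatever hash the real system used, and the user names and unix timestamps are constructed for the demo.

```python
"""Tell the user, at login, when they last logged in and when someone last failed.

Added example, not the commenter's university code. Accounts live in an
in-memory dict; PBKDF2-HMAC-SHA256 is assumed for the password hash, and
all user names and timestamps (unix seconds) are constructed test data.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    last_success: Optional[int] = None   # unix seconds of last good login
    last_failure: Optional[int] = None   # unix seconds of last bad attempt
    failures_since_success: int = 0


@dataclass
class LoginResult:
    ok: bool
    prev_success: Optional[int] = None   # value before this login updated it
    failed_since: int = 0
    last_failure: Optional[int] = None

    def banner(self) -> str:
        """The text shown after a successful login (like the old university system)."""
        if not self.ok:
            return "Login incorrect."
        fmt = lambda t: time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(t))
        when = "never" if self.prev_success is None else fmt(self.prev_success)
        lines = [f"Last successful login: {when}"]
        if self.failed_since:
            lines.append(f"{self.failed_since} failed attempt(s) since then, "
                         f"last at {fmt(self.last_failure)}")
        return "\n".join(lines)


def _hash(password: str, salt: bytes) -> bytes:
    # Assumed parameters; a real deployment tunes the iteration count to its hardware.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_DUMMY_SALT = bytes(16)   # used so unknown users cost the same time as wrong passwords


class AuthStore:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[name] = Account(salt=salt, pw_hash=_hash(password, salt))

    def login(self, name: str, password: str, now: Optional[int] = None) -> LoginResult:
        now = int(time.time()) if now is None else now
        acct = self.accounts.get(name)
        if acct is None:
            # Same answer and same hashing cost as a wrong password, so user
            # names cannot be enumerated by response or timing.
            _hash(password, _DUMMY_SALT)
            return LoginResult(ok=False)
        if not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.last_failure = now
            acct.failures_since_success += 1
            return LoginResult(ok=False)
        result = LoginResult(ok=True, prev_success=acct.last_success,
                             failed_since=acct.failures_since_success,
                             last_failure=acct.last_failure)
        acct.last_success = now
        acct.failures_since_success = 0
        return result


if __name__ == "__main__":
    store = AuthStore()
    store.add_user("sst", "correct horse battery staple")
    store.login("sst", "correct horse battery staple", now=1_161_200_000)
    store.login("sst", "password", now=1_161_203_600)    # someone guessing
    store.login("sst", "password1", now=1_161_203_660)
    print(store.login("sst", "correct horse battery staple", now=1_161_210_000).banner())
```

The counter is reset only on a successful login, so a user who sees "2 failed attempts since then" and did not make them knows to report it; the failures should also go to the server log, since the owner is not the only party who needs to notice.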

By FastPass

edited Oct 19, 2006 - 4:32 AM

This quote from above is about as naive as they come:
"Companies looking to ensure security should look beyond passwords to other authentication strategies."
Most strong authentication technologies, and in particular OTP [one-time passwords], don't work when a user is disconnected. This is one reason passwords are likely not going away: users want to be able to work in hotel rooms, airports, their back yard, etc., often away from wired or wireless access. In these cases, a central server is unable to authenticate the user, but a locally cached password still works.

You should also be reminded that in multifactor authentication one of the factors is frequently a password, something that won't disappear for a while. So when most security experts recommend doing away with passwords entirely, they should re-think and amend that to a recommendation to do away with passwords as the sole method of authentication.

The problem is not the legislation but the culture of the organizations who have been either negligent or too bone idle to take data protection seriously.
(Some content courtesy of an article in Network World last week.)

Score: 0

By loosegroove

posted Oct 18, 2006 - 10:15 PM

Not allowing users to write down a password can (and does) lead to insecure, guessable passwords. When I need to change my company password, I generate a long, non-guessable password, write it down and keep it in my wallet.

I keep my credit cards, debit cards, personal ID, etc. in my wallet and I keep it secure on my person. I am more concerned with someone stealing my *personal* credit cards than my *company* password, so any password I write down benefits from the same security. Plus, my password is a jumbled mess of characters that means nothing. Even if someone got my wallet, they have no idea where I work, what the password's for or that it's even a password. Besides, they are more interested in the credit card than a string of characters on a piece of paper.

I see nothing wrong with providing users with a password generator that creates strong passwords and allowing them to write them down. It sure beats using the same password over and over again just adding a number to the end of it each time it's changed.

Score: 0

By markadmin

posted Oct 18, 2006 - 6:44 PM

Users need to be informed. Most see nothing wrong with writing their passwords down.

Score: 0

By foxfyre

edited Oct 18, 2006 - 7:51 PM

You are right. That is the purpose of clear concise policies and procedures that each employee is required to read and acknowledge in writing or by online digital signature.

Not only must the policies and procedures be in place that represent the totality of the business process, they must be effectively communicated and made accessible to the employees, and the employees required to read them and 'sign'. And they must be effectively implemented with granular accountability.

Score: 0

By Mark Gillespie

posted Oct 18, 2006 - 5:49 PM

Blame Sarbox... They make American companies, and any companies that trade on the US stock market comply with Sarbox requirements, including complex passwords.

The problem of course, is the more you enforce how complex a users password is, the more likely they are to write it on a post-it and stick it on their monitor.

Sarbox would have been better off leaving it alone, it's now worse than ever...

Score: 0

By foxfyre

edited Oct 18, 2006 - 7:47 PM

Complete and utter nonsense. SOX and HIPAA in the US have forced many companies who were negligent and not following already established best practices to establish accountability and clear, concise verifiable policies and procedures for which all are held accountable.

The tragedy is that it took such radical abdications of responsibility and such failures in business to stimulate the passage of such legislation.

And using single strong passwords is not compliant with current best practices! As already acknowledged, this approach causes more problems than it solves! So if you want to complain about its use, you are complaining about a company that is NOT following the current best practices demanded by SOX, HIPAA, ISO 17799 etc. protocols.

Score: 0

By Keith Lard

edited Oct 22, 2006 - 5:41 PM

I assume, by your response, you work for a company or department that benefits and makes money from the sarbox regulations.... Everyone else thinks they are a joke, and focuses on the easy fixes, rather than the real problems...

Score: 0

By arq_carlos1

posted Oct 18, 2006 - 4:47 PM

I use Diceware: easy (although not at the beginning), up to 128 bits of entropy, according to them many thousand years to crack a password. And you just need some dice (even one is good, but it needs more time). Multiplatform (no ASCII characters > 127). Just follow the instructions and it delivers strong pwds.

I have dozens of sites which need pwds and I'm using just 3 or 4 passwords for all. I'm not trying to challenge anybody, but I feel safer than before.

Score: 0
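Both loosegroove's generator-plus-wallet approach earlier in the thread and the Diceware passphrases in this post rest on the same arithmetic: the entropy of a password is the number of equiprobable choices per symbol times the number of symbols. The following added example (not the commenter's code and not the Diceware project's; the real 7776-word list is not embedded, so a constructed 36-word list stands in for generation while the entropy figures use the real list size where stated) generates both kinds of secret with Python's `secrets` module, computes their entropy, and turns "many thousand years" into a number for an assumed guess rate. The guess rate and the sample list are this example's assumptions.

```python
"""Strong-password generation and entropy accounting.

Added example; not code from the thread or from the Diceware project.
The 7776-word Diceware list is not embedded, so a constructed 36-word
list (two dice per word) stands in; entropy is computed from the list
size actually in use so the figures stay honest.
"""
import math
import secrets
import string

DICEWARE_WORDS = 6 ** 5                  # size of the real Diceware list (7776)
SECONDS_PER_YEAR = 365.25 * 24 * 3600
DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed stand-in word list: 36 entries, indexed by two dice (6**2).
SAMPLE_WORDLIST = [
    "ant", "bark", "cold", "dune", "echo", "fern", "gate", "hill", "iron",
    "jade", "kelp", "lamp", "moss", "nail", "oak", "pine", "quilt", "rust",
    "sand", "tide", "urn", "vine", "wolf", "yarn", "zinc", "arch", "bolt",
    "cave", "drum", "elm", "fog", "gull", "hawk", "isle", "jar", "kite",
]


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `choices` options."""
    return length * math.log2(choices)


def words_needed(target_bits: float, list_size: int = DICEWARE_WORDS) -> int:
    """Fewest Diceware words that reach `target_bits` (128 bits -> 10 words)."""
    return math.ceil(target_bits / math.log2(list_size))


def years_to_bruteforce(bits: float, guesses_per_second: float) -> float:
    """Expected years to find a `bits`-entropy secret, searching half the space."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


def diceware_index(roll: str) -> int:
    """Map a dice roll such as '12345' to a 0-based index (base-6, digits 1..6)."""
    idx = 0
    for ch in roll:
        d = int(ch)
        if not 1 <= d <= 6:
            raise ValueError(f"bad die value {ch!r}")
        idx = idx * 6 + (d - 1)
    return idx


def diceware_passphrase(n_words: int, wordlist=SAMPLE_WORDLIST) -> str:
    """Roll as many dice per word as the list size needs and pick the words."""
    dice = round(math.log(len(wordlist), 6))
    if 6 ** dice != len(wordlist):
        raise ValueError("word list size must be a power of 6")
    words = []
    for _ in range(n_words):
        roll = "".join(str(secrets.randbelow(6) + 1) for _ in range(dice))
        words.append(wordlist[diceware_index(roll)])
    return " ".join(words)


def char_password(length: int = 16, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Random characters from the 94-symbol alphabet (about 6.55 bits each)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print(words_needed(128), "real Diceware words give",
          round(entropy_bits(DICEWARE_WORDS, 10), 1), "bits")
    print("16 random chars:", char_password(), round(entropy_bits(94, 16), 1), "bits")
    print("4 sample-list words:", diceware_passphrase(4),
          round(entropy_bits(len(SAMPLE_WORDLIST), 4), 1), "bits")
    # Assumed attacker: 1e12 guesses/s against a fast unsalted hash.
    print("years for 128 bits at 1e12/s:", f"{years_to_bruteforce(128, 1e12):.2e}")
    print("years for 40 bits at 1e9/s:", f"{years_to_bruteforce(40, 1e9):.2e}")
```

The entropy figure is only valid when every choice is made by the dice or by `secrets`; a user who rerolls words they dislike, or who reuses the same three or four secrets across dozens of sites, has reduced the effective space well below what the arithmetic says.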

By foxfyre

posted Oct 18, 2006 - 7:44 PM

Many thousands of years? Even AES (the most rigorous algorithm in use and now the standard for the government) is estimated to be cracked in ~60-some years with technology already 4 years old.

Score: 0

By GhoS

posted Oct 18, 2006 - 3:15 PM

The problem for me at work is I need a separate password for a few different things. I try to keep them similar, but they request a change every 90 days and they change at different times.
I find online passwords don't follow the same rules as well, so often, to make memory easier, one will use the same password at many places; however, that doesn't work because of different rules on length or content.
I'm not surprised this is a problem.

Score: 0

By Joco

posted Oct 18, 2006 - 3:11 PM

Not everyone knows how to ski; the same goes for pwd usage. It requires some kind of training to have a good password strategy. The majority of people won't intuitively have a good way to "design" their pwd and how to remember it.

One of the easy ways is to use a pwd manager. I recommend the EXCELLENT KeePass (freeware, open source):
http://keepass.sourceforge.net/ And of course, you will need to protect your pwd file with a very strong pwd.

Other ways to remember complicated pwds: combine two halves of two words and prefix/suffix them with some salts. Or choose keys which form a shape on the keyboard.

Score: 0

By GCoder

posted Oct 18, 2006 - 3:08 PM

Well, DUUUUUUUUUUUUUUUUUUH!

when we have 100 passwords to 100 different things...

Score: 0

By AlanRivaldo

posted Oct 18, 2006 - 2:50 PM

By the way, just in case anyone was curious, my password is P-A-S-S-W-O-R-D. Just figured that I'd store it here for convenience.

Score: 0

By GS5

posted Oct 18, 2006 - 2:50 PM

Which means 1/3 of the people out there are too stupid to remember their passwords.

Score: 0

By twosheds

posted Oct 19, 2006 - 5:02 AM

ertgdhh&*%345343dfggdg8399938/???

Multiply that by 10 for various accounts, all as arcane, secure and 'easy' to remember. You have 1 minute to memorise this password starting now....

Score: 0

By foxfyre

posted Oct 18, 2006 - 2:19 PM

This is old news. In terms of its timeliness, this debate over weak/strong passwords and single versus multi-factor authentication occurred several years ago.

Score: 0

By idondon

posted Oct 18, 2006 - 2:08 PM

It's OK to write down your password as long as you keep it secure.

If you tell users to remember the password and not write it down, they use a weaker password.

We always tell our users to use a strong password, write it down and keep it secure.

Score: 0

By foxfyre

edited Oct 18, 2006 - 2:18 PM

I hope that you folks are not subject to a SOX, HIPAA, ISO 17799 or any other security compliance audit!

Score: 0

By idondon

edited Oct 18, 2006 - 2:09 PM

sorry double post

Score: 0

By Grazer

edited Oct 18, 2006 - 1:43 PM

Of those who write down their passwords, two-thirds store it on either a mobile device or on a PC.

And the other 1/3 stick it to their monitor with a post it (some are a little better and put it under their keyboard).

Score: 0

By foxfyre

posted Oct 18, 2006 - 2:16 PM

This also illustrates that the place where they are doing this has absolutely no policies and procedures in place nor in force.
Password management is not a panacea nor a substitute for policy and procedures...and their reasonable enforcement!

Score: 0

By Grazer

posted Oct 18, 2006 - 2:26 PM

There were policies, but the department making the policies had no real authority. (University IT Dept. Couldn't tell any other dept what to do, only clean up the aftermath; they usually listened after they got burned. Ironically, the CS dept was the worst. They wouldn't let anyone run as admin, so machines hadn't been updated in years.)

Score: 0

By foxfyre

edited Oct 18, 2006 - 2:59 PM

Then they did not have policies by the definition of what a security policy is as defined by ANY of the certifying standards, be it COSO, COBIT, HIPAA or SOX, etc.

Policies are not only stated and communicated, they are enforced at ALL levels of the organization. And yes, that also includes the CEO or their equivalent. It is one of the few fun aspects of the beast.

If not, they are meaningless hearsay.

Funny, so in light of that, who is responsible for viruses infecting systems?

Score: 0

By Bobbitchin

posted Oct 18, 2006 - 3:58 PM

"Funny, so in light of that, who is responsible for viruses infecting systems?"

At our company several years ago our then self-proclaimed Chief Security Officer infected the entire company with the "I Love You" virus!

Score: 0

By Grazer

edited Oct 18, 2006 - 3:21 PM

The department heads and their politics, and the users who want free screensavers or money-saving toolbars. Of course, I am talking about user systems, the server racks were well taken care of and protected.

Score: 0

By foxfyre

posted Oct 18, 2006 - 7:38 PM

A site such as you describe is one that not only is not in compliance with any 'modern' security standards, but is quite out of control.

The interesting thing now is that the failure to do so also involves legal exposure. No longer is it simply a matter of 'oops!' and someone in IT being sacrificed.

The simple answer that has unfortunately required legal action to institute is for a comprehensive framework to be established, which begins with policies and procedures. In such a scenario you do not have individuals doing as they please and systems lacking coherent change management. Nor do you see secretaries assuming the role of the CEO.

Score: 0

By foxfyre

edited Oct 18, 2006 - 1:40 PM

The irony is that after so many years of trying to get folks to use single-factor 'strong' passwords, and while many are finally doing this, the trend has reversed, recommending multi-factor authentication using weak passwords/phrases that are easily remembered and meaningful to the user, combined with an additional factor such as an RFID key, biometric ID, RSA dongle, etc.

It turns out that half to 2/3 of the helpdesk time is spent performing password administration for strong passwords that cannot be remembered! IP3 has done a lot of research into this phenomenon. And not only is it a major expense, but it is a major vector for incursion, as it becomes the norm for people to call to have their passwords reset, and this is often done via the phone, where anyone can potentially spoof another.

Oh, and regarding the figure 1/3... I would posit that the figure is actually much higher in high-security facilities, where unique passwords that do not exist in dictionaries (including those of other languages), combined with password aging and the inability to reuse passwords that can be remembered, result in incomprehensible passwords that are almost impossible to remember. I know: working in such a facility resulted in spending up to an hour simply trying to find a password that would pass the screening criteria, only to end up with a password that was utterly meaningless to me. And with 100 various passwords, many of which were equally obtuse, it was absurd to try to memorize all of them.

Multi-factor authentication eliminates that single point of 'compromise' and results in passwords that can be remembered by the individual.

Score: 0

By Grazer

posted Oct 18, 2006 - 1:52 PM

How can you be so coherent here, yet so raving in the other thread?

Score: 0

By foxfyre

posted Oct 18, 2006 - 2:13 PM

Obviously raving is what someone does if they don't agree with the continuous infantile 'whose OS is best' tirades.
There must be one somewhere on the site as we speak that you can find...

Score: 0

By jshurst

edited Oct 18, 2006 - 2:35 PM

Wow, I'm impressed, not a single exclamation point in your response.

On to the topic at hand...
All companies should have standards for employees to follow from the moment they are hired. Perhaps provide them with a password safe, or an easy method of reseting their passwords if they are forgotten. Nobody can be expected to remember all of their passwords.

Score: 0

By foxfyre

posted Oct 18, 2006 - 3:02 PM

I write as I do on paper. I don't give a sh!t about your adolescent chat room protocols where caps are screaming, etc.

But I guess you are lost without your emoticons and smiley faces.

Caps or exclamation points or question marks are for simple emphasis. If they make you apoplectic, well, tough sh!t. Got problems with that exclamation mark???

Score: 0

By GordieT

posted Oct 18, 2006 - 1:31 PM

one word "biometrics"

Score: 0

By Frostek

posted Oct 18, 2006 - 2:08 PM

Here's a thought.

When someone compromises your biometric information, how are you going to handle it? By changing your fingerprints / retina and voice?

Yes, biometrics are not undefeatable, just in case you were under that impression.

Score: 0

By GordieT

posted Oct 18, 2006 - 2:32 PM

I didn't mean to imply this as a stand alone solution. The point I meant to make is that people record their passwords because they forget them. It's kind of hard to forget your finger print.

Score: 0

By foxfyre

posted Oct 18, 2006 - 2:14 PM

Easy!
You don't make any single factor paramount!
That is the point of Multi-factor authentication!

Score: 0

By BklynKid

posted Oct 18, 2006 - 1:29 PM

Idiots...

Score: 0

By mjm01010101

posted Oct 18, 2006 - 1:18 PM

I've seen this first hand. The hilarious thing is companies like RSA that sell crypto cards: the users just end up writing the password(s) on sticky notes on the card itself.

Score: 0