Last week I commented on the phishing attack that resulted in more than 10,000 passwords being leaked online. An analysis of the passwords showed that many computer users are more concerned with choosing a password that they can remember rather than one that is strong and reduces the risk of it being hacked.

Now a new academic study shows that only 4% of corporate IT users stick to password rules created by IT administrators and clearly defined in their security policies.

The bad news for administrators is that the majority of employees don’t care what the policies say, and even if they are forced to use strong passwords (through Windows’ security policies) they still leave the password written on a post-it note stuck to the monitor or next to the computer.

The research, carried out at the University of Wisconsin-Madison and the IT University of Copenhagen, looked into the password habits of 836 employees at a company that handles sensitive information, examining how they used its IT systems.

Over the past few years a lot of attention has been focused on deploying hardware and software solutions to improve computer and information security, and while there have been massive improvements, the stark truth is that a single user’s password can make the best-protected systems vulnerable.

When you have employees writing down their passwords (usually the same password used for multiple accounts), leaving them on their desk for all to see, and choosing passwords straight out of a dictionary, then that organization has a problem on its hands.

The problem, I believe, is that computer users are not bothered with strong passwords because they don’t understand what all the fuss is about. So what if their work credentials are the same as those used for their Yahoo! mail, their MSN account, their online banking account and the two or three social networks they use? So long as the password can be remembered, they are happy.

With social engineering becoming an art form in itself, the risk of identity theft is extremely high. If an employee uses a single password for every account he or she has and that password is discovered (last week’s phishing attack showed that there are no guarantees), what is there to stop someone from finding out where they work and using those same credentials to enter the corporate network? Far-fetched? I don’t think so.

One positive that can be taken from the survey is that there is a strong correlation between weak passwords and user type. Stronger passwords were used by those with considerably more experience. This could indicate that with proper training and awareness people can change their habits.

Then again, weak passwords were already a problem for UNIX users in 1979.

Is the battle lost? Not really, but it means that security cannot be taken for granted despite advances in technology. Humans, and the way they interact with machines, remain the weakest link in security.