
Mind that password… again

on October 16, 2009

Last week I commented on the phishing attack that resulted in more than 10,000 passwords being leaked online. An analysis of the leaked passwords showed that many computer users are more concerned with choosing a password they can remember than with choosing one strong enough to resist guessing and cracking.

Now a new academic study shows that only 4% of corporate IT users stick to the password rules created by IT administrators and clearly defined in their security policies.

The bad news for administrators is that most employees don’t care what the policies say: even when they are forced to use strong passwords (through Windows’ password policy settings), they still leave the password written on a post-it note stuck to the monitor or lying next to the computer.

The research, carried out at the University of Wisconsin-Madison and the IT University of Copenhagen, surveyed 836 employees of a company that handles sensitive information, asking about their use of IT systems.

Over the past few years a lot of attention has been focused on deploying hardware and software to improve computer and information security. There have been massive improvements, but the stark truth is that a single user’s password can make the best-protected system vulnerable.

When employees write down their passwords (usually reused across multiple accounts), leave them on their desk for all to see, and choose passwords straight out of a dictionary, the organization has a problem on its hands.
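The two failure modes above (a policy that is enforced but still yields guessable passwords, and passwords taken straight from a dictionary) are easy to demonstrate side by side. The following is an added example, not code from the original post or from GFI: it approximates the Windows "password must meet complexity requirements" rule and checks the same password against a small constructed wordlist after reversing the mangling rules (trailing year, leet substitutions) that password crackers try first. The wordlist, the substitution table, the minimum length of 8 and the sample passwords are all assumptions made for illustration.

```python
"""Added example (not code from the original post): a Windows-style
complexity check beside a dictionary/mangling check, to show that a
password can satisfy the policy and still be a wordlist entry.
The wordlist, substitution table and sample passwords are constructed
for illustration."""
import re

# Constructed stand-in for a cracker's wordlist; real ones hold millions of entries.
COMMON_WORDS = {
    "password", "welcome", "letmein", "qwerty", "monkey", "dragon",
    "summer", "winter", "company", "admin",
}

# Substitutions that cracking rule sets apply ("leet speak"), reversed here.
LEET = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

# Assumed minimum length. Windows' complexity rule itself only requires 6;
# the length is a separate policy setting, commonly raised to 8.
MIN_LENGTH = 8


def meets_windows_complexity(pw: str, account_name: str = "") -> bool:
    """Approximates 'Password must meet complexity requirements':
    not shorter than MIN_LENGTH, not containing the account name
    (case-insensitive, names of three or more characters), and drawing
    from at least three of four classes: upper, lower, digit, other."""
    if len(pw) < MIN_LENGTH:
        return False
    if len(account_name) >= 3 and account_name.lower() in pw.lower():
        return False
    classes = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return sum(classes) >= 3


def candidates(pw: str) -> set:
    """Base words a cracker's mangling rules would recover from pw:
    lower-cased, with trailing digits/symbols dropped ('Welcome2009!'),
    leet substitutions reversed ('P@ssw0rd'), and non-letters trimmed
    from both ends ('!Password!')."""
    base = pw.lower()
    no_suffix = re.sub(r"[^a-z]+$", "", base)
    found = set()
    for s in (base, no_suffix):
        for t in (s, s.translate(LEET)):
            found.add(t)
            found.add(re.sub(r"^[^a-z]+|[^a-z]+$", "", t))
    found.discard("")
    return found


def is_dictionary_based(pw: str, words=COMMON_WORDS) -> bool:
    """True when any recovered base word is in the wordlist."""
    return any(c in words for c in candidates(pw))


def assess(pw: str, account_name: str = "") -> tuple:
    """Returns (passes complexity policy, is really a dictionary word)."""
    return meets_windows_complexity(pw, account_name), is_dictionary_based(pw)


if __name__ == "__main__":
    # Constructed samples: the first four pass the policy, three of them are wordlist entries.
    samples = [("Password1!", ""), ("P@ssw0rd", ""), ("Welcome2009!", ""),
               ("Xq7#vL2pR9", ""), ("jsmith2009!", "jsmith"), ("letmein", "")]
    print(f"{'password':14} {'policy':8} dictionary")
    for pw, user in samples:
        ok, weak = assess(pw, user)
        print(f"{pw:14} {'pass' if ok else 'FAIL':8} {'yes' if weak else 'no'}")
```

The point of the table it prints is that "Password1!", "P@ssw0rd" and "Welcome2009!" all satisfy the complexity rule yet fall to a wordlist plus a handful of mangling rules in the first seconds of a cracking run; a complexity policy on its own measures character classes, not guessability. In practice the wordlist check would be run against a large leaked-password corpus rather than the ten-word set used here.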

The problem, I believe, is that computer users do not bother with strong passwords because they don’t understand what all the fuss is about. So what if their work credentials are the same as those for their Yahoo! mail, their MSN account, their online banking account and the two or three social networks they use? So long as the password can be remembered, they are happy.

With social engineering becoming an art form in itself, the risk of identity theft is extremely high. If an employee uses a single password for every account and that password is discovered (last week’s phishing attack showed there are no guarantees), what is to stop someone from finding out where the employee works and using those same credentials to enter the corporate network? Far-fetched? I don’t think so.

One positive that can be taken from the survey is a strong correlation between password strength and user type: stronger passwords were used by those with considerably more experience. This suggests that with proper training and awareness people can change their habits.

Then again, weak passwords were already a documented problem among UNIX users in 1979, when Morris and Thompson’s “Password Security: A Case History” found that the large majority of the passwords they examined were short, dictionary words, or otherwise easily guessed.

Is the battle lost? Not really, but it means that security cannot be taken for granted despite advances in technology. Humans, and the way they interact with machines, remain the weakest link in security.

About the Author:

David Kelleher is Director of Public Relations at GFI Software. With over 20 years’ experience in media and communications, he has written extensively for business and tech publications and is an editor and regular contributor to Talk Tech to Me.

Comments
John Mello October 19, 2009 4:50 pm

The fact of the matter is that to most users secure passwords are just too inconvenient to deal with. Moreover, the sheer volume of passwords imposed on users militates against them creating unique and secure passwords constantly. What’s needed is some kind of USB solution that will generate secure passwords with minimal user interaction. The solution should include some kind of “cloud” component so that the contents of the USB device are backed up whenever the data on it changes, so if it’s lost or corrupted, it can be restored with a minimum of pain. Only by removing the demand on users to memorize and create secure passwords will the use of secure passwords actually occur.

David Kelleher October 20, 2009 1:12 pm

Hi John. Interesting idea. My only concern would be users’ ability to lose the USB stick. The solution would have to be such that even in the event that the drive is lost, it is useless to the person finding it. I believe that so long as there is a human at the end of the process there are always going to be security issues. In your scenario, though, the risks would be much lower.