Too Many Passwords?
Posted by Lance Koonce
RSA Security today released the results of a survey of 1700 technology end users in the United States about their password management habits. The results suggest that having to juggle multiple passwords causes users to compensate with risky security techniques such as listing passwords on post-it notes (you know who you are) or on computer spreadsheets, and also creates a drain on productivity by taxing the resources of IT help desks. Corporate requirements for frequent password changes further exacerbate the problem.
The survey found that nearly a third of all respondents must keep track of at least six passwords, and a significant portion of respondents reported keeping track of a dozen or more. Unsurprisingly, fully 88 percent reported frustration with this problem.
So, what's the solution? The RSA survey asked users about the possibility of a "master password", which may indicate one direction that RSA believes might offer relief. But respondents were justifiably concerned about implementing such a system without extra levels of security. It's the age-old problem: providing a single key limits complexity and also limits the number of access points, but what happens when you lose the key?
Perhaps what's needed in the workplace, at least in part, is more attention to the relative importance of security protocols for different systems, so that not every door requires a different password -- remember, not every door hides sensitive material. But for very sensitive databases and systems, until biometrics or another protocol becomes more practical, the very fallible human memory for passwords, and its IT help desk backup, will likely have to do.
This problem has been exacerbated by the SOX initiatives in public corporations. Prior to this, many corporations were not forcing password changes as often or at all. As the auditors go through, more and more systems are included in their scope and the password policy must be applied to each one. This seems to force a consolidation effort with LDAP or some type of Identity Management or SSO solution to reduce the complexity to the end user. The more strict the password policy and the harder it is for users to manage, the more passwords you'll find written on post-it notes, which in the end achieves the exact opposite of the intended result of the policy.
I would argue that the "one password" or "single sign-on" issue isn't one of what happens if you lose the one master key so much as what happens when someone else finds it.
In our line of work (education) we find that there are too many layers of security, but too many laws requiring that we be so thorough. So our systems each have their own security, from network access to student data to financial systems.
And the folks that work here are all supposed to be well educated, but it makes no difference. Either they use the same password everywhere, or they write them down and put them on their monitor, or in the desk, or in their planner.
Personally, I use a single password for as many applications as I can within one zone of security. For example, I use one password for most of the web page or form registrations that I do. If anyone finds out one of these passwords, they could conceivably get into all of my accounts, as they generally have the same username/password combination. For anything more important to me, I use a different password. For example, my hotmail password is different than my normal web password. My bank password, workplace password and school registration passwords are also different.
As a help desk tech, I find that when the same users call each and every day because they can't remember the eight characters (letters AND numbers, of course) that we helped them set their password to the day before, we're even willing to bend the rules a little bit, making their passwords their name with a number at the end, or their birthday (jun241979). I even had someone call recently who didn't have a password set for their Windows login. On her administrator account. She was shocked when I told her her computer was riddled with viruses and spyware. "How did this happen?" she wondered.
I think an equally important item to teach users is why passwords are important, not just how to remember their passwords. Passwords allow them (the users) access to likely private and often personal information that others should not be able to get to. Weak passwords and, just as important, keeping them private are two of the biggest concerns that face public industries today.
Where I work, I'm required to remember over 23 different passwords for various accounts. This doesn't include home accounts for email or logging on to my computer. At first, I was trying to use the same password across the board, but now each system is being updated with different password rules. This one wants no more than two of the same digit but no special characters, that one wants at least one special character and one capital letter, etc. So, now, I've got well over a dozen variants on the same theme.
Everyone I work with stores their passwords in a file on their computer. I've resorted to the same. Not to mention, the pure frustration has caused me to start dumbing down my passwords more and more.
At the organisation where I work we have a system called the Accesslink system... You have what we dub the "calculator" on you at all times, as it is also used as a name badge and passcard; then you enter your PIN number and it generates a password... I have found this system to be fantastic... one number but high security... and each number generated is only valid for 3 minutes...
