In-Depth

Preventing Risky Password Practices

Users hate passwords, and it shows.

• By Mathew Schwartz
• 10/11/2005

For almost 90 percent of workers, work passwords are a frustrating experience, and for 17 percent they’re “highly frustrating.” So say 1,685 enterprise technology end users in the United States, according to a recent survey conducted by RSA Security.

The survey shows the password problem is one of quantity. Thirty percent of respondents have between six and 12 work passwords, and 28 percent of users have 13 or more passwords. While single sign-on technology can help reduce the number of passwords to one, the survey found most organizations don’t have such technology.

Regulations may be partly to blame for password woes. “Compliance initiatives have led companies to enforce and strengthen password policies, which has resulted in additional burdens for the end user, such as requiring that employees change passwords more frequently, or leverage very difficult to remember passwords,” notes Andrew Braunberg, a senior analyst at research firm Current Analysis. “Paradoxically, password policies that are not user-friendly spur risky behavior that can undermine security.”

The survey illustrates this: One in five users admits to recording passwords on a PDA or other handheld device, 25 percent write them down in a spreadsheet or other PC file, and 15 percent commit passwords to paper, which they then store in their office or workspace.

User-unfriendly password policies also “raise IT help desk costs as companies allocate more resources to password resets,” says Braunberg. At 82 percent of organizations, a help-desk employee must involve an IT employee to effect the password reset.

Also factor in end users’ lost time. The average end user waits less than 15 minutes to get a password reset, but at 11 percent of organizations, it takes an average of an hour, and at six percent of organizations, the wait averages over an hour.

Evaluating Single Sign-On

One solution for having too many passwords is to implement single sign-on technology, defined by the survey as “technology that offers the ability to use one set of credentials, a username and password for example, to authenticate and access information across multiple Web sites and applications.” Only 28 percent of respondents report they have it. Given all of the problems inherent in having too many passwords, and users’ related frustration, it’s perhaps no surprise that many companies with leading-edge information security programs now employ single sign-on technology. For example, in a recent Aberdeen report which analyzes six organizations with best-practice security and access controls, analyst Jim Hurley notes “most of these sites are using role-based access controls,” including such things as single sign-on, password management systems, and automated user provisioning.

While such software can help, it’s not an instant fix. For example, for one health care organization profiled in the report, “one of the lessons the organization learned is to not underestimate user-training requirements,” says Hurley. “Despite delivering training, notifications, and more training, the IT organization still finds itself in the business of holding hands for people who are being forced to change old habits regarding how they interact with computer systems.”

Related Articles

Q&A: Harnessing Trusted Computing Modules
http://esj.com/Security/article.aspx?EditorialsID=1517

Q&A: Are Fingerprints the Next Smart Card?
http://www.esj.com/Security/article.aspx?EditorialsID=1440