The average corporate IT user is being asked to remember an increasing number of passwords and is resorting to insecure ways to remember them, thus opening the IT infrastructure to risk and placing a heavy burden on help desks, according to a recent survey.
Conducted for Bedford, Mass.-based authentication and encryption company RSA Security by research group Current Analysis, the survey of 1,700 enterprise technology end users in the U.S. showed 30 per cent of users are required to remember six to 12 passwords at work, and 23 per cent need to remember 15 or more. And to remember them, 25 per cent store a master list on their computer, 22 per cent on a PDA or handheld, and 15 per cent keep a paper list by their desk.
Victor DeMarines, RSA's senior product manager, said the upward trend in the number of passwords wasn't a surprise, but the sheer number the burden has reached was. He added that the results confirmed that compliance audits have pushed companies to tighten their password policies and enforcement, requiring passwords to be changed more often and to be more complex.
“When you contrast that with the number of passwords they’re managing, you can see it becomes a really complex environment for the end user,” said DeMarines.
User angst is simmering, with 88 per cent of respondents rating their password situation as somewhere between somewhat frustrating and very frustrating. And with 82 per cent of users saying that recovering from a forgotten password requires help desk intervention, it's also frustrating for the IT department.
Rather than securing the IT infrastructure, DeMarines said harsher password enforcement is only encouraging risky behaviour, such as lists on PDAs, and companies need to find a balance.
He said companies should look at tweaking their policies, or consider technology answers like enterprise single sign-on (ESSO) that let users access multiple applications through one password.
As Philadelphia law firm Post and Schell began to reassess its physical and IT security procedures to comply with government regulations, chief technology officer Louis Mazzio said it quickly became clear that without help, the situation would become unmanageable for their users.
Mazzio said that as the firm moved to electronic documents it wanted the same security it had with its locked file cabinet room. Using technology from RSA, Mazzio said, each employee now has one smart card bearing their photo that acts as their company ID as well as their building, elevator and office key card. Each computer has an attached card reader, and the card combined with the user's password (something they have plus something they know) gives the user access to the areas of the network they are authorized to use.
Joe Greene, vice-president of IT security research for IDC Canada in Ottawa, said identity and access management are key components to any sound security program. Many people still tend to use simple passwords they can remember, like their kids’ names or birthdays, and he said that can be a problem.
“It drives me nuts, I’ve got I don’t know how many passwords and you can only come up with so many that you can remember and then you’ve got to start writing them down,” said Greene. “But if you have one for everything and someone compromises that, then you’re in trouble.”
Greene said he thinks medium and large companies are starting to pay attention to password security, driven partly by compliance requirements. Depending on the legislation, he said, companies need to know who has access to what information, and to have a paper trail showing it.
“That’s how people are going to start coming to grips with these things,” said Greene. “I think you’re going to start seeing identity and access tools being used for (compliance), and over time, a secondary benefit could be password management.”