Many people are only used to having one password for their PC and maybe a few on the internet, but those of us working in larger corporations have gotten used to having more and more passwords all of the time. For IT support workers it is even worse, as I know: at my company we have to wrestle with passwords for our old as well as our new Active Directory domain. A report from RSA Security, a large corporate security company, illustrates the problems that people have with passwords.
One quarter of the 1,300 responding business professionals reported password-related security breaches. The study asserts that the burden of multiple passwords poses significant security risks and encourages user behavior that endangers compliance initiatives. Eighteen percent of respondents managed more than 15 passwords, but only 5 percent said they felt they could easily remember that many; 36 percent managed between six and 15 passwords. The majority, 82 percent, expressed frustration with the task of managing passwords at work.
Only 23 percent of U.S. respondents were required to change their passwords regularly, the lowest number among three regions. Thirty-nine percent in the Asia-Pacific region and 34 percent in Europe were required to change their passwords monthly. Most users reported strong password policies at their organizations, with 70 percent requiring passwords between eight and 14 characters using a combination of letters and symbols. 48 percent said their companies did not allow the reuse of old passwords. However, 17 percent said their companies had no password requirements.
This could lead to security issues for these businesses, as people leave but still have access to the old systems using generic accounts.
57 percent of respondents said the desire of their companies to avoid user frustration prevents the organization from requiring frequent password changes or strong password policies.
Two-thirds reported seeing employees keep paper password records at work, but only 13 percent of those surveyed admitted doing so. Fifty-eight percent were aware of employees keeping electronic password records (such as in a spreadsheet), though only 24 percent of workers said they used these themselves. Fifty percent said they knew of employees tracking passwords in a PDA or handheld device and 40 percent had seen the same done using Post-It notes or scraps of paper affixed to workstations.
This again illustrates the need for businesses to find ways to streamline password policies so that users are more careful with passwords to corporate business systems.
More than half (56 percent) of respondents said having a “master password” that replaced all other passwords would be “extremely helpful.” Respondents were not unaware of the impact of passwords on security: 26 percent said they knew of a corporate security breach that had occurred due to a compromised password. Regionally, those in the Asia-Pacific region were most aware (35 percent) while those in the United States were the least (14 percent).
Breaches mentioned included former employees accessing business accounts using their passwords, terminated employees guessing a former manager’s password to gain remote access and an employee altering a coworker’s private human resources file.
The results highlighted the workload burden placed on IT help desks as a result of password-related support requests. Twenty percent said password-related calls constituted between 25 and 50 percent of help desk requests. Larger companies were found to be more burdened by password-related help desk calls than smaller ones.