Tuesday January 06, 2009

Strong Passwords Might Decrease Security

It sounds counterintuitive, but the reason strong passwords can actually decrease network security is quite simple.

A computer user can reasonably be expected to remember one strong password. “H6u;Y0nc” is a lot more cumbersome than “password,” but after a little practice the user’s muscle memory takes over and the odd password flies off the fingertips. Strong passwords take a little while to master, but they’re a lot harder for a hacker to guess!

The trouble is that most users don’t have to remember just one password. Over half of all respondents to a recent survey of IT professionals said the average employee is required to remember three to five passwords, with an additional 26 percent saying the number ranges from six to ten or more.

This is where a strong password policy collides with user reality, and the result is password fatigue.

Nobody’s going to remember “H6u;Y0nc,” “&23cDi_,” “JUS&()*,” “Q^SD3;L” and “)*S&D)L,” let alone which password goes with which application. This is especially true for applications that are used only occasionally. Users simply aren’t going to remember all that, which means they’ll take shortcuts, like:

  • Write down their password in an insecure location (66 percent of respondents report the "yellow sticky note" problem),
  • Use the same password for several different accounts,
  • Share passwords with co-workers, or
  • Use passwords that are easy to remember – but easy for a hacker to guess.

This is the paradox of password security. Passwords are more effective when they’re “strong” – i.e., when they use a hard-to-guess sequence of upper- and lower-case letters, numbers and symbols – but it’s unrealistic to expect most users to remember several strong passwords.

Practically speaking, the network may be more secure with a slightly enhanced version of “password” – say, “p@$$word” – than with a “strong password policy” that results in passwords written on slips of paper pinned to the cork board. One caveat: character substitutions of this kind add very little real strength, because password-cracking tools apply them as standard rules to every word in a dictionary. The argument is about what users will actually do, not that “p@$$word” is hard to guess.
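To make the trade-off concrete, here is an added example (not code from the original article or from Siber Systems): a tiny rule-based mangler of the kind password-cracking tools run over a wordlist, applied to a constructed five-word list, compared with the guess space of a random 8-character password such as “H6u;Y0nc”. The substitution table, wordlist and suffix rules are assumptions chosen for illustration; real rule sets and wordlists are far larger.

```python
"""Why "p@$$word" is not meaningfully stronger than "password".

Added example, not part of the original article.  A small leet-style
mangler is run over a constructed wordlist and counts how many guesses
it takes to reach a target; the same count is compared with the size of
the guess space for a randomly generated password.
"""
import itertools
import math
import secrets
import string

# Character substitutions every cracking rule set knows about.
# Constructed subset for illustration; real rule files are much bigger.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}

# Constructed wordlist; real ones hold millions of entries.
WORDLIST = ["password", "welcome", "letmein", "monkey", "dragon"]

# Alphabet a generator picks from: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def mangle(word):
    """Yield every variant of `word` with any subset of LEET substitutions
    applied, each followed by case variants and common digit/symbol suffixes."""
    options = [[c] + list(LEET.get(c, "")) for c in word.lower()]
    for combo in itertools.product(*options):
        base = "".join(combo)
        for cased in (base, base.capitalize(), base.upper()):
            yield cased
            for suffix in ("1", "!", "123"):
                yield cased + suffix


def guesses_until(target, wordlist=WORDLIST):
    """Return the 1-based guess number at which the mangled wordlist hits
    `target`, or None if it is never produced."""
    n = 0
    for word in wordlist:
        for guess in mangle(word):
            n += 1
            if guess == target:
                return n
    return None


def guess_space(length, alphabet=ALPHABET):
    """Number of equally likely candidates for a random password of
    `length` drawn uniformly from `alphabet`."""
    return len(alphabet) ** length


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy in bits of a uniformly random password."""
    return length * math.log2(len(alphabet))


def generate_password(length=12, alphabet=ALPHABET):
    """What a password manager does instead of asking users to invent
    strings: draw each character with a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for target in ("password", "p@$$word", "P@ssw0rd!", "H6u;Y0nc"):
        print(f"{target!r:14} found at guess {guesses_until(target)}")
    print(f"random 8-char guess space: {guess_space(8):,} "
          f"(~{entropy_bits(8):.1f} bits)")
    print("generated:", generate_password(16))
```

With the rules above, “p@$$word” is produced as guess number 313 and “P@ssw0rd!” within the first few hundred as well, whereas the random 8-character password is never produced and would take on the order of 94^8 (about 6 × 10^15) guesses to enumerate. Because users cannot be expected to remember many strings from that second class, the generator function is the piece a password manager supplies.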

IT professionals should be concerned about this problem, and according to a survey of over 600 of them conducted in October and November of 2007 by Siber Systems, Inc., they are.

The survey found that U.S. workers, managers, and IT staffs alike are increasingly confronted with difficulties arising from computer passwords.  In addition to the problem of too many passwords, the survey found the following.

  • Passwords are required too often.  49 percent responded that employees are required to use passwords more than 25 times per week, with 8 percent stating that the number of password uses exceeds 100 per week.
  • Passwords are unprotected.  66 percent said employees write down or store passwords in unsafe places, creating a security problem for their companies.
  • Better management is needed.  48 percent of responding IT professionals are actively seeking a reliable password management solution.

Forty percent of respondents characterized a master password – one strong password that an employee uses to log in to a service that manages passwords for all other accounts – as “a potential lifesaver.” The concept of the master password balances security needs against user fatigue by granting access to all systems through one secure password.

It’s not surprising that security is one of the main concerns of IT professionals, who are required to protect company information, which may include customer lists, financial or health data, or strategic goals. Lost data can mean

  • lost time,
  • lost money,
  • lost opportunities,
  • a lost competitive edge, and
  • crippling legal liability and a serious public relations problem, if customer or client data is lost.

The IT staff in about half of the companies surveyed spend at least 10 percent of their time dealing with password-related requests. This more than anything else shows the significance and cost of password management, and the potential for efficiency and savings.  

The ideal solution to the password management problem would

  • Increase Security – The main reason a company wants to implement a password management solution is to increase the security surrounding corporate data and assets.
  • Reduce the Number of Passwords Employees Need – Many studies show that employees can only remember one or two secure passwords.
  • Improve Employee Productivity – A productive, happy workforce doesn’t have to worry about passwords or calling the helpdesk for password resets.
  • Easily Integrate Into Existing Systems – A solution that ties up the IT staff for months in a complicated deployment defeats one of the main objectives of effective password management.
  • Reduce Help Desk Costs – An effective solution will reduce the burden on the IT help desk staff, reducing overall IT costs.
  • Provide an Immediate Return on Investment – The more a company has to invest up front in a password management solution, the longer it takes to realize a return.
  • Provide a Sustainable Solution – Things change after the initial deployment. A password management solution must afford end users and IT managers an easy ongoing way to maintain password changes.
  • Offer a Trial – Nobody wants to invest in an expensive solution or a complicated integration only to discover that it’s not workable in their environment.

Companies have several options to consider for effective password management. The most common solutions are

  • multi-factor authentication, which can be quite expensive and complicated,
  • enterprise single sign-on, which usually has a long and costly implementation, and
  • enterprise password management, which manages passwords across multiple applications with a much simpler startup.

Whichever method a company chooses, the goal is to secure network resources with a password policy that users will actually follow. Without that, a strong password policy on its own may actually decrease corporate security.

The survey was administered through business data company eMedia.

Bill Carey is vice president of Marketing and Business Development for Siber Systems.  Founded in 1995, Siber Systems creates and markets a wide range of software to both professional programmers and the general public. 

For a free copy of the survey, visit http://www.roboform.com/enterprise/download/survey.html