A new survey by Sophos, Inc., an anti-virus and anti-spam company with U.S. headquarters in Lynnfield, Mass., shows that users -- and many IT professionals themselves -- aren't using passwords properly, putting their computers and the company network at risk.
''It shows that there's still a lack of education,'' says Carol Theriault, a senior security consultant for Sophos. ''Of course, people need to be thinking about firewalls and anti-virus, but they need to think about passwords, too. With so many websites asking people for passwords now, everything thinks they can't remember them all. They just use the same one. And then there are the people who think their password is so good, so tricky that no one will figure it out. And that's just not the case.''
According to the Sophos survey, which was conducted online by visitors to the company website, only 14 percent of respondents never use the same password twice. Forty-one percent use the same password for every website ''all the time'', and 45 percent have ''a few different passwords''.
Theriault says what makes this survey even more alarming is the fact that most people visiting the Sophos site at least have an interest in security -- and many of them are IT and security professionals. This means even the pros aren't as concerned or diligent about their passwords as they should be.
''I found it surprising. This isn't what I expected,'' says Theriault. ''We are a security website and you'd expect people who are security minded to have a better handle on this. From a business standpoint, an administrator might want to try to decipher employee passwords and then go tell people that their passwords aren't secure enough. You're [network] is only as strong as the weakest employee in your company.''
Joe Wilcox, an analyst with JupiterResearch, says he's one of the majority of people who don't generally use different passwords on different websites. He says he feels confident because he uses a password that he thinks would be hard to crack.
''For most sites, I have one password that I use,'' he says. ''Of course, it's 14 characters long. It's a mix mash of stuff that most people wouldn't be able to figure out.'' And Wilcox says he's safer because while he uses the same password over and over, he mixes up the user name on many sites, and he has a separate -- more complex -- password for any financial or banking websites.
And Theriault says that's a key step to take.
She recommends that people separate the websites they visit into three different categories. There are basic websites where people might check football scores or get recipes. Those are generally low-risk sites so it's more acceptable to use the same password for those sites. However, for any corporate situation, people need to use a different, and more complicated password. ''I don't want someone to log in as me and send my boss a resignation letter or steal confidential information from the company,'' she adds.
And for any financial sites -- banking, mortgages, credit cards, stocks -- the password needs to be different from all your others and it needs to be long and complex, including both letters and numbers, upper and lower cases.
Wilcox recommends that people make sure their passwords aren't too simple or easy to guess with casual knowledge of the person.
''My concern is that people tend to pick stuff that is too easy to remember,'' he adds. ''People tend to do their kids birthdays and other important dates -- things that could be figured out with a little social engineering. That's no good... It only takes one site, one figured out password, to hit the goldmine.''