Friday, March 29, 2024

Users and IT Lax about Password Security


After years of warning users about making sure their passwords aren’t easy to guess or left on Post-It notes stuck to their monitors, it seems the message still hasn’t gotten through.

A new survey by Sophos, Inc., an anti-virus and anti-spam company with U.S. headquarters in Lynnfield, Mass., shows that users — and many IT professionals themselves — aren’t using passwords properly, putting their computers and the company network at risk.

“It shows that there’s still a lack of education,” says Carol Theriault, a senior security consultant for Sophos. “Of course, people need to be thinking about firewalls and anti-virus, but they need to think about passwords, too. With so many websites asking people for passwords now, everyone thinks they can’t remember them all. They just use the same one. And then there are the people who think their password is so good, so tricky that no one will figure it out. And that’s just not the case.”

According to the Sophos survey, which was conducted online among visitors to the company website, only 14 percent of respondents never use the same password twice. Forty-one percent use the same password for every website “all the time”, and 45 percent have “a few different passwords”.

Theriault says what makes this survey even more alarming is the fact that most people visiting the Sophos site at least have an interest in security — and many of them are IT and security professionals. This means even the pros aren’t as concerned or diligent about their passwords as they should be.

“I found it surprising. This isn’t what I expected,” says Theriault. “We are a security website and you’d expect people who are security minded to have a better handle on this. From a business standpoint, an administrator might want to try to decipher employee passwords and then go tell people that their passwords aren’t secure enough. Your [network] is only as strong as the weakest employee in your company.”

Joe Wilcox, an analyst with JupiterResearch, says he’s one of the majority of people who don’t generally use different passwords on different websites. He says he feels confident because he uses a password that he thinks would be hard to crack.

“For most sites, I have one password that I use,” he says. “Of course, it’s 14 characters long. It’s a mix mash of stuff that most people wouldn’t be able to figure out.” And Wilcox says he’s safer because while he uses the same password over and over, he mixes up the user name on many sites, and he has a separate — more complex — password for any financial or banking websites.

And Theriault says that’s a key step to take.

She recommends that people separate the websites they visit into three different categories. There are basic websites where people might check football scores or get recipes. Those are generally low-risk sites, so it’s more acceptable to use the same password for those sites. However, for any corporate situation, people need to use a different and more complicated password. “I don’t want someone to log in as me and send my boss a resignation letter or steal confidential information from the company,” she adds.

And for any financial sites — banking, mortgages, credit cards, stocks — the password needs to be different from all your others and it needs to be long and complex, including both letters and numbers, upper and lower cases.

Wilcox recommends that people make sure their passwords aren’t too simple or easy to guess with casual knowledge of the person.

“My concern is that people tend to pick stuff that is too easy to remember,” he adds. “People tend to do their kids’ birthdays and other important dates — things that could be figured out with a little social engineering. That’s no good… It only takes one site, one figured-out password, to hit the goldmine.”
