After years of warning users about making sure their passwords aren’t
easy to guess or left on Post-It notes stuck to their monitors, it seems
the message still hasn’t gotten through.
A new survey by Sophos, Inc., an anti-virus and anti-spam company with
U.S. headquarters in Lynnfield, Mass., shows that users — and many IT
professionals themselves — aren’t using passwords properly, putting
their computers and the company network at risk.
“It shows that there’s still a lack of education,” says Carol
Theriault, a senior security consultant for Sophos. “Of course, people
need to be thinking about firewalls and anti-virus, but they need to
think about passwords, too. With so many websites asking people for
passwords now, everyone thinks they can’t remember them all. They just
use the same one. And then there are the people who think their password
is so good, so tricky that no one will figure it out. And that’s just not
the case.”
According to the Sophos survey, which was conducted online among visitors
to the company website, only 14 percent of respondents never use the same
password twice. Forty-one percent use the same password for every website
“all the time,” and 45 percent have “a few different passwords.”
Theriault says what makes this survey even more alarming is the fact that
most people visiting the Sophos site at least have an interest in
security — and many of them are IT and security professionals. This
means even the pros aren’t as concerned or diligent about their passwords
as they should be.
“I found it surprising. This isn’t what I expected,” says Theriault.
“We are a security website and you’d expect people who are security
minded to have a better handle on this. From a business standpoint, an
administrator might want to try to decipher employee passwords and then
go tell people that their passwords aren’t secure enough. Your
[network] is only as strong as the weakest employee in your company.”
Joe Wilcox, an analyst with JupiterResearch, says he’s one of the
majority of people who don’t generally use different passwords on
different websites. He says he feels confident because he uses a password
that he thinks would be hard to crack.
“For most sites, I have one password that I use,” he says. “Of course,
it’s 14 characters long. It’s a mix mash of stuff that most people
wouldn’t be able to figure out.” And Wilcox says he’s safer because
while he uses the same password over and over, he mixes up the user name
on many sites, and he has a separate — more complex — password for any
financial or banking websites.
And Theriault says that’s a key step to take.
She recommends that people separate the websites they visit into three
different categories. There are basic websites where people might check
football scores or get recipes. Those are generally low-risk sites so
it’s more acceptable to use the same password for those sites. However,
for any corporate situation, people need to use a different and more
complicated password. “I don’t want someone to log in as me and send my
boss a resignation letter or steal confidential information from the
company,” she adds.
And for any financial sites — banking, mortgages, credit cards, stocks
— the password needs to be different from all your others and it needs
to be long and complex, including both letters and numbers, upper and
lower cases.
Wilcox recommends that people make sure their passwords aren’t too simple
or easy to guess with casual knowledge of the person.
“My concern is that people tend to pick stuff that is too easy to
remember,” he adds. “People tend to do their kids’ birthdays and other
important dates — things that could be figured out with a little social
engineering. That’s no good… It only takes one site, one figured-out
password, to hit the goldmine.”