Despite the obvious risks and dozens of clever password management practices, IT managers can't seem to convince users to stop carelessly writing down their passwords.
Password theft seems almost inevitable.
The survey also found that a company's password management process has no affect on a user's tendency to record his or her password. IT can have users create complex passwords, change their passwords frequently, use a single sign-on or multiple passwords for different applications, and users will still write their passwords down.
"It's sort of like Mom and Dad bought a really great security system for the house, but Junior is leaving the combination to the system under the doormat," said David O'Connell, senior analyst at Nucleus Research.
Of the 33% of people who said they improperly record their passwords, one-third said they write them down on paper. Two-thirds said they record them in a text file on their computer or on a personal digital assistant (PDA).
"People who are writing it down on a piece of paper -- that makes the enterprise very vulnerable to a social engineering hack," O'Connnell said. "Hackers who can find a way to get into an organization can walk around until they find a yellow sticky note with a password on it. It does happen."
O'Connell said the people who record their passwords electronically are just as, if not more, vulnerable.
"Laptops and PDAs get stolen all the time, and people get targeted. An industry event would be a great place to find and steal someone's laptop. You can do a search based on password and get a document with a bunch of passwords on it," he said.
The Nucleus survey found that 70% of users call their IT help desks once a year about a lost or forgotten password. Sixteen percent call the help desk two or three times a year for password help; 9% call three to five times a year; and 5% call the help desk more than five times a year.
Richard Roark, vice president of process improvement and network security at Travis Credit Union, said his $1.6-billion Vacaville, Calif.-based financial institution hadn't experienced any incidents with stolen passwords. However, he did acknowledge that some employees were a little loose with their password protection practices.
"We did have people frequently giving passwords to another [employee] just so they could log in, that sort of thing. Once we heard of that… it was pretty much stopped. Then we thoroughly educated everyone to make them understand that they should not give their password to anyone, not even someone from IT."
Biometrics making passwords passé?
Ready to give up the battle, companies are exploring biometrics with some success, but experts say products are just not mature enough.
With 78 applications requiring some form of username and password, Travis Credit Union help desk workers were spending on average one hour each day just handling requests from users who couldn't remember their passwords.
Roark considered biometrics as a way around the problem. He first tried a fingerprint-reading technology, but it presented problems early on.
"The technology wasn't mature yet," he said. "For 70% of people it worked fine. But other people, my boss included, it took them at least five times to get signed in."
Last year Roark switched to a new vendor, DigitalPersona Inc., a Redwood City, Calif.-based provider of fingerprint authentication products. He has since deployed the company's software and fingerprint readers company-wide.
"We've had it for over a year now," Roarke said. "It's been one of the best solutions we've had here. Help desk requests are going down, and end users do not have to remember all their usernames and passwords."
Roark has kept passwords as a secondary level of authentication, in case fingerprint readers fail to recognize users. But so far just one of the credit union's 412 employees has had any trouble with the technology.
Jonathan Penn, principal analyst for identity and security at Cambridge, Mass.-based Forrester Research Inc., said biometric authentication is far more secure than the status quo with passwords, but he said biometrics are just one of many approaches companies are looking at, along with smart cards with PINs, one-time password tokens and USB tokens.
Still, biometric technology has a long way to go before it wins wider adoption.
"Biometrics of all kinds -- face, finger, voice -- are still immature and greeted with healthy skepticism by security people," Penn said.
Roark has tested DigitalPersona's technology deployed at his credit union against some common hacking methods and he has found that the vendor's thumbprint scanners have resisted them.
Penn said fingerprinting vendors have improved their defenses against hacking, but, he added, false positives, false negatives and the frequent need to do multiple scans to get a good reading remain problems.
'Passthoughts' offer new way of thinking
O'Connell said a new field of authentication software, known as cognitive biometrics, is emerging. He believes that form of biometric technology holds the most promise.
"People are authenticated by 'passthoughts' rather than passwords," O'Connell said.
Cognitive biometric software learns about individual users by asking them to tell stories about favorite memories. It can then ask questions of the users about those memories to authenticate users. It also tracks more subtle behavior by users, too, such as their reaction times, the mouse movements.
Patrick Audley, CTO of Cogneto, a Vancouver, B.C.-based vendor of cognitive biometric technology, said his product not only tracks users' answers to questions, but it also tracks how users behave while logged on. If the user interacts with his computer in a way, such as moving his mouse differently, the system might flag the user. If the user logs on from an unusual location, it might ask for additional authentication information.
"It authenticates you on all these other variables, all the things one cannot mimic in the way a person interacts with technology," O'Connell said. "This is something that a person really doesn't have to memorize. It can't be memorized."
O'Connell said the best approach for any company would be to adopt a combination of different authentication approaches. For instance, Cogneto has integrated some biometric reader technologies into its software. And Cogneto's Audley said his company views its product as a "password fortification system."
Let us know what you think about the story; email: Shamus McGillicuddy, News Writer