The volume of required business passwords overwhelms users and hinders IT security efforts, according to a study released Sept. 12 by RSA Security, based in Bedford, Mass.
One quarter of the 1,300 responding business professionals reported password-related security breaches. The study asserts that the burden of multiple passwords poses significant security risks and encourages user behavior that endangers compliance initiatives.
The surveyed users said they felt swamped by the number of passwords necessary to access business applications and Web sites and portals, in some cases leading to precarious behaviors.
Eighteen percent of respondents managed more than 15 passwords, but only 5 percent said they felt they could easily remember that many; 36 percent managed between six and 15 passwords. The majority, 82 percent, expressed frustration with the task of managing passwords at work.
Only 23 percent of U.S. respondents were required to change their passwords regularly, the lowest number among three regions. Thirty-nine percent in the Asia-Pacific region and 34 percent in Europe were required to change their passwords monthly.
Most users reported strong password policies at their organizations, with 70 percent requiring passwords between eight and 14 characters using a combination of letters and symbols. Forty-eight percent said their companies did not allow the reuse of old passwords. However, 17 percent said their companies had no password requirements.
Fifty-seven percent of respondents said the desire of their companies to avoid user frustration prevents the organization from requiring frequent password changes or strong password policies.
Two-thirds reported seeing employees keep paper password records at work, but only 13 percent of those surveyed admitted doing so. Fifty-eight percent were aware of employees keeping electronic password records (such as in a spreadsheet), though only 24 percent of workers said they used these themselves. Fifty percent said they knew of employees tracking passwords in a PDA or handheld device and 40 percent had seen the same done using Post-It notes or scraps of paper affixed to workstations.
More than half (56 percent) of respondents said having a “master password” that replaced all other passwords would be “extremely helpful.”
Respondents were not unaware of the impact of passwords on security: 26 percent said they knew of a corporate security breach that had occurred due to a compromised password. Regionally, those in the Asia-Pacific region were most aware (35 percent) while those in the United States were the least (14 percent).
Breaches mentioned included former employees accessing business accounts using their passwords, terminated employees guessing a former manager's password to gain remote access and an employee altering a coworker's private human resources file.
The results highlighted the workload burden placed on IT help desks as a result of password-related support requests. Twenty percent said password-related calls constituted between 25 and 50 percent of help desk requests. Larger companies were found to be more burdened by password-related help desk calls than smaller ones.