Out-Law News 2 min. read

Only 4% of corporate IT users stick to password rules, finds study
Just 4% of users of corporate systems abide by IT security policies, even when those systems handle very sensitive private information, according to an academic survey that has found humans to be the main flaw in any security system.

Researchers at the University of Wisconsin-Madison and IT University, Copenhagen surveyed 836 members of staff at a company that handles sensitive information about their use of IT systems. The research focused on passwords and on whether their misuse renders complex IT security systems ineffective.

The study found that just 4% of the people surveyed obey best practice rules for passwords. The rest reuse the same passwords across different systems, use words that appear in the dictionary, or write their passwords down on post-it notes beside the computer.

The average user makes 2.7 deviations from password best practice, the study said.

"In deviating from the best practices, end-users can make the best protected computer systems vulnerable," it said. "Problems with the use of alphanumeric passwords have been known for more than 20 years, but unfortunately, so far we have made little progress."

"Much of the attention in the past to improve Computer and Information Security (CIS) has been focused on hardware and software solutions," it said. "Relatively little attention has been paid to 'peopleware'. However, several studies have shown that humans and the way they interact with computer systems are the weakest link in CIS."

The study said that its conclusions will not surprise IT security experts. "Problems with weak passwords are not a new problem. In 1979, Morris & Thompson (1979) reported that many UNIX-users choose very weak passwords, for example very short or obvious passwords," it said. "They analyzed 3289 passwords and results showed that passwords mainly consisted of: strings of three ASCII characters (14%); strings of 4 alphamerics (a set of characters, including letters, numbers, and, often, special characters, such as punctuation marks) (15%); 5 letters, all upper-case or all lower case (21%) or 6 letters, all lower case (18%). Furthermore, 15% of the passwords appeared in various available dictionaries."

Such problems persist, the researchers said. "Almost identical problems with weak passwords are seen today. Schneier (2006) examined 34,000 MySpace usernames and passwords. Results showed that 65% of all passwords contained 8 characters or less. The most frequently used passwords were: password1; abc123; myspace1; and password," said the report.
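As an added illustration, not part of the article or of the study's own analysis, the following Python audit sorts passwords into the Morris & Thompson categories quoted above plus Schneier's "8 characters or less" bucket and a dictionary check, then reports the compliant share and the mean number of deviations in the same terms the study uses. The word list and the sample passwords are constructed for the example.

```python
from __future__ import annotations

# Constructed stand-in for the "various available dictionaries" the study
# mentions; a real audit would load a full word list and breach corpus.
COMMON_WORDS = {"password", "password1", "abc123", "myspace1", "welcome"}


def classify(password: str) -> list[str]:
    """Return the weak-password categories a single password falls into.

    Length/character-class buckets follow the 1979 Morris & Thompson
    breakdown; "eight_chars_or_fewer" follows the Schneier (2006) figure.
    """
    findings: list[str] = []
    n = len(password)
    letters_only = password.isalpha()
    if n <= 3:
        findings.append("three_chars_or_fewer")
    elif n == 4 and password.isalnum():
        findings.append("four_alphanumerics")
    elif n == 5 and letters_only and (password.isupper() or password.islower()):
        findings.append("five_letters_single_case")
    elif n == 6 and letters_only and password.islower():
        findings.append("six_lowercase_letters")
    if n <= 8:
        findings.append("eight_chars_or_fewer")
    if password.lower() in COMMON_WORDS:
        findings.append("dictionary_word")
    return findings


def summarize(passwords: list[str]) -> dict:
    """Aggregate findings the way the study reports them: count per category,
    share of passwords with no deviation, and mean deviations per password."""
    counts: dict[str, int] = {}
    total_deviations = 0
    compliant = 0
    for pw in passwords:
        findings = classify(pw)
        total_deviations += len(findings)
        compliant += 1 if not findings else 0
        for f in findings:
            counts[f] = counts.get(f, 0) + 1
    n = len(passwords)
    return {
        "counts": counts,
        "compliant_share": compliant / n if n else 0.0,
        "mean_deviations": total_deviations / n if n else 0.0,
    }


# Constructed sample, one password per category plus two that pass.
SAMPLE = ["abc", "ab12", "HELLO", "secret", "password1", "Hello",
          "Tr0ub4dor&3x!", "abc123"]
```

Calling `summarize(SAMPLE)` on the constructed set gives a compliant share of 0.125 and a mean of 1.5 deviations, the two headline statistics the study reports for its real respondents.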

The study found that the people most likely to have safe password practices were the people who were the most experienced computer users.

"Results of statistical analysis show that user type (novice, average, advanced or expert user) is the strongest factor related to the number of deviations. Gender, age, education, job position, the organizational unit the respondents work in, and years of computer experience are less important," it said. "Expert users and to a lesser extent advanced users perform significantly better than average users and novice users."

The report did suggest how security could be improved. As well as the use of more expensive token or smart card systems, it said, organisations could use pictorial passwords.

"Humans do not seem to have a specific limit regarding how many pictures can be stored in long term memory and pictures are easily remembered," it said. "Studies have shown that picture based passwords have a better memorability than alpha-numeric passwords and PIN numbers."

"Graphical passwords are not a security 'silver bullet', but a possible alternative for usable yet secure authentication," said the report.
