IT users in password hell

The typical intensive IT user now has 21 passwords, and has two strategies to cope: Use common words as passwords or just write them down

Heavy users of technology now employ nearly two dozen passwords to gain access to various IT systems and Web sites -- but are compromising security by writing them down.

The 2002 NTA Monitor Password Survey found that the typical intensive IT user now has 21 passwords, and has two strategies to cope, neither of which are advisable from a security standpoint: they either use common words as passwords or keep written records of them.

The survey found that some of these heavy users maintain up to 70 passwords. Forty-nine percent write their passwords down, or store them in a file on their PC.

The research shows that 84 percent of computer users consider memorability as the most important attribute of a password, with 81 percent selecting a common word as a result.

Furthermore, 67 percent of the entire universe of users polled by NTA Monitor rarely or never change their passwords, and 22 percent said they would only ever change one if forced to do so.

One respondent said: "Memorability is more important as I assume it's secure. I remember passwords I've selected but if I've been assigned one I can't change I write it down on a 'post it' and stick it to my docking station."

Roy Hills, technical director, NTA Monitor, said: "Users are effectively leaving their keys in the front door of their computer systems. A disciplined security approach must start with the user. As an industry, we need to help users address this issue. The fundamental problem is that users are forced to manage and maintain so many user names and passwords that they are inevitably using common phrases, or resort to writing passwords down."

He added: "The IT industry is simply not taking it seriously enough -- losing a laptop, for example, with strictly confidential merger and acquisition documents on the hard disk is one thing but if it's got a 'post it' note with the password stuck to it you've only got yourself to blame."

NTA Monitor surveyed 500 computer users at Victoria Station, London over a week-long period in November 2002.

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section.

Have your say instantly, and see what others have said. Go to the Security forum.

Let the editors know what you think in the Mailroom.