Study: End users still the biggest hole in IT security

Reuse, recycle doesn't apply to passwords

A researcher at the University of Cambridge released a study this week quantifying a practice every computer user relies on and every IT security person deplores: using the same password for more than one account or web site.

"Horrible idea," security wonks shriek. It's the easiest way to give away all your data: one site gets hacked and your whole network of public accounts, SaaS logins and critical YouTube databases is compromised.

"I have 100 years of baseball statistics to remember," users reply, sticking completely to the topic, "50 phone numbers, 12 birthdays, three push-button security codes, two PINs and my own name to remember. How can I remember a different password for every web site I use, especially the tough ones IT wants me to use?"

Of course end users repeat passwords. They have more important things to remember. Given the chance, even when you force them to change passwords, they keep the same ones – adding 1 to the end of MYpassW0rd when the old version expires, for example.

Previous studies had estimated that passwords were reused only about 20 percent of the time, according to the researcher, Joseph Bonneau.

He found that number is actually between 31 percent and 49 percent, depending on how strict the definition of "reuse" is.

He compared the password lists stolen from rootkit.com and gawker.com and later posted publicly. Among the 456 legitimate email addresses that appeared in both leaks, 31 percent used exactly the same password on both sites. That rises to 49 percent if you also count variants, such as the same password with different spelling or capitalization.
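To make that comparison concrete, here is an added example of how such a cross-leak measurement is done. It is my own code, not the article's and not Bonneau's: it joins two constructed dumps (fictional addresses and passwords) on email address and reports the strict rate (identical password) and a lenient rate. The lenient rule used here, case-folding plus stripping a trailing run of digits or punctuation to catch the "add a 1 when it expires" habit, is my assumption about what counts as a spelling variant, not the study's exact criteria.

```python
"""Measure password reuse between two leaked credential lists.

Added example (my own code, not the article's or Bonneau's): join two
breach dumps on email address and report how many shared accounts reuse
a password under a strict definition (identical string) and a lenient
one (identical after case-folding and stripping a trailing run of digits
or punctuation). The lenient rule is an assumption, not the study's.
"""
import re
from typing import Dict, Iterable, Tuple

# Constructed sample dumps with fictional addresses and passwords.
SITE_A = [
    ("alice@example.com", "MYpassW0rd"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "Tr0ub4dor&3"),
    ("dave@example.com", "letmein"),
    ("erin@example.com", "qwerty"),
    ("frank@example.com", "onlyonsitea"),
]
SITE_B = [
    ("alice@example.com", "MYpassW0rd1"),   # rotated by appending "1"
    ("bob@example.com", "hunter2"),         # exact reuse
    ("carol@example.com", "tr0ub4dor&3"),   # capitalization differs
    ("dave@example.com", "correcthorse"),   # genuinely different
    ("erin@example.com", "QWERTY"),         # capitalization differs
    ("grace@example.com", "onlyonsiteb"),   # not present in SITE_A
]

# Trailing digits/punctuation that users tack on when forced to rotate.
_TRAILING_JUNK = re.compile(r"[0-9!@#$%^&*.?_-]+$")


def normalize(password: str) -> str:
    """Lenient canonical form: lower-case, drop trailing digits/punctuation.

    If stripping would leave nothing (an all-digit PIN such as "12345"),
    keep the lower-cased original so two different PINs are not equated.
    """
    folded = password.lower()
    stripped = _TRAILING_JUNK.sub("", folded)
    return stripped or folded


def classify(pw_a: str, pw_b: str) -> str:
    """Return 'exact', 'variant' (lenient match only) or 'different'."""
    if pw_a == pw_b:
        return "exact"
    if normalize(pw_a) == normalize(pw_b):
        return "variant"
    return "different"


def index_by_email(records: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map normalized email -> password; the last entry wins on duplicates."""
    return {email.strip().lower(): pw for email, pw in records}


def reuse_rates(dump_a: Iterable[Tuple[str, str]],
                dump_b: Iterable[Tuple[str, str]]) -> Dict[str, float]:
    """Strict and lenient reuse rates over accounts present in both dumps."""
    a, b = index_by_email(dump_a), index_by_email(dump_b)
    shared = sorted(set(a) & set(b))
    counts = {"exact": 0, "variant": 0, "different": 0}
    for email in shared:
        counts[classify(a[email], b[email])] += 1
    n = len(shared)
    strict = counts["exact"]
    lenient = counts["exact"] + counts["variant"]
    return {
        "shared_accounts": n,
        "strict_count": strict,
        "lenient_count": lenient,
        "strict_rate": strict / n if n else 0.0,
        "lenient_rate": lenient / n if n else 0.0,
    }


if __name__ == "__main__":
    result = reuse_rates(SITE_A, SITE_B)
    print(f"accounts in both dumps: {result['shared_accounts']}")
    print(f"strict reuse:  {result['strict_rate']:.0%}")
    print(f"lenient reuse: {result['lenient_rate']:.0%}")
```

Only accounts that appear in both dumps are counted, which is why the denominator in the study is 456 rather than the size of either leak; the gap between the strict and lenient rates is exactly the population of users who "changed" a password by capitalizing it or appending a digit.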

Most security experts say attackers don't usually pursue individuals, because guessing one password for one account is more trouble than it's worth: there are tens of thousands, or millions, of possible passwords for each account.

Reuse changes that arithmetic. Crack one password and the odds that it also opens the victim's other accounts are somewhere between two-to-one against and nearly even, depending on how strictly you count. For the attacker, that's a big improvement on guessing from scratch.

As they (and you, admit it) use more SaaS and cloud-based apps for personal and corporate functions, the problem will only get worse. You'll have people using the same password at Salesforce, Amazon, Rackspace and Facebook. Guess which one will get hacked?

Make things easier on them. Give them a way to sign on securely without having to remember a string of random characters for each of 20 internal applications or web sites.

Give them password-management software that generates a strong, unique password for each site and fills it in automatically at sign-in. LastPass, RoboForm and Secure Login all have good reputations; there is a long list of single sign-on products that aren't tied to a particular browser, and a raft of products built on the open OpenID identity standard, any of which could fill the need.

Some are even relatively painless.

Make life easier on everyone. Look into them.

Kevin Fogarty writes about enterprise IT for ITworld. Follow him on Twitter @KevinFogarty.
