What's more, both weak and strong passwords are vulnerable to human error. Among other things, they may be written down, stored in visible places online or on personal devices, shared with friends and co-workers, or divulged via phishing schemes.
It's a problem with old roots. Security expert Larry Ponemon of the Ponemon Institute worked on a project some 15 years ago for a government agency that required users to create 15-character passwords and update them every 30 days.
"If you forgot your password, you had to go to a tyrant at the help desk who would call you incompetent before he'd reset your password," Ponemon remembers. "When I walked through the office, I saw that all these employees working on highly confidential documents had written their passwords on Post-it notes because they didn't want to deal with the tyrant."
At Case Western Reserve University in Cleveland, CISO Tom Siu has seen it all: professors giving passwords to teaching assistants and TAs sharing them with peers. Siu recently traced an unauthorized software download to the ex-boyfriend of a former student.
As more of our lives move online, the sheer number of passwords any one person is required to use becomes a problem in itself. The Ponemon Institute conducted a study several years ago to determine how many passwords people could remember. For most people, it was one or two; some could manage three.
"That means you have a top-secret password for your bank," plus one other password "for everything else," says Ponemon. "If someone steals [the latter], they can probably get other challenge and verification information, like the name of your first-grade teacher."
And, despite IT's best efforts, users continue to fall for phishing attacks. "When we educate people about phishing, the number of people who fall for it goes down," says Jonathan Feldman, director of IT services for the city of Asheville, N.C. "But it never goes down to zero."
And then there are hackers. Even strong passwords can be stolen in batches, as multiple high-profile cases have shown.
All of which makes a strong case for a Plan B.
Short-term Solutions: SSO and LDAP
In the short term, Plan B to many IT executives is single sign-on (SSO) technology or the Lightweight Directory Access Protocol (LDAP).
Single sign-on, as its name implies, lets users log in once and then authenticates them to multiple systems. LDAP, a directory protocol that runs over IP networks, is the interface through which Microsoft's Active Directory is queried, so any application that authenticates against Active Directory can accept the same password.