Version: 2008

Comments on: Study: Workers often jot down passwords

Companies should look to technology to make up for employees' lack of security savvy, authors recommend.

(12 Comments)
PassPhrase
by Marcus Westrup October 17, 2006 9:30 PM PDT
I find there are avoidable reasons regularly changing corporate passwords do not work:
First, employees know that these will soon all be changed again, so there is no incentive to try and memorize (instead of writing them down). Second, it's often not just one password but a suite of them. An IT administrator may have 20 changes to remember - ouch.
And randomly generated passwords are not very "wetware" friendly. Passphrases are, but only if they have a pattern that the human mind can latch onto, a mnemonic that links the phrase with the subject.
Shuffling of codes lost
by H Voyager October 17, 2006 11:37 PM PDT
The problem isn't so much untech-savvy employees as it is the sheer volume of passcodes, log-ins, and key phrases one ends up having to remember, and then match into the array of systems we use on a day to day basis.

Just today I managed to lock myself out of my computer, because I was using the password for the corporate intranet log in, rather than the one for my work-station/lan log in. And, of course, the company email system is a different log in, and different password system entirely.

Fun ain't it?

Harry Voyager
Unbelievable...
by wbenton October 18, 2006 6:21 AM PDT
For those who write down their passwords... they are definitely not security worthy to own one in the first place. Remove the computer in front of them and assign them to a non-computer related task.

No need in stupidifying the office to the lowest security breach in the company.

The problem is not the technology... but the user. Thus deal with the user and STOP trying to look for a stupid work around.

Walt
K.I.S.S.
by dsarazen December 7, 2006 6:10 AM PST
Maybe some people need to get off the technology high-horse. I had 68 IDs and passwords (many with different complexity requirements) in my last job as an IT administrator. Of course I put them in an Excel file that was password protected and stored on my company's drive, and that's not perfect. For the sake of all involved, simpler authentication tools need to be adopted and implemented.
K.I.S.S.
Share Password Safes
by alsutton October 18, 2006 9:00 AM PDT
Many companies use password safes which give people a secure place to store their passwords, which takes away the need to find somewhere to stash the password. One of the best solutions I've seen is from http://www.argosytelcrest.com/enterprise_password_safe.html, if nothing else it'll help save on the cost of Post-It notes :).
It amazes me
by csturdivant October 18, 2006 11:35 AM PDT
I work in software support at a very large financial corporation, and it amazes me when I have users that will ask me if they can leave me their sign-on info so that I could look at their software problems while they are not at their desk. And a favorite of mine are the users that tape their passwords under their keyboards. I even caught some users that taped this info onto their laptops!
There Needs To Be A Combination
by matt_parker October 18, 2006 2:14 PM PDT
Single sign on will only make security breaches worse if there isn't a mechanism of additional requirements such as token scan and convergence of logical and physical security so that employees that haven't used their pass card to get in the building will not be able to subsequently log onto a machine.
This is news?
by aureolin October 18, 2006 2:30 PM PDT
What rock have these "researchers" been hiding under? People have been writing down passwords since the 1970's.

Steve G.
Problem is not the jotting of passwords
by m0kume October 19, 2006 3:43 AM PDT
The average worker at my company has a minimum of 3 passwords to remember, some like Accounting and IT may have 12 or more passwords to remember. Jotting down the password is not as bad as where it is stored. The problem is people put their user accounts and passwords on their monitors or under keyboard.
Simple password management
by converter42 October 19, 2006 4:48 AM PDT
Until SSO becomes practical (anyone who claims it is practical now is either Sun or Microsoft, and they just want your money--lots and lots of it) the easiest way for users to manage the proliferation of passwords is to keep them on cards stored in their wallets (the real kind, as in the things you keep all your credit cards and family photos in). This guarantees that the user will take at least as much care to protect his passwords as he does his credit cards. Not a perfect solution, but it beats the hell out of yellow sticky notes on the side of the monitor.
The problem is software developers
by October 19, 2006 10:17 AM PDT
The problem is often the software and its developers. It's considered a 'basic fact' among developers that complicated passwords that require a mix of letters and numbers, and often a minimum length, and changed often, are a good idea. The problem is every application and site has a slightly different requirement. Users have to try to remember dozens of different, complex, frequently changing passwords. OF COURSE they'll write them down. Unlike the computer geeks, the programs aren't the center point of their lives, so they're not going to dedicate that much effort into memorizing them. And, of course, once the password is written down, all the supposed security from those fancy password requirements is GONE.

The solutions:

1) ease up on the password requirements. Don't make users remember 12 character, mixed case and number passwords. Don't make them change passwords every month (they'll just alternate between their pet's names anyways)

2) Use some other sort of authentication - biometric, rfid chips in their keychains, etc.

3) use some sort of password safe on the PC. Something like MS Private Folders (if they can get it) or apps meant specifically for storing passwords.
Give me a break
by driver28 October 23, 2006 11:35 AM PDT
I no longer work, but have had jobs in the tech industry since the 1970's - from the federal gov't, to Fortune 100 companies, to a seven person company. Passwords drove me absolutely mad. YAPs I called them: "Yet Another Password." Now that I surf the net for fun and profit, I currently have 195 passwords in a spreadsheet. No, I take that back. I have 196 passwords because I had to sign up and create another one to rant here. Not only passwords, but site names, user names, and email addresses (a range of disposables like the one I just created.) I challenge any geek to keep track of all of that information. I am just waiting to get that chip in my left thumb so I can quit all this nonsense.