The Ongoing Trouble with Passwords

Sue Marquette Poremba

A week or so ago, research firm SplashData released its annual list of worst passwords. It’s pretty sad how, year after year, breach after breach, warning after warning, Internet users continue to use the same weak passwords.

Even though there are a few new ones this year, like baseball and football, most of them are the familiar number and letter patterns, as well as that old standby “password.” Have we learned nothing about the relationship between passwords and security?

Apparently not, according to two recent studies that focused on our attitudes toward passwords.

The first, from Software Advice, found that 44 percent of employees aren’t sure their passwords are secure. According to the study, “Password Use in the Workplace,” it looks on the surface like a good thing that the majority of users do feel comfortable with the strength of their work passwords, but 56 percent is still a pretty low number considering how often passwords are stolen or just plain guessed in order to break into someone’s network or files.

The Software Advice survey also revealed an interesting paradox. Remembering that this study focused on workplace passwords, it found that only 31 percent of users admitted to using the same password across different platforms and sites. But as the researchers pointed out:

What is startling, however, is that the figure is so low. According to a November 2014 report by network security provider RSA and the Ponemon Institute, 69 percent of consumers admit to reusing the same password on more than one device or website.

Why the discrepancy? The study guesses it could be that workplaces don’t allow for the same password to be used more than once – and I know in my last office job that the different systems that required a password login were constantly requiring me to change my password at different intervals while not allowing me to reuse old passwords – or it could be that we use fewer passwords at work than for personal use (my vote is with the former idea; I’d like to know how many of those work passwords are used for non-work purposes, just to make life easier).

The second study came from SailPoint, and this one was truly disturbing. It showed that many of us would have no qualms about selling our passwords if the price were right. And apparently, that price is about $150.

It’s also interesting because it contradicts the Software Advice numbers: 56 percent of SailPoint’s respondents admitted to some password reuse in the workplace. Given the Ponemon figure, I suspect this number is the more realistic one.


In a formal statement, Kevin Cunningham, president and founder of SailPoint, said:

Just think of the major breaches that occurred in 2014 requiring users to change their passwords on social media. If those were the same passwords being used to access mission-critical applications, it’s very easy for hacking organizations to take advantage and get into more valuable areas. The fact is that password reuse poses a significant risk to any organization.

I get that coming up with unique and strong passwords can be a real pain, but surely, by now, we’ve gotten better than Password1234.
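As an added illustration, not part of the original post, here is the kind of check a workplace login or password-change form could run to reject the passwords this post names: the SplashData entries (“password”, “baseball”, “football”), the familiar number and letter patterns, and a dictionary word with digits tacked on such as Password1234. The denylist below is a small constructed sample, not SplashData’s actual list, and the minimum length of 12 is an assumed policy value.

```python
import re

# Constructed sample of a common-password denylist. A real deployment would load
# the full SplashData-style list (or a breached-password corpus) from a file.
DENYLIST = {
    "password", "baseball", "football", "123456", "12345678",
    "qwerty", "abc123", "letmein", "dragon", "monkey",
}

# Keyboard rows and ordered sequences; any 4-character run taken from one of
# these (forwards or backwards) counts as a predictable pattern.
SEQUENCES = ("0123456789", "abcdefghijklmnopqrstuvwxyz",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_LENGTH = 12  # assumed policy value

REASON_DENYLIST = "appears in the common-password denylist"
REASON_APPENDED = "is a denylisted word with digits or symbols appended"
REASON_SHORT = f"is shorter than {MIN_LENGTH} characters"
REASON_DIGITS = "consists of digits only"
REASON_SEQUENCE = "contains a keyboard or number sequence"


def contains_sequence(text: str, run: int = 4) -> bool:
    """True if any `run`-length window of `text` is a slice of a known sequence."""
    lowered = text.lower()
    for i in range(len(lowered) - run + 1):
        window = lowered[i:i + run]
        for seq in SEQUENCES:
            if window in seq or window in seq[::-1]:
                return True
    return False


def weak_password_reasons(password: str) -> list:
    """Return every policy rule the candidate password violates (empty = accepted)."""
    reasons = []
    lowered = password.lower()

    if lowered in DENYLIST:
        reasons.append(REASON_DENYLIST)

    # Strip a trailing run of digits/symbols so "Password1234" or "football2015"
    # is judged on the dictionary word it is built from.
    core = re.sub(r"[\d!@#$%^&*]+$", "", lowered)
    if core != lowered and core in DENYLIST:
        reasons.append(REASON_APPENDED)

    if len(password) < MIN_LENGTH:
        reasons.append(REASON_SHORT)
    if re.fullmatch(r"\d+", password):
        reasons.append(REASON_DIGITS)
    if contains_sequence(password):
        reasons.append(REASON_SEQUENCE)
    return reasons


if __name__ == "__main__":
    for candidate in ("password", "Password1234", "football", "123456",
                      "correct-horse-battery-staple-9"):
        verdict = weak_password_reasons(candidate)
        status = "rejected" if verdict else "accepted"
        print(f"{candidate!r}: {status} {verdict}")
```

The check reports every violated rule rather than stopping at the first one, so a user who types Password1234 learns both that the base word is on the denylist and that “1234” is a predictable run, which is more useful feedback than a bare “too weak”.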

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba

Jan 30, 2015 4:58 PM Hitoshi Anatomi says:

At the root of the password headache is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts. By the way, some people shout that the password is dead or should be killed dead. The password could be killed, however, only when there is an alternative to the password. Something belonging to the password (PIN, passphrase, etc.) and something dependent on the password (ID federations, 2/multi-factor, etc.) cannot be the alternative to the password. Neither can be something that has to be used together with the password (biometrics, auto-login, etc.).
