One in Three Employees Compromise Corporate Security through Lax Password Practices, Nucleus Research Study Finds

Business Wire, Oct 17, 2006

Companies should consider alternate authentication practices since strategies to improve password security have no impact

WELLESLEY, Mass. -- Passwords are largely ineffective at protecting corporate data due to common human error, a new study by Nucleus Research and KnowledgeStorm finds. More than a third of employees write down or electronically record their passwords, creating significant vulnerabilities. Even worse, lowering the quantity of passwords, changing password complexity, or changing password change frequency had no impact on employee actions.

"Companies that spend time and money creating password security strategies are largely wasting their time, because one in three employees are writing down passwords regardless of password policies," said David O'Connell, senior analyst at Nucleus Research. "It's like leaving the key under the mat or in the flower box. Companies looking to ensure security should look beyond passwords to other authentication strategies."

Study Findings

The study surveyed 325 enterprise users and found that more than one third wrote down their password, despite the clear security risk it

poses. Of those who keep a record of their password, two-thirds store it in a text file on either a PC or mobile device, creating new vulnerabilities for fraudulent access to data. The study finds the same percentage of users write down or store their password regardless of the type of security system in place - restrictive, average or lenient.

Many companies try to improve password security by adding complexity, such as requiring both numbers and letters or even special characters in each password, increasing the frequency that passwords are changed or requiring a greater number of passwords to enable access. As long as users write down or store their password, none of these efforts add any protection. In fact, single sign-on is just as effective as more complex schemes, according to the study. Even user education on the importance of protecting a password does little to reduce the number of people who keep a written or electronic record of the password.

"These findings are very relevant to the individuals searching for security solutions," said Rachel Spasser, senior vice president, Business Planning and Corporate Development, KnowledgeStorm. "They should be taken into consideration in the selection process when companies are looking to implement an effective security solution."

Companies may want to review biometrics, cognitive biometrics and other authentication technologies to improve their overall security. This report and others from Nucleus can be found at www.NucleusResearch.com

About Nucleus Research

Nucleus Research is a global provider of IT advisory and research services that provides CFOs, CIOs and their staffs with the real-world information they need to maximize the business returns from their technology investments. For more information, visit www.NucleusResearch.com.

About KnowledgeStorm

KnowledgeStorm is the Internet's top-ranked search resource for technology solutions and information. Leveraging the KnowledgeStorm Network of premier partners and its extensive search expertise, KnowledgeStorm is able to reach technology buyers and deliver the information they need no matter where their search begins. KnowledgeStorm, with its network, search expertise and performance tools and services, is a powerful resource for technology vendors, providing them the most opportunities to reach buyers on the Internet and convert them into Web leads. For more information, call (877) 340-9274 or visit www.knowledgestorm.com.