Passwords are largely ineffective at protecting corporate data due to common human error, a new study by Nucleus Research and KnowledgeStorm finds.
The study says companies should consider alternative authentication practices, since strategies to improve password security have no impact.
The study surveyed 325 enterprise users and found that more than one third wrote down their password, despite the clear security risk it poses. Of those who keep a record of their password, two-thirds store it in a text file on either a PC or mobile device, creating new vulnerabilities for fraudulent access to data. The study finds the same percentage of users write down or store their password regardless of the type of security system in place – restrictive, average or lenient.
Many companies try to improve password security by adding complexity, such as requiring both numbers and letters or even special characters in each password, increasing the frequency with which passwords are changed, or requiring a greater number of passwords to enable access. As long as users write down or store their password, none of these efforts adds any protection. In fact, single sign-on is just as effective as more complex schemes, according to the study. Even user education on the importance of protecting a password does little to reduce the number of people who keep a written or electronic record of the password.
Password management centre
On the same day, information security software company Cyber-Ark announced the release of a management console for user accounts and passwords.
It claims its Enterprise Password Vault is the only product in the market to provide an enterprise-wide view of privileged password activity. Graphical analysis and alerts on password usage activity give IT users and administrators the ability to determine where issues exist and to highlight password policy violations.
“Cyber-Ark is fulfilling a pressing need in the market for the extension of secure identity management solutions,” said Sally Hudson, research manager for IDC’s Security Services and Identity Management Products program. “Cyber-Ark’s latest release of Enterprise Password Vault is designed to provide a safe haven where all privileged users' passwords can be securely archived, transferred, shared, and managed by authorised users.”