Passwords can be a real pain in the proverbial butt for IT people.
Ensuring the strength of passwords is nothing new. They need to be complex enough to withstand even the most basic of attacks. But what about the number of passwords that employees have to remember to do their jobs? If remembering one good, complex password is difficult, then is remembering 12 near impossible?
A recent SearchSecurity.com poll found that 77% of respondents had six or more passwords to remember for their jobs. About 23% had five or fewer passwords. But 20% had 15 or more passwords for their jobs. More than 200 took part in the online survey.
Recently, SearchSecurity.com contacted some users to see if this jibed with reality. For many, alternatives to passwords are not necessarily the answer. Having a bunch of passwords is part of being an IT professional or "part of the wretched way the world is," said Jon Callas, chief technology officer and founder of PGP Corp. and a SearchSecurity.com site expert.
So what is the way to minimize the number of passwords users need to know? Biometrics? Smart cards? While such devices have their place, they won't replace all the passwords that users need to remember. "Since relatively few systems are set up to use smart cards or biometrics, these systems would only eliminate one-third to two-thirds of passwords, and that still leaves me with probably a good half-dozen that I need to remember," Callas said.
Of course, all passwords aren't created equal. The need to safeguard a password for The New York Times Web site is much less than the need to protect a network login password. For the former, reusing passwords isn't horrible. "Anything where they can mail you the password back is insecure," Callas said.
Yet there are some techniques for making complex passwords easier to remember. For example, taking the first letter of each word in a phrase is one way of creating a password that is easy to remember, said Bill April, a system administrator at a semiconductor equipment manufacturer in Vermont. Another way is running "several short words together with underlines, hyphens or other characters to separate the words," he said.
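As an added example (not from the article or the people it quotes), the Python below implements the two derivation techniques just described and estimates how much strength each yields, with the caveat a practitioner should keep in mind: a first-letter acronym looks like a random mixed-case string but is shorter and less random than it appears, while a word-join passphrase is only as strong as the randomness of the word choice. The sample phrase, word list and the 7776-word list size are constructed assumptions.

```python
import math
import re

# Constructed sample inputs for the two techniques from the article.
PHRASE = "My dog Rex ate 2 socks on Tuesday!"
WORDS = ["maple", "quartz", "lantern", "cobalt"]


def first_letters(phrase: str) -> str:
    """Technique 1: first character of each word in a phrase (case kept)."""
    return "".join(token[0] for token in phrase.split())


def joined_words(words, sep: str = "_") -> str:
    """Technique 2: several short words run together with a separator."""
    return sep.join(words)


def charset_size(pw: str) -> int:
    """Size of the alphabet the password visibly draws from."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII punctuation
    return size


def charset_bits(pw: str) -> float:
    """Upper bound on strength: every character treated as an independent,
    uniform pick. Overstates an acronym, whose letters follow English word
    frequencies rather than being random."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def wordlist_bits(num_words: int, list_size: int) -> float:
    """Strength of a word-join passphrase when each word is chosen uniformly
    at random from a list of list_size words. Does not apply to words the
    user picked by preference, which are far more guessable."""
    return num_words * math.log2(list_size)


if __name__ == "__main__":
    acronym = first_letters(PHRASE)
    phrase_pw = joined_words(WORDS)
    print(acronym, round(charset_bits(acronym), 1), "bits (upper bound)")
    print(phrase_pw, round(wordlist_bits(len(WORDS), 7776), 1), "bits if random")
```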
Callas came up with some tricks to remember passwords when he worked for an OS development group that required him to remember six computer-generated passwords that were changed every two weeks. His favorite solution was writing them on a piece of paper and sticking them someplace secure, like his wallet.
Now, some security pros may balk at such a suggestion. Many have probably chastised end users who write their passwords down and then stick them on their monitors.
Callas would not write down which system the password was for, and he would omit the last character or two. Other people would add extra characters. "I know others who would systematically change one character in the password (for example, the second character is always one more than what it should be -- if the letter written down is B, then you actually type A)," he said.
"Realistically, just putting them in your wallet is good enough," Callas said. "If you make the network attacker perform a physical assault, you have the issue well in hand."