06/11/2006 - Headlines - Security
Security password guidelines 'being ignored'
Basic rules governing IT security passwords are being ignored by workers involved in major financial transactions, a new study has shown.
IT company Quest Software surveyed 200 workers in London’s Square Mile to test whether their companies were contravening a range of guidelines from the SANS Institute - widely regarded as the most trusted source of information security training and certification.
According to Quest’s findings, around half of system passwords were shorter than the recommended eight characters, making them "too easy to crack".
Also, 84% of respondents were responsible for choosing their own passwords, whilst over 25% used "real word" passwords rather than the recommended alpha-numeric combinations. Quest said such practices were "strongly discouraged" as they could lead to compromised security.
Around a quarter of workers surveyed also shared passwords between work PCs and personal applications - such as web mail and online banking - again increasing the risk of password theft and unauthorised system access.
As many as a third of respondents had shared confidential password information with work colleagues.
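As an added illustration (not from the article or from Quest's survey), a small Python check that applies the guidelines the survey measured against: a minimum of eight characters, an alpha-numeric mix, no real-word base, and no reuse of one password across systems. The wordlist is a constructed stand-in for a real dictionary, and treating a word with digits or punctuation bolted on as still a "real word" password is an assumption of mine, not a claim the survey makes.

```python
import re

# Constructed mini wordlist standing in for a real dictionary (assumption:
# a production check would load a full wordlist such as the system dictionary).
COMMON_WORDS = {"password", "welcome", "summer", "london", "finance", "letmein"}

MIN_LENGTH = 8  # the recommended minimum length cited in the survey


def _strip_decoration(pw: str) -> str:
    """Return the alphabetic core of a password, so 'Summer2006!' maps to 'summer'.
    Assumption: a real word with digits or punctuation appended is still a
    'real word' password in the sense the survey discourages."""
    return re.sub(r"[^a-z]", "", pw.lower())


def check_password(pw: str, wordlist=COMMON_WORDS) -> list:
    """Return the list of guidelines the password violates (empty list = passes)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_alpha = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    if not (has_alpha and has_digit):
        problems.append("not an alpha-numeric combination")
    if _strip_decoration(pw) in wordlist:
        problems.append("built on a real word")
    return problems


def check_reuse(per_system: dict) -> list:
    """Given {system_name: password}, return (first, later) pairs of systems that
    share a password: the work-PC vs web-mail/banking reuse the survey flags."""
    first_seen = {}
    reused = []
    for system, pw in per_system.items():
        if pw in first_seen:
            reused.append((first_seen[pw], system))
        else:
            first_seen[pw] = system
    return reused


if __name__ == "__main__":
    # Constructed sample inputs, not survey data.
    for candidate in ["Summer2006!", "abc123", "london", "x7Qp9vL2m"]:
        print(candidate, "->", check_password(candidate) or "passes")
    print(check_reuse({"work_pc": "Summer2006!", "webmail": "Summer2006!", "bank": "q4Zr8kLp"}))
```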
Easy to manage?
Joe Baguley, global product director at Quest Software, said: "Financial institutions should be amongst the most diligent organisations in the world when it comes to IT security.
"The findings of our latest password survey therefore make for interesting reading, originating as they do from one of the world’s financial hubs."
Previous studies have shown that the average computer user has to manage twenty-one different password access points, with some using as many as 70 different passwords.
Memorability, not security, is considered the most important attribute of a password by 84% of website and computer users, while 81% select a common password whenever possible. As many as 67% of IT users rarely or never change their passwords.
Privileged passwords
A recent study by e-security solutions provider Cyber-Ark highlighted the problem of so-called "privileged passwords" within many organisations.
Privileged passwords are non-personal passwords that can exist within virtually any device or software application within an enterprise.
The Cyber-Ark study showed that such passwords were far more common in organisations than previously thought - with approximately one-half of all enterprises containing more privileged passwords than individual ones.
It also revealed that despite providing "super-user" system access, 42% of privileged passwords were never updated. A spokesperson for Cyber-Ark said one reason they were not changed was that many organisations still had to manually alter these key passwords, making the procedure "impractical".
