The survey confirmed that the burden of multiple passwords continues to pose significant security risks, and encourages end-user behavior that endangers compliance initiatives.
Kieran Hernon, Country Manager for RSA, commented: “Password management continues to cause headaches and frustration for both those overseeing corporate password management and end users accessing a growing number of applications daily. The unfortunate result of inefficient and cumbersome password management can be a security breach. Perpetrators of both internal and external attacks will look for the easy way in, and obtaining passwords – either through theft or social engineering techniques – could be the first place they’ll start. Password management technology, combined with strong authentication and continuous end user education will help to alleviate this risk.”
Passwords Impacting Compliance Initiatives and Enabling Security Breaches
RSA Security’s survey polled a cross-section of business visitors to Gitex 2006 with jobs related to corporate password management, asking about a number of issues related to compliance and overall IT security. Of note, 53 percent say their company’s desire to avoid end-user frustration prevents the organization from enforcing frequent password changes and/or strong password policies. In addition:
• Passwords and IT Security: RSA’s survey revealed that organizations are very concerned about the impact of passwords on IT security. 32 percent claimed that they are extremely concerned and almost a quarter (24 percent) said that passwords are “moderately concerning.”
• Passwords and IT Security Breaches: Thirteen percent of respondents know of a corporate security breach that has occurred due to a compromised password.
• Passwords in the Era of Compliance: Most Gitex visitors surveyed view password management as fundamental to compliance. In fact, almost 40 per cent rated password management as “extremely important” to achieving compliance while a further third per cent felt it was “moderately important”.
Password Overload Creating Frustration and Security Vulnerabilities
The survey conducted on behalf of RSA demonstrates that end users are overwhelmed by the number of passwords necessary to access business applications, websites and portals. This, in turn, is leading to risky behaviours:
• Passwords Required versus Passwords Remembered: Over 34 percent of respondents do not have a password policy, while almost half manage passwords of between 8 and 14 characters in length, with a combination of letters, numbers and/or symbols.
Over 15 percent said that they manage more than 15 passwords to access their own applications at work, but only five percent can easily remember that many. This is a clear disconnect that will almost inevitably prompt users to turn to potentially insecure coping mechanisms.
• Continued Frustration with Managing Passwords: The majority (82 percent) of end users are frustrated with managing passwords at work. Globally, 12 percent find it “extremely frustrating” – in the U.S., 15 percent answered in this manner, while only nine percent did so in Europe.
• Unsafe Password Tracking Practices: Most respondents in the Middle East with jobs related to corporate password management know of employees tracking passwords in an unsafe manner:
- Fourteen percent have seen employees keep paper password records at work
- Thirteen percent are aware of employees keeping electronic password records (e.g., in a spreadsheet)
- Nineteen percent know of employees tracking passwords in a PDA or handheld device
- Fifteen percent have seen employees track passwords with Post-It notes or other scraps of paper affixed to their computer.
Passwords’ Impact on the IT Help Desk
The survey shows that password-related support requests add significant workload to the IT help desk. One-fifth of respondents say that password-related calls constitute 26-50 percent of help desk requests; one-third say that between 11 and 25 percent of help desk calls are password-related. Generally, larger companies are more burdened by password-related help desk calls than smaller organizations.
Easing the Password Management Burden
As part of a global survey, RSA also asked respondents whether it would be helpful to have a “master password,” replacing all other passwords at work. Fifty-six percent of those surveyed said a master password would be “extremely helpful.” However, the vast majority – 81 percent – also believes that it would be “extremely important” to provide an added layer of protection for a master password. This is a significant increase from 2005, when 55 percent of respondents said an added layer of protection would be “very important.”
Survey Description and Methodology
The RSA password management survey was conducted at Gitex between November 18 and 20, 2006. The study polled 135 respondents attending the Gitex show.
Monday, November 27, 2006 @ 11:03 UAE local time (GMT+4)
Replication or redistribution in whole or in part is expressly prohibited without the prior written consent of Mediaquest FZ LLC.