BALTIMORE -- SafeNet, Inc., setting the standard for information security, announced the results of its second annual global password survey.
Tony Caputo, SafeNet Chairman and CEO, said of the results, "This survey reinforces what we hear from customers about their information security concerns - that passwords alone do not provide sufficient security. That's why our USB token, smart card and other authentication products and solutions are in such demand."
"Whether employees are writing their passwords down, or frequently calling the internal help desk because they can't remember them, the organization can be at risk while experiencing loss of productivity. Technology today has solutions that are appropriate and affordable for every situation."
High Level Results:
-- Fifty percent of employees still write their passwords down
-- Over one-third of the respondents share their passwords
-- More than 80 percent have three or more passwords
-- Respondents use these passwords to access an increased number of applications: 67 percent access 5 or more; and another 31 percent access 9 or more
-- Forty-seven percent require their passwords reset at least once a year
The following is an analysis of 2004 results over 2003, with further breakout by geography.
Organizations' Security Policy
Of all surveyed, sixty-eight percent of organizations have enhanced their security policies by requiring either longer or more complicated passwords than a year ago. Companies requiring password changes three to four times a year increased by one percent, from 22 percent to 23 percent; from five to six times a year also increased by one percent, from 14 percent to 15 percent; while password changes seven or more times a year grew by three percent, from 27 percent to 30 percent. This indicates that a majority of organizations are more sensitive to security issues surrounding passwords.
Data specific to Europe reflects the same trends. France shows a four percent increase of employees required to change passwords five to six times a year, and a three percent decrease in employees who say they never have to change passwords. Germany has the largest change where five percent of employees must change passwords seven or more times, and also has three percent fewer employees never having to change a password. In the UK, there is a three percent increase changing passwords three to four times, a two percent increase with changes seven times or more, and a four percent decrease of employees never having to change a password.
The survey also indicates a growing trend toward more complicated passwords. This is measured in two ways - either passwords with more characters, or passwords containing alphanumeric composition. Interestingly, there was a decrease of four percent where employees are required to create passwords with six or more characters, but a three percent increase in passwords of eight characters or more, from 19 percent to 22 percent. There was also a two percent increase, 27 percent to 29 percent, of companies requiring alphanumeric passwords.
France and Germany show a one percent increase in the need for alphanumeric passwords; and a higher increase in France, Germany and the UK all requiring passwords of eight or more characters, with France leading the way with a five percent increase, up to 26 percent.
Employee Password Behavior
Considering that 47 percent of the total respondents have between five and ten passwords to access business applications, the likelihood of employees either writing down or forgetting a password because of its length or complexity, or the fact the passwords change so frequently, sharply increases. In Germany, there is a five percent increase in the number of employees using nine or more passwords, up to 18 percent. In the worst-case scenario using the results above, an employee might have 10 passwords, of eight or more characters, that change at least seven times a year. Roberta Witty, a vice president of research at Gartner, was quoted as stating the average user has 15 IDs and passwords, all expiring at different times.
When asked directly if they had ever shared a password, all respondents reflected an overall dramatic swing of the pendulum, with six percent more saying they have never shared a password, up to 65 percent; and six percent fewer saying they have, down to 35 percent. There was a two percent increase, moving from eight percent to 10 percent, in the number of people claiming to always write their password down because it is too complicated to remember.
There are some dramatic shifts in Europe. It would seem that German employees are most sensitive to password security. Employees showed improvement in all categories. In 2003, 16 percent of employees wrote passwords down two to three times, where in 2004 that percent dropped to nine percent. Two percent fewer wrote passwords down once, and there was the same percentage decrease among those who wrote their password down more than five times. At the same time, seven percent more employees said they never write their passwords down, moving from 62 percent to 69 percent.
France and the UK are moving in the opposite direction. In France, there is a two percent increase in employees who write their password down two to three times, a three percent increase in four to five times, and a three percent decrease in those who say they never write their password down. Among British employees, there is a three percent increase in the number who write their password down two to three times, a one percent increase in four to five times, a three percent increase in those who always write their password down, and a three percent decrease in those who say they never write their password down. Security is further at risk in the U.K., considering employees there showed the greatest increase in the number of applications they access with these passwords - a six percent increase, up to 32 percent of employees, access nine or more applications.
While respondents in the U.S. showed a three percent increase in the number who never share a password, France has a nine percent increase, Germany an eight percent increase, and the UK a 12 percent increase.
When asked whether employees had to have their password re-set because they forgot or misplaced it, nine percent of employees said they had passwords re-set three to four times, and three percent said five to six times. In 2003, 56 percent responded that they never have had a password reset, and in 2004, 53 percent said they had not.
Employees in the UK increasingly forget their passwords or have their passwords reset. Six percent more employees in 2004 have passwords reset between one and six times a year, and six percent fewer say they never need to have their passwords reset.
The result to organizational information security
This survey indicates that organizations still face some serious security issues. Based on the statistics, in an organization of 1000 people, 500 people would write their passwords down and 350 people would share their passwords. Forty-seven percent, or 470 employees, would have passwords reset at least once a year. At an estimated cost of US$30-$50 per password reset, the company could minimally spend US$15,000.
SafeNet conducted this seven-question e-mail survey in December 2004, polling the same 67,000 individuals in the United States, Germany, France and the United Kingdom as in its initial survey. The company had a four percent response rate.