Employee Password Behavior
Considering that 47 percent of the total respondents have between five and ten passwords to access business applications, the likelihood of employees either writing down or forgetting a password, because of its length or complexity or because passwords change so frequently, sharply increases. In Germany, there is a five percent increase in the number of employees using nine or more passwords, up to 18 percent. In the worst-case scenario using the results above, an employee might have 10 passwords, of eight or more characters, that change at least seven times a year. Roberta Witty, a vice president of research at Gartner, was quoted as stating the average user has 15 IDs and passwords, all expiring at different times.
When asked directly if they had ever shared a password, all respondents reflected an overall dramatic swing of the pendulum, with six percent more saying they have never shared a password, up to 65 percent; and six percent fewer saying they have, down to 35 percent. There was a two percent increase, moving from eight percent to 10 percent, in the number of people claiming to always write their password down because it is too complicated to remember.
There are some dramatic shifts in Europe. It would seem that German employees are most sensitive to password security. Employees showed improvement in all categories. In 2003, 16 percent of employees wrote passwords down two to three times, whereas in 2004 that figure dropped to nine percent. Two percent fewer wrote passwords down once, and there was the same percentage decrease among those who wrote their password down more than five times. At the same time, seven percent more employees said they never write their passwords down, moving from 62 percent to 69 percent.
France and the UK are moving in the opposite direction. In France, there is a two percent increase in employees who write their password down two to three times, a three percent increase in four to five times, and a three percent decrease in those who say they never write their password down. Among British employees, there is a three percent increase in the number who write their password down two to three times, a one percent increase in four to five times, a three percent increase in those who always write their password down, and a three percent decrease in those who say they never write their password down. Security is further at risk in the UK considering employees there showed the greatest increase in the number of applications they access with these passwords: a six percent increase, up to 32 percent of employees, access nine or more applications.
While respondents in the U.S. showed a three percent increase in the number who never share a password, France has a nine percent increase, Germany an eight percent increase, and the UK a 12 percent increase.
When asked whether employees had to have their password re-set because they forgot or misplaced it, nine percent of employees said they had passwords re-set three to four times, and three percent said five to six times. In 2003, 56 percent responded that they never have had a password reset, and in 2004, 53 percent said they had not.
Employees in the UK increasingly forget their passwords or have their passwords reset. Six percent more employees in 2004 have passwords reset between one and six times a year, and six percent fewer say they never need to have their passwords reset.
The result for organizational information security
This survey indicates that organizations still face some serious security issues. Based on the statistics, in an organization of 1000 people, 500 people would write their passwords down and 350 people would share their passwords. Forty-seven percent, or 470 employees, would have passwords reset at least once a year. At an estimated cost of US$30-$50 per password reset, the company could spend a minimum of US$15,000.
SafeNet conducted this seven-question e-mail survey in December 2004, polling the same 67,000 individuals in the United States, Germany, France and the United Kingdom as in its initial survey. The company had a four percent response rate.