It’s often said that a computer system’s security is only as good as its worst password; now, a new survey from Nucleus Research and KnowledgeStorm finds that it may be only as good as the most-legible sticky note plastered to a desk or monitor.
The study (PDF) surveyed the habits of 325 U.S. employees and found that roughly one in three enterprise computer users keep a written record of their passwords, potentially compromising the security of their companies’ computer networks. Passwords jotted on a sticky note—or stashed in a notebook, desk drawer, or other convenient location—are more vulnerable to theft or snooping than passwords that never exist in unencrypted form outside the computer. As cracking, IT security, and corporate theft concerns continue to escalate, stashed "plain text" passwords are a ripe area for security compromise.
Interestingly, the study found no clear correlation between the complexity of a password and a user’s likelihood of writing down a password. In other words, users were just as likely to want to write down simple, less-secure passwords as complex, difficult-to-crack ones. Some 54 percent of companies required users to select passwords which incorporated both letters and numbers; 38 percent required numbers, letters, and a special character, and only 8 percent allowed only letters in passwords.
Similarly, requiring users to change their passwords frequently didn’t seem to increase the chance that users would write down their passwords. Nor did implementation of single sign-on systems—where one password gives access to the entire range of enterprise resources—reduce the likelihood that users would write down passwords. Whether folks need one password to get their work done, or four different ones, about one in three is likely to write those passwords down somewhere.
Overall, the study recommends enterprises look beyond password-based security systems and towards technologies that are not as prone to the "sticky note compromise": fingerprint readers, other biometric systems (such as voice, face, or retina recognition), or even behavioral metrics that authenticate users without passwords.