Computer gatekeepers: password selection may be inadequate protection.

• Author: Marks, Susan J.

Don't bet on simple passwords as adequate protection for the data on your company's computers or for data filed in someone else's system. More than 70 percent of office workers say that they would trade their password to the office computer for a chocolate bar! That's according to an April survey of workers in Liverpool, England, done in conjunction with Infosecurity Europe 2004.

More tidbits from that Infosecurity survey:

* Two-thirds of workers say they use the same password for company computer access as for personal services like online banking.

* Some workers use the same passwords as fellow employees or post passwords on the bulletin board to make remembering them easier.

"Our password changes daily," one financial call-center worker told researchers, "but I do not have a problem remembering it as it is written on the board so that everyone can see it ... although I think they rub it off before the cleaners arrive."

With security issues like these at the forefront of the debate over Internet privacy and homeland security--and a workforce with such a penchant for sweets--businesses today may want to consider alternative or additional ways to protect sensitive information on their computer networks.

Results of the Infosecurity survey don't surprise security experts. Passwords that don't change always have been a major problem from a security point of view, says Ed Glover, Menlo Park, Calif.-based director of Sun Microsystems Inc.'s Security Expertise Center, Client Services. People pass out passwords and trade them for things all the time.

Workers just don't understand that a password is as important as a PIN number, says Glover. "Would I give out my PIN number? No!"

Passwords are the most ubiquitous form of authentication, yet they also are by far the weakest, adds Todd Ulrich, director of product management at Bedford, Mass.-based RSA Security Inc., a major provider of identity and access-management tools to thousands of companies, including many in Colorado. Businesses and governments are realizing the weakness of passwords, too, Ulrich says. He cites the growing worldwide prevalence of government regulations that require stronger security measures to protect sensitive data. In the U.S. new laws protect both health-care and financial information.

Many companies are using stronger "authentication" processes to deal with the problem, says Roberta J. Witty, research vice president of identity and access management and business...