IT users in password hell

Heavy users of technology now employ nearly two dozen passwords to gain access to various IT systems and Web sites--but are compromising security by writing them down.

The 2002 NTA Monitor Password Survey found that the typical intensive IT user now has 21 passwords, and has two strategies to cope, neither of which is advisable from a security standpoint: they either use common words as passwords or keep written records of them.

The survey found that some of these heavy users maintain up to 70 passwords. Forty-nine percent write their passwords down, or store them in a file on their PC.

The research shows that 84 percent of computer users consider memorability the most important attribute of a password, with 81 percent selecting a common word as a result.

Furthermore, 67 percent of the entire universe of users polled by NTA Monitor rarely or never change their passwords, and 22 percent said they would only ever change one if forced to do so.

One respondent said: "Memorability is more important as I assume it's secure. I remember passwords I've selected but if I've been assigned one I can't change I write it down on a 'post it' and stick it to my docking station."

Roy Hills, technical director, NTA Monitor, said: "Users are effectively leaving their keys in the front door of their computer systems. A disciplined security approach must start with the user. As an industry, we need to help users address this issue.

"The fundamental problem is that users are forced to manage and maintain so many user names and passwords that they are inevitably using common phrases, or resort to writing passwords down."

He added: "The IT industry is simply not taking it seriously enough--losing a laptop, for example, with strictly confidential merger and acquisition documents on the hard disk is one thing but if it's got a 'post it' note with the password stuck to it you've only got yourself to blame."

NTA Monitor surveyed 500 computer users at Victoria Station, London over a week-long period in November 2002.


Talkback 3 comments

    You never need more than three ... Anonymous -- 12/12/02

    You never need more than three passwords.

    Your PGP passphrase, your SSH private key passphrase, and your login to your main workstation/laptop/whatever.

    I use PGP to encrypt rarely-used passwords in a set of files on my PC and ssh RSA authentication to access remote hosts without having to have separate passwords for them.

    Don't have PGP?
    http://www.pgpi.org/
    http://gnupg.org/

    What about ssh? Well, Linux users already have it, otherwise try PuTTY (Windows) or look at openssh.org and ssh.com.

    If you only have a couple of passwords, you're quite safe to make them 12 characters of gibberish - or even better, a mangled memorable phrase. One of the few acceptable uses of l33t :-)

    I'd R3ALLY l0ve +0 kill the us-munky.

    Let's see a dictionary attack work on that one.

    Re Passwords, Every site which ... Anonymous -- 16/01/03

    Re Passwords, Every site which requires a password, user name etc should provide facilities to change them at a later date and then most people would be able to remember them as it would be of their own choosing rather than being rushed and adding numerals or letters to their existing words.

    I know of an excellent product ... Linda Smith -- 10/04/03

    I know of an excellent product that will help. It stores passwords, usernames, and urls in one secure location. It is called passwordlocker. You can download a trial version or purchase software at passwordlocker.com. You will love this!!!
