If the assertion in an IBM press release reflects reality, a full 40% of computer users take password-based security about as seriously as they would
the Secret Decoder Magic Game card I found last weekend tucked inside a bag of Cracker Jack.
In recognition of Computer Security Day on Nov. 30, IBM offered "Ten Tips to Aid Online Security," No. 6 of which included this preface: "Did you know that 40% of all computer users use the word 'password' as their password?"
Uh, no, I didn't know . . . and I don't believe it either. That people are untrained, uninformed, willfully ignorant and/or
irresponsible is beyond dispute. That four of every 10 users are that untrained, uninformed, ignorant and/or irresponsible is beyond belief.
My requests to IBM for an explanation - or at least a source for that number - produced neither. Not being an expert myself
and having no knowledge of anyone's passwords save my own - none of which are "password," by the way - I turned to Joel Snyder, a Network World Lab Alliance member and senior partner at Opus One.
What does Snyder think of that "40% use password" contention?
"Oh, that's got to be crap," he says, proving once again that the man's next minced word will be his first. "Maybe, if the
default password is 'password' and everyone gets the default, 40% of people don't change it. But that's the help desk's problem,
right? In addition, every system built in the last decade has dictionary checks to be sure that people don't use words in
the dictionary for their passwords."
When Snyder gets on a roll, woe be to thee who gets in the way.
"I cannot imagine except in the most mis-run of companies with the most obsolete equipment and the most poorly driven policies
that even 1% use the word 'password,'" he continues. "At our company, it's not even possible - the system won't accept it."
None of which is to say that passwords aren't a massive headache for IT executives and end users alike, of course. The problem
has become so conspicuously severe that The Wall Street Journal featured a front-page article Dec. 9 on password management - and mismanagement. The gist of the story was that corporate
strategies for dealing with the regulatory demands of Sarbanes-Oxley and the like are driving IT shops to impose more stringent
password rules, including mandatory password changes as frequently as once a month.
Comments (1)
passwords
By kels on February 2, 2009, 7:39 am
Koool !!!