If the assertion in an IBM press release reflects reality, a full 40% of computer users take password-based security about as seriously as they would the Secret Decoder Magic Game card I found last weekend tucked inside a bag of Cracker Jack.
In recognition of Computer Security Day on Nov. 30, IBM offered "Ten Tips to Aid Online Security," No. 6 of which included this preface: "Did you know that 40% of all computer users use the word 'password' as their password?"
Uh, no, I didn't know . . . and I don't believe it either. That people are untrained, uninformed, willfully ignorant and/or irresponsible is beyond dispute. That four of every 10 users are that untrained, uninformed, ignorant and/or irresponsible is beyond belief.
My requests to IBM for an explanation - or at least a source for that number - produced neither. Not being an expert myself and having no knowledge of anyone's passwords save my own - none of which are "password," by the way - I turned to Joel Snyder, a Network World Lab Alliance member and senior partner at Opus One.
What does Snyder think of that "40% use password" contention?
"Oh, that's got to be crap," he says, proving once again that the man's next minced word will be his first. "Maybe, if the default password is 'password' and everyone gets the default, 40% of people don't change it. But that's the help desk's problem, right? In addition, every system built in the last decade has dictionary checks to be sure that people don't use words in the dictionary for their passwords."
When Snyder gets on a roll, woe be to thee who gets in the way.
"I cannot imagine except in the most mis-run of companies with the most obsolete equipment and the most poorly driven policies that even 1% use the word 'password,'" he continues. "At our company, it's not even possible - the system won't accept it."
None of which is to say that passwords aren't a massive headache for IT executives and end users alike, of course. The problem has become so conspicuously severe that The Wall Street Journal featured a front-page article Dec. 9 on password management - and mismanagement. The gist of the story was that corporate strategies for dealing with the regulatory demands of Sarbanes-Oxley and the like are driving IT shops to impose more stringent password rules, including mandatory password changes as frequently as once a month.
One can safely assume that few of these companies are abiding "password" as passwords.
Here are a few of the most recent developments bringing smiles to the faces of those who have developed and supported the Firefox open source Web browser: surpassing 11 million downloads; publishing a supporter-financed, double-page advertisement in last Thursday's New York Times - replete with 10,000 individual names; and learning that one survey, albeit disputed by Microsoft, shows Internet Explorer's market share dipping below 90%.
Then there was the news that IT officials at the University of Pennsylvania are advising students to consider alternative browsers such as Firefox in the name of mitigating the security vulnerabilities that come bundled with IE.