
Poor password practice putting users at risk

by Ian Williams

25 Feb 2009

Most people use the same passwords for all web sites that require authentication

Internet users are still unwilling to sacrifice convenience to safeguard their online details, despite the growing amount of online fraud and other types of cyber crime, according to recent research by analyst firm Gartner.

A survey of around 4,000 online adults in the US found that awareness about the risks and general security concerns has improved, but that consumers continue to rely on service providers to protect their safety, and persist in using unsafe password management practices.

"Two-thirds of US consumers surveyed use the same one or two passwords for all web sites they access that require authentication," said Gregg Kreizman, research director at Gartner.

"Most US consumers want to continue managing their passwords the same way they do now. They don't favour using software or hardware to help manage passwords, and user-centric identity frameworks such as OpenID and information card architectures face scarce consumer demand."

Gartner's report, "Consumers Don't Want to Change the Ways They Manage Online Passwords", focused on US internet use, but many of the findings are consistent with usage patterns of consumers in the UK and other countries, the firm said. The results highlight the tough decisions faced by web site owners who want to help ensure the safety of their visitors' information, without driving them away with overly complex authentication procedures.

"The survey findings confirm our belief that there is a limited business for identity providers to manage general purpose consumer identities and passwords used to access sites across multiple business contexts, such as financial services, government and healthcare," said Avivah Litan, vice president and distinguished analyst at Gartner.

"Instead, it is more likely that these providers will have some success managing identities for limited use on multiple sites within a specific business."

Gartner believes that service providers, as well as online product and service vendors, are in a prime position to help educate and incentivise their customers to adopt additional security measures.

The report also highlights the change in perception required for people to understand the advantages and practicality of routine and stronger authentication. With increasing amounts of personal information available online through social networking sites and other sources, many users are putting themselves at increased risk by using weak passwords based on known things such as the name of a child or partner.

"Businesses with consumer-facing web sites that require stronger controls than weak password authentication alone should continue to augment passwords with complementary mechanisms, such as device identification, geo-location and transaction verification," said Litan.

Many security firms are also trying to develop simple and non-intrusive ways to enhance security using methods such as two-factor authentication or biometrics.
