A recent survey shows why corporate password policies are doing very little to stop employees from mishandling their passwords. It also finds most employees favor biometric security and that Apple’s new Face ID feature is widely trusted—even though almost no one has actually used it yet.

A new report by Israeli security firm Secret Double Octopus (SDO), whose password-free authentication technology was “originally developed to protect nuclear launch codes,” reveals that despite policies intended to protect passwords, a significant number of employees still admit to mishandling them, however anonymously.

Nearly 40 percent of government employees surveyed say they use paper notes to store passwords, while 14 percent admit to storing them digitally using a spreadsheet or document—a major security faux pas. About half as many employees are doing the same in the healthcare industry, the survey found. Roughly thirteen percent of financial sector employees use an application like Notepad to store their passwords, whereas 28 percent rely on paper notes, according to SDO, which polled 522 respondents at medium and large businesses with over 1,000 employees.

Overall, about 59 percent of employees said they rely on paper notes, documents, or Notepad-like applications to store work-related passwords. Unsurprisingly, it gets worse.

Fourteen percent of respondents said they share work-related passwords, while 21 percent admitted to reusing work passwords for other online services—another huge no-no. At least five percent said they are aware of having at one point entered a work-related password into a fraudulent form or web page. That figure rises to 11 percent in the IT industry. (Likely IT employees are simply more aware of their mistakes.)

Among employees who reused work passwords for online services—think Netflix or Gmail—the highest prevalence occurs in the banking industry (21 percent). Millennials are supposedly more likely to reuse work passwords (28 percent), according to SDO, while employees between the ages of 55 and 64 admitted to doing so less than 10 percent of the time.

Facial Recognition Highly Desired

Despite the 1984-esque privacy concerns raised over Face ID—the technology introduced in the new iPhone X, which no one yet owns—a plurality of employees claim it is the preferred authentication method. In terms of trustworthiness, Face ID is second only to Touch ID, which relies on fingerprint scanning as opposed to facial recognition; 86 percent prefer Touch ID over passwords, while 72 percent say Face ID is preferable.

The relative ease with which these technologies are used is a considerable factor. According to SDO, around 37 percent of employees are required to remember four or more passwords at work, and they’re asked to replace them at a minimum three times per year. Two-thirds of respondents admit they almost always forget to do so.

“Employees’ authentication method-of-choice often plays an important role in an organization’s overall security structure,” SDO says. “The more user-friendly and trustworthy a method is, the more likely it will be successfully adopted with little to no friction from users.”

For whatever reason, Face ID—which again, almost no one has actually tried—is considered significantly less “user-friendly” than Touch ID. But according to Apple, which recently disputed charges that it reduced Face ID accuracy to meet production demands, the technology is actually more secure.

Apple claims the iPhone X’s TrueDepth camera maps the unique contours of a user’s face using 30,000 infrared dots. And whereas there is a 1-in-50,000 chance of someone unlocking a stranger’s phone with their fingerprint, the chance of a false positive with Face ID is supposedly 1 in 1,000,000. Whether it lives up to the hype and remains relatively unhackable, we’ll have to wait and see.