Trying to remember new passwords isn't as easy as ABC123

But writing them down and picking simple ones leave computer users vulnerable

Published: Sunday, Dec. 19 2004 12:00 a.m. MST

Before she begins work each morning, Kate Prior must enter eight computer passwords. Each must contain at least eight characters, and most require letters and numbers. Every three months, she must change them all.

How does the 28-year-old monitor of drug trials remember her passwords? Easy: They're written on a blue Post-It note affixed to her computer.

Prior knows that her display threatens to undermine the very security that passwords are supposed to promote. "The IT people yell at me," she says, referring to her company's information-technology staff. But she prefers the occasional scolding to the alternative: forgetting a password, guessing incorrectly three times, and then having to call for help.

Security experts have long recommended that computer users choose hard-to-break passwords and change them frequently in order to frustrate hackers. Now, those recommendations are being newly forced on millions of U.S. workers in the name of preventing financial fraud under the Sarbanes-Oxley corporate-reform act.

The law, enacted in 2002 in the wake of accounting scandals at Enron Corp. and elsewhere, created an oversight body for audit firms, stiffened penalties for fraud, and required auditors to certify that firms have adopted adequate "internal controls" to prevent fraud.

No matter that Sarbanes-Oxley doesn't actually require changing passwords: In the name of those "internal controls," auditors and consultants are prodding companies to require that employees pick tougher passwords, and change them more frequently.

But the zeal for impenetrable computer systems rubs up against the limits of human systems. To cope with repeated changes to multiple passwords, many users adopt strategies that actually thwart security.

Roughly three-fourths of computer users memorize their passwords, according to a study done for the computer-security concern Symantec Corp. But memorizing several wholly new passwords is mind-numbing, so some employees make only trivial changes to old passwords — adding the numeral "1" to the original string, for example. That tactic, security experts say, doesn't make a new password any more difficult to crack than the old one was.
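The point in the paragraph above is that a rotation policy which accepts "OldPassword1" as a replacement for "OldPassword" buys nothing. The defensive counterpart is a password-change check that rejects trivial variants of the previous password instead of only enforcing length and character classes. The following is an added example written for this page, not code from the article or from any company it describes; the function names, the use of the article's "eight characters, letters and numbers" rule as defaults, the edit-distance threshold of 2, and all sample passwords are assumptions constructed for illustration.

```python
import re


def _stem(pw: str) -> str:
    """Lower-case the password and strip any trailing digits or symbols.

    'Lakeshore7', 'lakeshore8!' and 'LAKESHORE2005' all reduce to 'lakeshore',
    which is exactly the family of 'bump the number on the end' changes the
    article says do not make a password harder to crack.
    """
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str, max_distance: int = 2) -> bool:
    """True when `new` is a cosmetic rewrite of `old` rather than a new secret.

    Three checks, all case-insensitive:
      1. same stem once trailing digits/symbols are removed ('Winter7' -> 'Winter8'),
      2. one password is the other with something bolted on the end,
      3. only a couple of characters changed anywhere (edit distance <= max_distance).
    """
    o, n = old.lower(), new.lower()
    if o == n:
        return True
    so, sn = _stem(o), _stem(n)
    if so and so == sn:          # guard: an all-digit password has an empty stem
        return True
    if n.startswith(o) or o.startswith(n):
        return True
    return edit_distance(o, n) <= max_distance


def check_rotation(new: str, previous: list[str], min_len: int = 8) -> list[str]:
    """Return the list of policy violations for a proposed new password.

    An empty list means the change is acceptable. `previous` is the user's
    password history (most recent first); every entry is compared, so a user
    cannot alternate between two old favourites either.
    """
    problems = []
    if len(new) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not (re.search(r"[A-Za-z]", new) and re.search(r"\d", new)):
        problems.append("must contain both letters and digits")
    if any(is_trivial_variant(p, new) for p in previous):
        problems.append("trivial variant of a previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample history and candidate passwords (not real credentials).
    history = ["Lakeshore7", "Lakeshore6"]
    for candidate in ["Lakeshore71", "lakeshore8!", "Lakeshore7-2005", "Granite-Basin42"]:
        print(f"{candidate:18} -> {check_rotation(candidate, history) or 'OK'}")
```

Checks 1 and 2 are cheap and catch the common patterns; the edit-distance check is the safety net for a single swapped or inserted character. A threshold of 2 is a judgement call: raise it and users will complain that legitimate new passwords are rejected, lower it and more near-duplicates slip through. Whatever the threshold, the comparison has to run at change time against the plaintext of the old password (the user just typed it to authenticate), since stored hashes cannot be compared for similarity.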

Some break another security taboo, by writing down passwords. The Symantec study, done earlier this year before password-change requirements had been imposed at many companies, found that 16 percent of users write passwords in a notebook, hand-held computer or on sticky notes.
