Poor password policy management is leaving firms open to hacking attacks, a survey published today at Infosec Europe 2006 has warned.

Nearly two thirds of the 500 IT administrators who responded to the poll considered the passwords of their users to be inadequate, either using common dictionary words, names or other weak passwords.

Overall 86 per cent of users used one password for all their sites or a very limited pool of passwords. Over 40 per cent fall into the former category.

"It is madness to use the same password for your banking site as for your football supporters' page," said Graham Cluley, senior technology correspondent at Sophos, which carried out the survey.

"If someone is using key-logging software they could get complete access to all your confidential information. Mistakes like this can be very costly."

A weak password is defined as one that uses either dictionary words, which can easily be broken using a software-led brute force attack, or recognizable names.

A strong password uses a mixture of upper and lower case letters, numbers and punctuation characters.