Your users have a total of 3-6 different logins and/or places to log in. Knowing that keeping all eggs in one basket means making an omelet on the sidewalk rather than in a proper skillet, you institute a system with a different username for each one and password complexity requirements that encourage different passwords for each. This means that, should a clever phisher find a person’s email password, they do not have access to the financial records or students’ grades.
However, the user doesn’t really care about security. They have work to do, and deadlines, and simply want to get to it. So, rather than sit for an hour or two a day trying to figure out how to log in to the myriad resources they need to do their job, they write the information down on a Post-It note for easy reference. And because they don’t want to spend another hour trying to find the note, they stick it to their monitor, or the underside of their keyboard.
Which sort of defeats the purpose, I suppose. Which is more secure: A single username with a complex password that gives access to everything for that user, or a bunch of accounts and passwords? Both have pros and cons, and I tend to advocate a method of multiple usernames/passwords, but all stored in an encrypted file behind a single username/password. This way, you only have to remember the one ID, but have multiples for all the other resources.
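The "many credentials in one encrypted file behind a single master password" arrangement described above, as an added Python example that is not part of the original post. The credentials are constructed sample data, and the scheme itself is an assumption about how such a file could be built using only the standard library: PBKDF2 stretches the master password with a random salt into separate encryption and MAC keys, the credential list is encrypted with an HMAC-SHA256 counter-mode keystream, and an encrypt-then-MAC tag makes a wrong master password or a tampered file fail cleanly instead of yielding garbage. A real deployment would use an AEAD cipher from a vetted library and a memory-hard KDF; the point here is the shape of the design, where the one password the user must remember never touches the individual site passwords directly.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

# Constructed sample vault: a distinct user name and password per resource,
# so losing one site's password does not expose the others.
SAMPLE_VAULT = {
    "email": {"user": "jdoe", "password": "Tq7!vR2m"},
    "finance": {"user": "j.doe-fin", "password": "Lx9#pW4s"},
    "grades": {"user": "jdoe_sis", "password": "Hn3$kZ8q"},
}

SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ROUNDS = 100_000  # illustrative; production tuning would be higher


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the master password into two independent 32-byte keys
    (one for encryption, one for the integrity tag)."""
    km = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ROUNDS, dklen=64
    )
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 as the PRF."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(vault: dict, master_password: str) -> bytes:
    """Serialize, encrypt and authenticate the vault. Layout:
    salt || nonce || ciphertext || tag."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(vault, sort_keys=True).encode("utf-8")
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    # Encrypt-then-MAC over everything the reader will trust.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_vault(blob: bytes, master_password: str) -> Optional[dict]:
    """Return the vault, or None when the master password is wrong or the
    file has been altered. The tag is checked before any decryption."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, stream))
    return json.loads(plaintext.decode("utf-8"))


def lookup(blob: bytes, master_password: str, resource: str) -> Optional[dict]:
    """Fetch one resource's credentials: the user remembers the master
    password, the vault remembers everything else."""
    vault = open_vault(blob, master_password)
    if vault is None:
        return None
    return vault.get(resource)


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed master password
    sealed = seal_vault(SAMPLE_VAULT, master)
    print("finance login:", lookup(sealed, master, "finance"))
    print("wrong master password:", open_vault(sealed, "guess"))
```

Each call to `seal_vault` draws a fresh salt and nonce, so two files sealed with the same master password look unrelated on disk, and `open_vault` refuses to decrypt anything whose tag does not verify, which covers both a wrong password and a file edited after the fact.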
And the best way to keep that single username/password secure would be, first, to never write it down. But I’m intrigued by the potential of biometrics for securing all the other keys. I don’t know what the best answer is, so I’m glad we have some security consultants coming in to take a look at these kinds of issues and make informed recommendations on them. I know what works for me, but I value security over usability; I don’t care if it’s a bit harder to do my job, as long as it’s more secure. Most people probably don’t fall into that category, though.