You don't have to be clever to crack the computer security of most British companies: all you have to do is stand on Waterloo station handing out cheap pens. In a recent survey into office scruples, 95% of male and 85% of female office workers were happy to tell a stranger their password.
A trivial amount of what hackers call "social engineering" would no doubt have secured most of the rest. There was, for example, the chief executive who said: "I will not give you my password, it could compromise my company's information." He later said that his password was his daughter's name, and his daughter's name was Tasmin.
Almost half the password-using populace don't present such a difficult challenge. They either use their own name (16%), the name of their favourite football team (11%), or their date of birth (8%). And the most common password of all is password (12%).
According to the survey, which was undertaken to promote the Infosecurity Europe 2003 exhibition at Olympia in London, two-thirds of workers have told a colleague their password. One lady said: "We all use the same password so we can remind each other if we forget, or we need to get into someone's PC when they are on holiday." This could perhaps be considered an improvement on the traditional approach, which is to write the password on a Post-it note and stick it on the monitor. (Only the very security conscious put the note under the keyboard or in the top left drawer.)
Two things should happen. First, companies should exert more control over the words used as passwords. Second, users should be educated to choose better passwords, and then keep them secret.
The simplest ways to increase password security are to make passwords longer, and to require both letters and numbers and/or special characters (!+& * etc). Enforcing the use of mixed-character passwords prevents stupidities such as marchpw, aprilpw, maypw, etc. It also blunts dictionary attacks, though only partly: cracking tools try every dictionary word with a digit or symbol tacked on the end, so password1 or spurs! are little safer than the bare words.
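The policy described above, as an added worked example (not part of the original column): a checker that enforces the length and mixed-character rules and, because the mixed-character rule alone still accepts password1, also strips the trivial suffixes crackers try first and looks the remainder up in a dictionary. The word list is a constructed stand-in for a real cracking dictionary, and the mangling rules are an illustrative assumption.

```python
import re

# Constructed, deliberately tiny word list standing in for a real cracking
# dictionary (assumption for the example).
DICTIONARY = {
    "password", "admin", "guest", "spurs", "tasmin", "march", "april", "may",
    "gold", "tops", "eyes", "soul", "page", "girl", "salt", "sale", "arsenal",
}
MIN_LENGTH = 9


def has_mixed_classes(pw):
    """The column's rule: letters plus at least one digit or special character."""
    has_letter = any(c.isalpha() for c in pw)
    has_other = any(not c.isalpha() for c in pw)
    return has_letter and has_other


def dictionary_base(pw):
    """Return the dictionary word a password is built on, after the kind of
    mangling rules a cracker applies first: lower-case it, strip up to three
    trailing digits/symbols, strip a trailing 'pw' (assumed rule set).
    Returns None if no dictionary word is left."""
    core = pw.lower()
    core = re.sub(r"[^a-z]{1,3}$", "", core)
    core = re.sub(r"pw$", "", core)
    return core if core in DICTIONARY else None


def check_password(pw):
    """Return the list of reasons a password fails; an empty list means accepted."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if not has_mixed_classes(pw):
        reasons.append("single character class")
    base = dictionary_base(pw)
    if base is not None:
        reasons.append(f"dictionary word '{base}' with trivial mangling")
    return reasons


if __name__ == "__main__":
    for candidate in ["marchpw", "Password1!", "spurs", "eYes2sOul"]:
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate:12} {', '.join(verdict)}")
```

Password1! satisfies the length and mixed-character rules yet is rejected, which is the point of the dictionary step: the character-class rule on its own tells you nothing about how guessable the base word is.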
If you want a false sense of security, you can make everybody use a long unguessable machine-generated password such as yi9DKf7cnAk9&nvL. This guarantees users will write it down in numerous places, including diaries, wallets and notebooks that are easily lost.
But it is possible to get people to think up their own, memorable passwords, if you give them a template to work from. For example, I used to use a system of nine-character passwords based on two four-letter words linked by a number. Examples could include gold1tops, eyes2soul, page3girl, salt4sale and so on. If the system is case-sensitive and users are made to mix capitals in, so that eYes2sOul rather than eyes2soul is required, each letter doubles the number of combinations an attacker must try, and these can be difficult to crack.
It would obviously be dangerous to have the same format used by thousands of staff, but it's not hard to come up with a dozen ideas and give them to different groups. And if the resulting passwords are less than perfect, they will still be a big improvement on Tasmin, admin, guest, spurs and password.
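To put a figure on "difficult to crack" and on the caution in the last paragraph about a widely shared format, here is an added example (not from the original column) that generates passwords from the two-words-and-a-digit template with a proper random source and works out how many bits of entropy the template gives against an attacker who knows it, with and without mixed case, next to the machine-generated style of password. The eight-word list is a constructed stand-in; the wordlist_size parameter is what drives the numbers, and 2000 common four-letter words is an assumption.

```python
import math
import secrets

# Constructed, tiny stand-in for the four-letter-word list a user would draw
# from (assumption); a realistic list has a few thousand entries.
FOUR_LETTER_WORDS = ["gold", "tops", "eyes", "soul", "page", "girl", "salt", "sale"]


def template_password(words, randomise_case=False):
    """Build one word<digit>word password from the column's template.
    secrets is used rather than random so the choice is unpredictable."""
    pw = secrets.choice(words) + str(secrets.randbelow(10)) + secrets.choice(words)
    if randomise_case:
        pw = "".join(c.upper() if secrets.randbits(1) else c for c in pw)
    return pw


def template_bits(wordlist_size, randomise_case=False):
    """Entropy in bits of the template against an attacker who knows it:
    two independent word choices, one digit, and optionally a case flip on
    each of the eight letters."""
    bits = 2 * math.log2(wordlist_size) + math.log2(10)
    if randomise_case:
        bits += 8
    return bits


def random_bits(length, alphabet_size):
    """Entropy of a uniformly random password such as yi9DKf7cnAk9&nvL
    (16 characters over the 94 printable ASCII characters)."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits):
    """Expected guesses to hit the password: half the keyspace."""
    return 2 ** bits / 2


if __name__ == "__main__":
    print("sample:", template_password(FOUR_LETTER_WORDS))
    print("sample, mixed case:", template_password(FOUR_LETTER_WORDS, randomise_case=True))
    for label, bits in [
        ("template, known, 2000 words", template_bits(2000)),
        ("template, known, mixed case", template_bits(2000, randomise_case=True)),
        ("16 random printable chars", random_bits(16, 94)),
    ]:
        print(f"{label:30} {bits:6.1f} bits, ~{expected_guesses(bits):.2e} guesses")
```

Against an attacker who has learned the template, the plain version is about 25 bits and the mixed-case version about 33 bits; the machine-generated password is over 100. That gap is why the same format should not be handed to thousands of staff, and why the template only buys its memorability while the format stays unknown to outsiders.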