Maintaining the security of information systems and associated data resources is vital if an organisation is to minimise losses. Access controls are the first line of defence in this process. The primary function of access controls is to restrict the use of information systems and resources to authorised users. Password-based systems remain the predominant method of user authentication despite the many sophisticated and viable security alternatives that have emerged from research and development. However, evidence suggests that passwords as a means of authentication is often compromised by poor security practices. This paper presents the results of a survey that examines user practice in creating and using password keys and reports the findings on user password composition and security practices for e-mail accounts. Despite a greater awareness of security issues, the results show that an improvement in user password management practice is required.