Passwords are the weak link in IT security

Passwords aren't working, and replacement technologies haven't caught on. Why can't we develop a simple way to secure our data?

Page 2 of 4

It's a problem with old roots. Security expert Larry Ponemon of the Ponemon Institute worked on a project some 15 years ago for a government agency that required users to create 15-character passwords and update them every 30 days.

"If you forgot your password, you had to go to a tyrant at the help desk who would call you incompetent before he'd reset your password," Ponemon remembers. "When I walked through the office, I saw that all these employees working on highly confidential documents had written their passwords on Post-it notes because they didn't want to deal with the tyrant."

At Case Western Reserve University in Cleveland, CISO Tom Siu has seen it all: professors giving passwords to teaching assistants and TAs sharing them with peers. Siu recently traced an unauthorized software download to the ex-boyfriend of a former student.

As our lives proliferate online, the sheer number of passwords that any one person is required to use becomes a problem. The Ponemon Institute conducted a study several years ago to determine how many passwords people could remember. For most people, it was one or two; some could manage three.

"That means you have a top-secret password for your bank," plus one other password "for everything else," says Ponemon. "If someone steals [the latter], they can probably get other challenge and verification information, like the name of your first-grade teacher."

And, despite IT's best efforts, users continue to fall for phishing attacks. "When we educate people about phishing, the number of people who fall for it goes down," says Jonathan Feldman, director of IT services for the city of Asheville, N.C. "But it never goes down to zero."

And then there are hackers. When a site's credential database is breached, strong passwords are taken along with the weak ones, as multiple high-profile cases have shown.

All of which makes a strong case for a Plan B.

Short-term Solutions: SSO and LDAP

In the short term, Plan B for many IT executives is single sign-on (SSO) technology or the Lightweight Directory Access Protocol (LDAP).

Single sign-on, as its name implies, lets users authenticate once and then carries that authenticated session to multiple systems, so the user is not prompted again at each one. LDAP is the directory protocol, carried over TCP/IP, through which Microsoft's Active Directory answers authentication requests; an application that checks its users against the directory over LDAP verifies the password the directory already holds instead of keeping a password store of its own.

Forrester's Maler notes that one of the big advantages of single sign-on is that it eliminates the need to have multiple systems storing multiple passwords. Ponemon concurs, citing a recent SSO deployment at a healthcare provider where practitioners were complaining about how they had to type in their password every time they moved to a different system. "The SSO system created both efficiency and greater security, because it had built-in safety checks to avoid giving access to the wrong person."
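The LDAP arrangement above, where an application hands the user's directory password to the directory and trusts the answer, has two properties a practitioner should see on the wire before trusting it. The following is an added example, not code from the article or from any product it mentions: it encodes an LDAPv3 simple bind by hand (RFC 4511, BER per X.690), and answers it with a constructed in-memory stand-in for the directory. The directory entries, DNs and passwords are made up for the example; the behaviour of the stand-in on an empty password follows what RFC 4513 section 5.1.2 permits a real server to do, which is why the application-side guard exists.

```python
# Added example (not from the article): an LDAPv3 simple bind encoded by hand
# per RFC 4511/X.690, plus a constructed in-memory "directory" that answers it.

SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
APP_BIND_REQUEST, APP_BIND_RESPONSE, CTX_SIMPLE = 0x60, 0x61, 0x80
SUCCESS, AUTH_METHOD_NOT_SUPPORTED, INVALID_CREDENTIALS = 0, 7, 49

# Constructed sample directory: DN -> password (a real server stores a hash).
DIRECTORY = {"cn=alice,dc=example,dc=com": "correct horse battery"}


def ber_len(n: int) -> bytes:
    """X.690 length octets: short form below 128, long form at or above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(tag: int, value: int) -> bytes:
    """Non-negative INTEGER/ENUMERATED, with a leading 0x00 if the top bit is set."""
    return tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position just after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def encode_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.
    The password is a plain OCTET STRING: without TLS/LDAPS it crosses the network in clear."""
    bind = tlv(APP_BIND_REQUEST,
               ber_int(INTEGER, 3)
               + tlv(OCTET_STRING, dn.encode())
               + tlv(CTX_SIMPLE, password.encode()))
    return tlv(SEQUENCE, ber_int(INTEGER, message_id) + bind)


def parse_bind_response(msg: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse."""
    tag, body, _ = read_tlv(msg)
    assert tag == SEQUENCE
    _, mid, pos = read_tlv(body)
    tag, op, _ = read_tlv(body, pos)
    assert tag == APP_BIND_RESPONSE
    _, code, pos = read_tlv(op)
    _, _matched_dn, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode()


def directory_server(msg: bytes, allow_unauthenticated: bool = True) -> bytes:
    """Constructed stand-in for the directory. With allow_unauthenticated it does what
    RFC 4513 5.1.2 permits: a DN plus an empty password binds as nobody, and succeeds."""
    _, body, _ = read_tlv(msg)
    _, mid, pos = read_tlv(body)
    _, op, _ = read_tlv(body, pos)
    _, _version, pos = read_tlv(op)
    _, dn, pos = read_tlv(op, pos)
    auth_tag, cred, _ = read_tlv(op, pos)
    dn, password = dn.decode(), cred.decode()
    if auth_tag != CTX_SIMPLE:
        code, diag = AUTH_METHOD_NOT_SUPPORTED, "only simple bind is modelled here"
    elif password == "" and allow_unauthenticated:
        code, diag = SUCCESS, "unauthenticated bind: no credential was checked"
    elif DIRECTORY.get(dn) == password:
        code, diag = SUCCESS, ""
    else:
        code, diag = INVALID_CREDENTIALS, ""
    result = ber_int(ENUMERATED, code) + tlv(OCTET_STRING, b"") + tlv(OCTET_STRING, diag.encode())
    return tlv(SEQUENCE, ber_int(INTEGER, int.from_bytes(mid, "big")) + tlv(APP_BIND_RESPONSE, result))


def authenticate(dn: str, password: str, send=directory_server, message_id: int = 1) -> bool:
    """Application-side check. The empty-password guard is the important line: without it a
    blank login form becomes a successful anonymous bind and the user is let in."""
    if not password:
        return False
    mid, code, _ = parse_bind_response(send(encode_bind_request(message_id, dn, password)))
    return mid == message_id and code == SUCCESS
```

Two things fall out of running this. First, `b"secret" in encode_bind_request(1, dn, "secret")` is true: a simple bind is the password itself, so the application-to-directory leg must be LDAPS or StartTLS, or the "one password for everything" the article describes is exposed on every hop. Second, feeding an empty password straight to `directory_server` returns `SUCCESS` with a diagnostic saying nothing was checked; `authenticate` refuses before sending, and a directory that disables unauthenticated binds (`allow_unauthenticated=False` here) answers `invalidCredentials` (49) instead. A production application should use a maintained LDAP library rather than this hand-rolled encoder, but it still needs both the transport protection and the empty-password guard.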
