Passwords are the weak link in IT security

Passwords aren't working, and replacement technologies haven't caught on. Why can't we develop a simple way to secure our data?

1 2 3 4 Page 3
Page 3 of 4

While acknowledging that neither SSO nor LDAP is perfect, Paul Capizzi, who recently left his post as vice president of IT at New York-based insurance firm SBLI USA, says they're better than the alternative. Capizzi says SBLI users generally manage up to a dozen passwords, and if they regularly call the help desk for password resets, that's a waste of time for everyone.

For that reason, most of SBLI's recent upgrades included adding LDAP and single sign-on support. "We'll never turn down the opportunity to use LDAP," he says. "We're always looking for ways to leverage that, because it increases users' performance."

One LDAP drawback: Many legacy systems can't support Active Directory, which means a separate password is still necessary for those systems.

"We still have a mixture of Windows-based applications and custom applications that were never designed to acknowledge the existence of AD," says a retail industry IT executive who asked that his name not be used. "Getting them to talk to each other is an investment of time and money, and it's not always our highest priority."

Feldman, meanwhile, points out that SSO has drawbacks of its own. "If your password gets compromised in one place, it's compromised everywhere," he says.

If an SSO system is breached by a phishing expedition, the hackers can then go to the website and try passwords to get to other parts of the system, he explains. Or they can start probing for an IP stack or a GRE (generic routing encapsulation). Instead of SSO, Feldman uses digital security certificates to limit the city's vulnerability.

Overall, SSO makes users' lives simpler and LDAP makes security administration easier. They're not perfect, sources agree, but together, they do provide some interim value.


Other highly touted security technologies continue to evolve, but at a pace that's too slow for most IT managers. And the newer technologies have flaws of their own.

For example, smart cards aren't widely deployed but are frequently used in highly secure installations. Earlier this year, however, the smart-card readers at the Department of Defense were breached by malware that sniffed the PINs on smart cards. "It was kind of like protecting a nuclear facility with a house key," says Maler.

Nor has biometrics taken off -- yet. The most extensive deployment of biometric technology is in fingerprint readers on Lenovo ThinkPads, which SBLI used for a while. It was a cool feature until the sensors got dirty and it started taking six swipes before the system recognized the user's fingerprint, according to Capizzi.

"Some people said it worked great, but others found it more annoying than typing in a password," he says, noting that the readers also made the laptops more expensive. "From a corporate perspective, I'm not sure biometrics is there yet."

1 2 3 4 Page 3
Page 3 of 4
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon