Passwords are the weak link in IT security

Passwords aren't working, and replacement technologies haven't caught on. Why can't we develop a simple way to secure our data?

Page 4 of 4

Nevertheless, the retail industry IT executive says he plans to investigate biometrics for a legacy point-of-sale system that can't be integrated with Active Directory. "Our salespeople aren't assigned to a register. Instead, there are multiple POS terminals throughout the store, so they're logging in and out often." He says he'd like to retrofit the POS terminals so employees can access the system with the tap of a finger, noting that it would be an improvement over users mistyping passwords or forgetting them altogether.

Security consultant Ponemon holds some optimism for biometrics -- although he chuckles at instances like the botched Department of Homeland Security installation at the border crossing at Nogales, Ariz., where the scanner was installed upside down and failed everyone who tried it. "Implemented correctly, some biometrics systems are really cool," he says. "The Israelis have created very robust voice-recognition tools that can determine identity within a nanosecond."

He says he believes that voice recognition tools will be more viable than facial recognition, fingerprint or iris scanning systems. "People are too nervous" about having their eyes scanned, he points out.

Feldman says he's investigated almost everything under the sun. He's not bullish on biometric tools because he's seen too many of them fail. He's not keen on key fobs (which display a one-time access code after the user enters a PIN) because they have to be discarded after a few years, and because he doubts that users would report lost key fobs. And after the breach of EMC's RSA security division last year, he's not convinced that the vendor's method of displaying access codes -- on a USB-based hardware token -- is viable either.

Cellphones to the Rescue?

That doesn't mean Feldman is down entirely on device authentication, which strengthens password-based login by delivering a fresh one-time code over a second trusted channel, separate from the primary network connection. Feldman is looking at using cellphones as that secondary channel. "Everyone's got a phone," he reasons.

Instead of an access code displayed on a hardware token, the code would arrive as an SMS text message on the user's phone. Users wanting to log in to a data center would then enter both their password and the randomly generated access code received on their phone.
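The flow described above, as an added worked example that is not code from the article or from any of the vendors it mentions: the server generates a random code, pushes it over a stand-in for the carrier channel (a hypothetical `SmsGateway` stub), and accepts the login only when both the password and the code check out. The 6-digit code length, 5-minute lifetime, 3-guess limit and PBKDF2 password hashing are assumptions chosen for the example, not parameters from the page.

```python
"""Out-of-band one-time code as a second login factor (added example).

Assumptions (not from the article): SmsGateway stands in for the carrier
network, codes are 6 digits, expire after 5 minutes, are single-use and
allow 3 guesses; passwords are stored as PBKDF2-HMAC-SHA256 hashes.
"""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CODE_DIGITS = 6          # assumed code length
CODE_TTL_SECONDS = 300   # assumed lifetime of an issued code
MAX_GUESSES = 3          # assumed guess budget per issued code


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 so a stolen user table does not yield passwords."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


@dataclass
class PendingCode:
    code_hash: bytes          # the clear-text code is never stored server-side
    expires_at: float
    guesses_left: int = MAX_GUESSES


@dataclass
class SmsGateway:
    """Hypothetical stand-in for the carrier channel: records what would be sent."""
    sent: List[Tuple[str, str]] = field(default_factory=list)

    def send(self, phone: str, text: str) -> None:
        self.sent.append((phone, text))


class TwoFactorLogin:
    def __init__(self, gateway: SmsGateway):
        self.gateway = gateway
        self.users: Dict[str, Tuple[bytes, bytes, str]] = {}   # name -> (salt, pw_hash, phone)
        self.pending: Dict[str, PendingCode] = {}
        # Server-side key: a leaked pending table alone does not reveal live codes.
        self.code_key = os.urandom(32)

    def register(self, name: str, password: str, phone: str) -> None:
        salt, pw_hash = hash_password(password)
        self.users[name] = (salt, pw_hash, phone)

    def _hash_code(self, name: str, code: str) -> bytes:
        return hmac.new(self.code_key, f"{name}:{code}".encode(), "sha256").digest()

    def start_login(self, name: str, now: Optional[float] = None) -> None:
        """Step 1: mint a fresh random code and push it over the second channel."""
        now = time.time() if now is None else now
        if name not in self.users:
            return   # same behaviour for unknown accounts: no enumeration hint
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[name] = PendingCode(self._hash_code(name, code), now + CODE_TTL_SECONDS)
        self.gateway.send(self.users[name][2], f"Your login code is {code}")

    def finish_login(self, name: str, password: str, code: str,
                     now: Optional[float] = None) -> bool:
        """Step 2: both factors must verify; expired, exhausted or replayed codes fail."""
        now = time.time() if now is None else now
        user = self.users.get(name)
        pending = self.pending.get(name)
        if user is None or pending is None:
            return False
        if now > pending.expires_at or pending.guesses_left <= 0:
            self.pending.pop(name, None)          # dead code: discard it
            return False
        pending.guesses_left -= 1                 # every attempt spends a guess
        salt, pw_hash, _ = user
        # Evaluate both factors unconditionally and compare in constant time.
        pw_ok = hmac.compare_digest(hash_password(password, salt)[1], pw_hash)
        code_ok = hmac.compare_digest(self._hash_code(name, code), pending.code_hash)
        if pw_ok and code_ok:
            self.pending.pop(name, None)          # single use: a replayed code fails
            return True
        return False
```

Two points a practitioner would want noted: the server keeps only an HMAC of the code, keyed with a server secret, so neither a dumped `pending` table nor a brute-force of the 6-digit space against that table recovers a live code; and the SMS channel proves possession of a phone number as seen by the carrier, not of a particular device, so its strength is bounded by the carrier's own account-security practices.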

Forrester's Maler also likes this idea. "IT generates a new, one-time password and provisions it to the enterprise user by means of an alternate channel -- in this case, the carrier network. That's really powerful, because it's part of a password policy that forces change, and it's strong authentication because it involves something you know -- the password -- and something you have -- the computing device."

Case Western's Siu is even more enthusiastic about device authentication. "It'll keep people from sharing credentials, because for that to work, someone has to hand over their phone, and no one wants to do that," he says. The increasing popularity of smartphones improves the feasibility of this method.

Ponemon agrees, and adds that devices even smarter than smartphones may improve security. He believes device recognition technology, where the system recognizes your computer based on its IP address and other recognizable factors, will take hold, especially with security capabilities being built into processors. "It's technology that will get people in and out of systems safely," he says. "Computers with these chips will be low cost, but they'll be useful in a wide array of scenarios."

Whatever device-based technology wins, it will involve a set of checks and balances. "We'll always have password problems," acknowledges Siu. "While users always want a single place to log in, we're going to need multiple levels of authentication." He anticipates that in the future we'll carry something that authenticates us, perhaps our phone or something with an RFID tag, just as a highway toll transponder authenticates a car at a toll booth or a key fob lets you start a Prius when it's in the vicinity.

Ultimately, even the security experts are optimistic. "We're at a turning point in the security industry," insists Ponemon. "There are lots of venture capital investments looking at this facet of security. It's a response not just to [breaches at popular sites such as LinkedIn], but to hackers in China and Russia who are looking for weaknesses."

With the threat level this high, so too is the likelihood of a successful technological response. In the meantime, IT will keep on trying to exhort users to choose stronger passwords -- and that includes their own systems administrators. As Maler relates, a recent Forrester study found that the most common administrator password for Microsoft Exchange is -- you could have guessed it -- password1.

Baldwin is a frequent Computerworld contributor.

This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on Computerworld.com.

Copyright © 2012 IDG Communications, Inc.
