The mantra within security circles this year has been to strengthen enterprise-level authentication to stanch the flood of data thefts enabled by dictionary attacks and increasingly clever phish scams. But a new vendor-sponsored survey suggests not all companies can manage a more complex system.
"Phishing and identity theft get a lot of play, but it's still limited to certain groups of companies, such as those in the financial industry. For the rest of companies, it's still primarily people asking, 'How do I protect my business and my remote access employees?'" said Sally Sheward, vice president of product marketing and business development for San Mateo, Calif.-based TriCipher Inc.
TriCipher, whose product offerings strengthen
Meantime, others are advocating a simpler approach to password management. Cryptographer Bruce Schneier last month wrote on his popular security blog that writing down passwords was not a bad idea. "This is good advice, and I've been saying it for years," he wrote. "Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We're all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet."
The statement came after a Microsoft senior program manager, Jesper Johansson, told delegates at an Australian security conference that companies should not ban employees from writing down their passwords. "I have 68 different passwords," Johansson said at the conference. "If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password."
Among the results from the TriCipher survey, based on 58 respondents working for Fortune 2000 companies and government agencies:
- 68% said the biggest business risk associated with authentication security failures was reputation cost, along with lost productivity during downtime. The high percentage may reflect the spate of companies that have been forced to disclose huge data thefts since February. "If we do this again in a few months, I think that number is going to go up," Sheward said.
- 54% reported their employees had been phished, compared to 32% of customers. Sheward admitted the response created more questions about how people interpreted that query. She did, however, note a new trend in which phish attacks pose as e-mails from a company's human resources department asking for employee usernames and passwords to access corporate networks.
- 44% named password-related vulnerabilities as their biggest authentication threat.
- Half identified remote users as their major authentication issue today.
- 56% said their existing authentication system was too hard to use, manage or integrate with other systems.
- 48% cited cost as the main barrier to implementing stronger authentication.