Passwords have been part of computer operations for as long as most people can remember. But some security experts are voicing concerns about the security of passwords.
Many companies figure that they have a level of security by obscurity with passwords because they figure, who is going to perform a brute force or dictionary attack -- two methods for figuring out passwords -- against them?
"That reasoning is like not having a lock on your front door," said Sondra J. Schneider, founder and CEO of Security University Inc., a Stamford, Conn.-based security training firm. "You may think your front door is good enough, but you would have to have more insurance for your valuables [because they're eventually going to be stolen]."
Organizations still cling to using passwords for a variety of reasons, including habit, bureaucracy, inertia and "institutional consent," said William Hugh Murray, executive consultant with TruSecure Corp. "I have been after the Department of Defense to get rid of passwords for years because they are really poor security," he said at the recent e-ProtectIT conference at Norwich University, in Northfield, Vt.
Another reason why passwords are still so pervasive is concern over the alternatives. Companies worry about the infrastructure needed to use RSA Security's SecurID tokens or smart cards. Biometrics seem more like something out of a James Bond movie than something you'd see in a modern enterprise.
"Biometrics [by themselves] aren't good enough, but neither are passwords," Murray said.
The answer is going to a two- or three-factor form of identification. For decades, people have been using two-factor authentication in their everyday lives without realizing it, Murray said. Namely, using an ATM machine requires two-factor authentication because it requires something you know (a PIN) and something you have (a card).
With such a setup, the PIN doesn't have to be particularly complex or changed often for the system to be secure. One of the major hassles with passwords is that they need to be fairly long (at least six or seven characters) and complex to be even remotely secure. Plus, they also need to be changed every couple of months, a fact that impacts help desks. And users tend to forget their new passwords.
Three-factor authentication may seem severe but, for particularly sensitive accounts, it's necessary. Schneider recommends three-factor authentication for accounts that can't be repudiated. For example, an account that can authorize financial transactions would need three-factor, she said.
Perhaps the simplest alternative to passwords are SecurID tokens, which don't require a lot of investment to implement. There are also USB tokens. These can be made even more secure by binding the identity to the certificate for an extra level of authentication.
There are also smart cards (which can hold digital certificates). When someone accesses a network with a smart card, the system sends the card a random number, and the card then does a transaction and sends it back. This process allows the system to verify that the person is who he purports to be, but none of the information, if captured in transit, would be useful. A PIN can be set that goes with the card as well.
Moving beyond just passwords is not a trivial affair. Using many of the technologies will require some architectural changes, but the good news is that the prices for a lot of the technology have gotten cheaper. In some cases, companies don't have a lot of choice in the matter, given regulations like those put in place by the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (HIPAA), Schneider said.
Sondra Schneider is presenting a session on life after passwords at 8 a.m. PDT Wednesday at the RSA Conference 2003 in San Francisco.
FOR MORE INFORMATION:
- FEEDBACK: Are passwords becoming obsolete?
Send your feedback to the SearchSecurity.com news team.