
The latest play on passwords

A new survey of Fortune 2000 companies and government agencies suggests stronger authentication is not being widely embraced because of complexity and costs.

The mantra within security circles this year has been to strengthen enterprise-level authentication to stanch the flood of data thefts enabled by dictionary attacks and increasingly clever phish scams. But a new vendor-sponsored survey suggests not all companies can manage a more complex system.

"Phishing and identity theft get a lot of play, but it's still limited to certain groups of companies, such as those in the financial industry. For the rest of companies, it's still primarily people asking, 'How do I protect my business and my remote access employees?'" said Sally Sheward, vice president of product marketing and business development for San Mateo, Calif.-based TriCipher Inc.

TriCipher, whose product offerings strengthen password policies by issuing multiple types of credentials from a single infrastructure, conducted an online survey in June to find out what was foremost on large enterprises' minds. To the company's surprise, stronger authentication, while acknowledged as important, was not universally embraced because of its complexity. "User adoption was a big issue because a lot of types of authentication are difficult for people. You have to carry something or take extra steps in the authentication," Sheward said. Similarly, companies saw added layers of authentication as also adding expense and difficulty for network security managers.

Meantime, others are advocating a simpler approach to password management. Cryptographer Bruce Schneier last month wrote on his popular security blog that writing down passwords was not a bad idea. "This is good advice, and I've been saying it for years," he wrote. "Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We're all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet."

The statement came after a Microsoft senior program manager, Jesper Johannsen, told delegates at an Australian security conference that companies should not ban employees from writing down their passwords. "I have 68 different passwords," Johannsen said at the conference. "If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password."

Among the results from the TriCipher survey, based on 58 respondents working for Fortune 2000 companies and government agencies:

  • 68% said the biggest business risk associated with authentication security failures was reputation cost, along with lost productivity during downtime. The high percentage may reflect the spate of companies that have been forced to disclose huge data thefts since February. "If we do this again in a few months, I think that number is going to go up," Sheward said.
  • 54% reported their employees had been phished, compared to 32% of customers. Sheward admitted the response created more questions about how people interpreted that query. She did, however, note a new trend in which phish attacks pose as e-mails from a company's human resources department asking for employee usernames and passwords to access corporate networks.
  • 44% named password-related vulnerabilities as their biggest authentication threat.
  • Half identified remote users as their major authentication issue today.
  • 56% said their existing authentication system was too hard to use, manage or integrate with other systems.
  • 48% cited cost as the main barrier to implementing stronger authentication.
