
Passwords, Passwords, Passwords

Trying to check my leave balance on a Web site operated by the provider High Tower uses for personnel administration and payroll. I just attempted to log in to an account set up by this provider. My password did not work. Frankly, I cannot even remember the name of this account, let alone what the password is. Why? I am certain that it is because I have so many accounts, some that I use in connection with my job, others that I use for Internet access through two Internet service providers (ISPs), still others that I use for things such as frequent flyer programs, more that I use for additional rewards and discount programs, yet others that I use for access to accounts set up by organizations for which I write papers and book chapters, and, finally, others that I use for stock broker accounts.

Frankly, I do not even have a chance of getting any password right except for the primary accounts that I use at work and my ISP accounts. I hesitate to write down any passwords on slips of paper because in information security doing so is taboo, and I am also reluctant to use the same password for more than one account because of the risk of a break-in into one account resulting in easy unauthorized access to other accounts. I could, I suppose, choose a base password and then add characters to it based on the particular account in question, e.g., <generic_password>borders for an account at Borders Books, but then I would almost certainly forget what the account name was anyway. I suspect that the only viable solution for someone like me is a tool such as Password Vault™, which allows a user to store all passwords for all accounts in one place. The user must remember only a master password. As good as Password Vault™ appears to be, however, I wouldn’t count on my purchasing and installing this tool any time soon.

The real solution to the underlying problem, namely that organizations are still relying on password-based authentication, is doing away with passwords altogether. True, there are several advantages associated with using passwords. For one thing, many systems and applications are password-dependent; changing the authentication method may be possible, but it could prove to be expensive and complicated. Furthermore, passwords are, at least by superficial appearances, easy to assign and administer. But I suspect that the main reason that password-based authentication is so much alive and well is that everyone, users very much included, is used to it. Passwords, after all, have been used for access to systems for nearly half a century.

What people who still defend the use of passwords in authentication and authorization too often forget are the many associated liabilities. Passwords are extremely crackable; doubters should obtain and run a copy of a powerful password cracking tool such as RainbowCrack, something that is a truly eye-opening experience for the uninitiated. Also, conventional passwords are static credentials. As such, they are subject to being sniffed over the network or captured by keystroke and tty sniffing tools. Additionally, the effort involved in password administration runs up IT costs in organizations much more than people realize. One of the major reasons for help desk functions is in fact the need to reset forgotten or expired passwords. Finally, as I have previously mentioned, remembering and caring for passwords for multiple accounts is very arduous.

Good alternatives to password-based authentication exist. Tokens, biometrics, smart cards, and picture identification are just a few. Major hurdles include cost (purchase and maintenance), usability (which is less than optimal with some of these methods), having to modify systems and applications to accommodate new authentication and authorization methods, and disruption of the status quo in the IT environment. The downsides can, however, often be easily offset by numerous advantages, of which considerably stronger authentication that results in fewer and less costly security breaches is one of the greatest. Additionally, help desk costs may diminish considerably if a suitable alternative form of authentication and authorization is chosen and the procedures associated with it are well-designed. In one Fortune 500 company the information security manager proposed that smart chips embedded in employee badges be used for authentication and authorization in all company computing systems. He successfully made his case to senior management by pointing out just how high the cost of assigning and resetting passwords was. Embedding chips in badges did not really inconvenience employees because they were already required to bring their badges with them and use them to enter this company’s premises. System and application administrators were required to change settings to terminate new sessions that were authenticated with the same smart card used to authenticate another current session, thereby greatly attenuating the problem of smart cards being loaned to employees.
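The one-active-session-per-card rule described for the badge deployment above can be expressed as a small server-side policy. This is an added example, not code from the post or from the company described; the `SmartCardSessionManager` class, its in-memory session store, the audit event names and the sample card IDs are all hypothetical constructions.

```python
"""Hypothetical one-active-session-per-smart-card policy (added example)."""
from dataclasses import dataclass
import time


@dataclass
class Session:
    session_id: str
    card_id: str
    started: float
    active: bool = True


class SmartCardSessionManager:
    """Tracks live sessions per card and rejects a second concurrent one."""

    def __init__(self):
        self._sessions = {}   # session_id -> Session (in-memory for the example)
        self.audit_log = []   # (event, card_id, session_id) tuples for review

    def active_session_for(self, card_id):
        """Return the live session bound to this card, or None."""
        for s in self._sessions.values():
            if s.card_id == card_id and s.active:
                return s
        return None

    def authenticate(self, card_id, session_id):
        """Open a session for a card that just authenticated.

        If the same card already backs a live session, the NEW session is
        refused (the policy from the post) and an audit event is recorded so
        repeated rejections for one card can be reviewed as possible sharing.
        """
        if self.active_session_for(card_id) is not None:
            self.audit_log.append(("rejected_concurrent_session", card_id, session_id))
            return False
        self._sessions[session_id] = Session(session_id, card_id, time.time())
        self.audit_log.append(("session_opened", card_id, session_id))
        return True

    def logout(self, session_id):
        """Close a session; afterwards the card may open a new one."""
        s = self._sessions.get(session_id)
        if s is None or not s.active:
            return False
        s.active = False
        self.audit_log.append(("session_closed", s.card_id, session_id))
        return True
```

Counting `rejected_concurrent_session` events per `card_id` in the audit log gives the help desk a direct indicator of which badges are being passed around.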

The problem of gaining access to systems and applications that cross organizational boundaries is, however, much more formidable. For example, for several years Microsoft touted Windows Passport, in which a single password could be used in a wide variety of Internet transactions. Passport, however, never caught on with the public. Certain credit card companies are experiencing somewhat greater success; they are embedding smart chips in the credit cards that they issue. Major downsides include the financial expense and effort involved in widespread dissemination and maintenance of smart card readers as well as some usability liabilities.

Regretfully, however, there is no easy solution to the problem of liabilities in connection with users having to use passwords, let alone multiple passwords. Hopefully, better solutions than are currently available will emerge in time.
