THE PROBLEM WITH PASSWORDS
Yanki Margalit
Chairman and CEO
Aladdin Knowledge Systems, Ltd. (Nasdaq:ALDN)
Security in general – and the authentication of users in particular – are critical
components in enabling business and protecting sensitive corporate information.
Today, passwords are the primary tool for user authentication – a term
which essentially means “are you who you say you are?”
Once, access to important applications was given via passwords as easy
as open sesame. But in the Internet age, granting access via phrases can
be the harbinger of bad news.
Why a Password Isn't Good Enough
Unfortunately, passwords come with their own set of issues. Passwords
can be easily stolen, lost, shared or cracked. Due to the need to manage
multiple passwords and to ensure the effectiveness of passwords used,
organizations have adopted stringent password policies. This has translated
into more complex passwords and consequently, made them more difficult
to remember. “Passwords remain a fundamental security weakness,”
Gartner wrote in a recent report on system security, noting that this
was “regardless of the strength of the password policy.”
(Gartner Report, “Assess Authentication Methods for Strong System Security,”
August 2004)
The human factor plays a major role in password effectiveness. ATMs, the
web, cell phones, PCs – the need to authenticate never ends. To cope,
users are writing their passwords down, leaving them lying around here
and there, or using obvious passwords. It comes as little surprise that
for his/her computer alone, a typical user can have more than ten passwords!
In any case, chances are that most computer users are actually compromising
the security they were meant to improve – rather than being the guardian
of the gateway they once were, passwords today frequently become the key
to unsecured access.
And that's without considering the crackers. Whether for kicks, or for
profit, they're out there, looking for ways in. As Gartner boldly put
it in another recent report, "Passwords are no longer good enough
for PC security." Computer capabilities have advanced so much, they
say, that what once were "strong passwords" are now falling
victim to "inexpensive computer cracks."
One method of password cracking is the “brute force” or “dictionary”
attack. In this type of attack, a computer tries candidate passwords – every
possible combination, or every word in a list of likely choices – until it
finds one whose “hash,” the encoded signature in which the system stores the
password, matches the stored value.
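Why the stored form of the password decides how far such an attack gets is easier to see in code. The following is an added example, not from the article or from Aladdin: it contrasts a weak store (fast, unsalted SHA-1, where one precomputed table of wordlist hashes exposes every user at once) with the hardened form a defender should use (a random per-user salt and an iterated key-derivation function, here PBKDF2-HMAC-SHA256), and estimates the work an attacker must do in each case. The wordlist, user names and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data (not from the article): a tiny wordlist and a
# user table whose passwords are stored with the weak scheme.
WORDLIST = ["password", "letmein", "opensesame", "qwerty", "welcome1"]


def unsalted_sha1(password: str) -> str:
    """Weak scheme: a fast, unsalted hash. Equal passwords give equal hashes."""
    return hashlib.sha1(password.encode()).hexdigest()


WEAK_STORE = {
    "alice": unsalted_sha1("opensesame"),
    "bob": unsalted_sha1("opensesame"),
    "carol": unsalted_sha1("Tr0ub4dor&3x"),  # deliberately not in the wordlist
}


def precompute_table(wordlist) -> dict:
    """Hash the wordlist once; the table then serves every user and every site."""
    return {unsalted_sha1(word): word for word in wordlist}


def exposed_by_table(store: dict, table: dict) -> dict:
    """Accounts the table reveals: one dictionary lookup per user, no further hashing."""
    return {user: table[h] for user, h in store.items() if h in table}


def pbkdf2_record(password: str, iterations: int = 200_000,
                  salt: Optional[bytes] = None) -> dict:
    """Hardened scheme: random per-user salt plus a deliberately slow, iterated hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_pbkdf2(password: str, record: dict) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def guess_cost(num_users: int, wordlist_size: int, iterations: int, salted: bool) -> int:
    """Hash evaluations needed to test the whole wordlist against every user."""
    if not salted:
        return wordlist_size  # hash the list once, then only table lookups
    return num_users * wordlist_size * iterations  # every user, every word, every iteration


if __name__ == "__main__":
    table = precompute_table(WORDLIST)
    print("exposed by one table:", exposed_by_table(WEAK_STORE, table))
    rec = pbkdf2_record("opensesame")
    print("verify correct:", verify_pbkdf2("opensesame", rec))
    print("verify wrong:  ", verify_pbkdf2("letmein", rec))
    print("cost, unsalted fast hash:", guess_cost(3, len(WORDLIST), 200_000, salted=False))
    print("cost, salted PBKDF2:     ", guess_cost(3, len(WORDLIST), 200_000, salted=True))
```

Two users with the same password get different PBKDF2 records because each has its own salt, so a precomputed table is useless and the attacker must repeat the iterated work per user; raising the iteration count raises that cost linearly while the legitimate login pays it only once.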
A lost or stolen PC or laptop can give crackers access to a lot more than
just what is on that specific computer. Gartner notes that it is a real
possibility for crackers to extract administrator passwords from PCs,
theoretically opening access to other systems within the IT infrastructure.
Another issue is cost. Not only are passwords insecure, they are also
expensive to manage. Dealing with a user forgetting his/her password(s)
may seem minor, but in actuality, it is no matter of chump change – a
1,000 employee organization can spend $150,000 a year or more on password-related
help desk calls.
So, What's a Security-Minded Enterprise to Do?
There are, according to Gartner, two basic recommendations for increasing
security while reducing password issues:
• Utilize Strong 2-Factor Authentication: Combine passwords or PINs
with another authentication method, such as a hardware token.
• Implement Password Management: Avoid or at least alleviate technical
and procedural weaknesses by using a comprehensive password management
system.
(Gartner Report, “Assess Authentication Methods for Strong System Security,”
August 2004)
When we say strong authentication, what exactly is it that we're talking
about?
Authentication itself is composed of two steps: a user asserts his identity,
by providing a user name or other ID; then, the user provides authenticating
information, such as a password, which the system recognizes.
But authenticating information does not necessarily
have to be in password form, though that is most commonly used. Following
are the common “factors” of authentication:
• Something you know – e.g., a password or PIN.
• Something you have – e.g., an ATM card, smart card, or hardware token.
• Something you are – e.g., fingerprint or voiceprint (also known as biometrics).
Strong authentication, then, is the end-result of a combination of two
or more of the above methods, dramatically improving network security.
For enterprise security, the most popular and effective form of strong
authentication has come from hardware tokens. The first generation of
these tokens, developed in the 80’s, consisted of small devices that generated
a constantly changing password. These traditional tokens are known as
one-time password (OTP) tokens.
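The two-factor recommendation above, the "something you know / something you have" factors, and the one-time password tokens just described fit together in a single server-side check. The code below is an added example, not Aladdin's or the article's: it implements the HOTP algorithm of RFC 4226 (HMAC-SHA1 over a counter, then dynamic truncation to six digits), which is the open standard for event-based OTP tokens, and a verifier that requires both a PIN and a valid token code before it advances the user's counter. The class name, the look-ahead window of five and the sample user are assumptions; the token secret is the test secret from RFC 4226 Appendix D, used only so the expected codes are known.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# Test secret from RFC 4226 Appendix D; real tokens each carry their own random secret.
RFC4226_SECRET = b"12345678901234567890"


class TwoFactorVerifier:
    """Hypothetical server store: PIN (something you know) + token secret and
    counter (something you have). Both must pass for a login to succeed."""

    def __init__(self, lookahead: int = 5, pin_iterations: int = 100_000):
        self.lookahead = lookahead          # tolerated gap if the token was pressed without logging in
        self.pin_iterations = pin_iterations
        self.users = {}

    def enroll(self, user: str, pin: str, token_secret: bytes) -> None:
        salt = os.urandom(16)
        self.users[user] = {
            "salt": salt,
            "pin_hash": hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, self.pin_iterations),
            "secret": token_secret,
            "counter": 0,                   # next counter value the server will accept
        }

    def _pin_ok(self, rec: dict, pin: str) -> bool:
        digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), rec["salt"], self.pin_iterations)
        return hmac.compare_digest(digest, rec["pin_hash"])

    def _token_match(self, rec: dict, code: str):
        """Return the counter value the code matches within the window, else None.
        Codes below the current counter are never accepted, which blocks replay."""
        for c in range(rec["counter"], rec["counter"] + self.lookahead):
            if hmac.compare_digest(hotp(rec["secret"], c), code):
                return c
        return None

    def authenticate(self, user: str, pin: str, code: str) -> bool:
        rec = self.users.get(user)
        if rec is None:
            return False
        pin_ok = self._pin_ok(rec, pin)
        matched = self._token_match(rec, code)
        if not (pin_ok and matched is not None):
            return False                    # one generic failure: do not reveal which factor failed
        rec["counter"] = matched + 1        # consume the code; it can never be reused
        return True


if __name__ == "__main__":
    verifier = TwoFactorVerifier()
    verifier.enroll("alice", "1234", RFC4226_SECRET)   # constructed sample user
    print("first login:", verifier.authenticate("alice", "1234", hotp(RFC4226_SECRET, 0)))
    print("replayed code:", verifier.authenticate("alice", "1234", hotp(RFC4226_SECRET, 0)))
    print("wrong PIN, valid code:", verifier.authenticate("alice", "0000", hotp(RFC4226_SECRET, 1)))
```

The counter is only advanced when both factors pass, so a captured one-time code is useless without the PIN and cannot burn the user's counter, and a stolen PIN is useless without the token that holds the secret.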
As the needs of enterprises to support multiple applications and more
complex environments have grown, traditional OTP tokens are no longer sufficient
for many needs. Many organizations are moving to Public Key Infrastructures
(PKI), which provide an advanced framework for both protecting the integrity
of the organization’s data, and also offer digital signatures for trusted
e-business and e-commerce.
The next generation of hardware tokens includes USB smart cards or tokens,
which offer the same security benefits as traditional smart cards, but
without requiring readers, as they simply slip into a computer's USB port.
These innovative tokens are being adopted by companies around the world,
since with one device and one infrastructure they can support their business
and security objectives – whether it’s secure remote access for employees;
logging securely on to the network; secure access to web portals for partners
and customers; ensuring that data on a laptop is safe from prying eyes,
and much more.
By implementing strong user authentication solutions,
companies enable their customers, partners, and employees to boost their
productivity by using business applications wherever they are – in the
office, at home, or on the road.
Yanki Margalit is the founder, chairman and chief executive officer of Aladdin
Knowledge Systems, Ltd. In 1984, he designed and developed several products
in the areas of artificial intelligence and software security, founding
Aladdin to market them.
Mr. Margalit then introduced HASP, a system offering software protection
without inconveniencing legitimate users. In 1993, Mr. Margalit took Aladdin
public on the NASDAQ stock exchange, and in 1996 he brought about the
merger of Aladdin with FAST Software Security in Germany. Aladdin acquired
eSafe Technologies in 1998 and Preview Systems in 2001.
Today, Aladdin is a global leader in the software and Internet security
market, living up to its mission of "Securing the Global Village."
Visit the Aladdin website at www.Aladdin.com to
learn about Aladdin products and how you can use them to protect yourself
and your organization.