Are Passwords History?

By Jennifer deJong

July 15, 2008 —  Passwords are dangerous. They are easy to guess. Shoulder surfing—surreptitiously watching a user enter the secret code—makes them easy to steal. They are difficult for authorized users to remember, giving rise to risky behavior like listing them on Post-It notes stuck to the monitor.

Yet, according to network security experts interviewed by Systems Management News, the password—the most widespread means of policing network access—isn’t going away anytime soon. “They’re free; you can issue them in 10 seconds; everyone understands them,” said Phil Lieberman, president of Lieberman Software, which makes password and administrative management tools. “Passwords are pretty much the dominant way to go.”

Alternative ways to manage network access, such as secure ID tokens (which generate constantly changing, one-time use passwords) and smart cards (essentially digital ID cards that can be read by the computer), have been available for many years. But both methods are costlier and complicated to manage than user ID and password. They require the authorized user to keep the token or card in their possession. Smart cards add another layer of complexity because they require a third-party certifying authority to issue certificates that must be reloaded on the card, said Lieberman. “And most applications aren’t aware of how to interact with smart cards.”

What’s giving the password its longevity is not its inherent strengths compared with other methods. It’s the role it plays in two-factor authentication. As the name implies, the approach has two facets: It requires the authorized user to know something (the password) and to have something (the secure ID token or smart card).

“The [user ID] and password are not sufficient,” said Cisco solutions marketing manager Steven Song. “You need something else and that is typically a hardware token.”

Passwords aren’t really the weak link, said Rene Poot, international systems engineer for NCP, which sells virtual private network software for secure access. “It’s education around passwords. The passwords need to be chosen wisely.”

Network administrators need to put policies in place to ensure appropriate password choice and mandate frequent changes, he said. “If you give users too much freedom, they use their dog’s name. It’s important to have a password that is difficult to guess.”



Related Search Term(s): Security

Share this link: http://www.sysmannews.com/link/32538