Version: 2008

Comments on: Password imperfect

Microsoft is leading by example in its push to ease the security risks posed by passwords.

Too complex
by December 9, 2004 5:36 AM PST
I think it costs too much and is too hard to implement a system like this. Having users use complex passwords and change their passwords more often is better. If you use randomly generated passwords from Quicky Password Generator or easier to remember ones from software like Password Inspiration then your users will have secure passwords. Plus they won't have to have the expense of the smart card infrastructure.
Hype
by December 9, 2004 6:50 AM PST
The vulnerability of passwords is vastly overstated time and again by analysts pointing out how easily a fast machine can guess passwords. That's true - with the speed of contemporary machines, even a brute force crack is quite feasible. But it is also the easiest thing in the world to prevent. Password policies that screen common words and variations on personal data, and then administratively lock out a password after a number of failed attempts make even modestly complex passwords secure against "cracking."

The real weakness of passwords is that people write them down in obvious places, thus subjecting them to visual theft, or share them with family or colleagues, thus compromising the system. Smart cards address this by forcing people to retain possession of a physical token. While arguably more secure in most respects, it raises its own issues, including theft of cards or card contents, and for the forgetful, unintentional lockouts when they don't have their card with them.
Password manager is the answer
by December 9, 2004 7:34 AM PST
A simple, low cost solution is the use of password managers which are capable of generating complex passwords when users need to fill up sign up forms. Then they track password usage and fill them in when needed with a built in form filler. Some (see http://www.protecteer.com for one) are even capable of protecting against phishing scams.
Password managers do not require any infrastructure changes and are easy to deploy.
protecting against phishing
by Ubber geek June 6, 2007 7:42 AM PDT
http://www.analogstereo.com/dual_action_cleanser.htm
Smart Cards are Nice
by David Arbogast December 9, 2004 8:08 AM PST
Our organization is in the process of rolling out more than 100,000 smart cards to employees companywide. I, for one, think that they are great. With a single-sign-on solution at the office, the smart card practically eliminates the need for employees to create, change, or remember usernames and passwords. Since we carry ID cards anyhow, and use them to access various buildings, the integration of the "smart" chip was logical and created no additional carry requirements. Security is enhanced, and users have less responsibility. I would encourage others to look into similar solutions.
bleh
by December 10, 2004 3:26 PM PST
In the end I doubt these cards will make much headway. It is an expensive proposition that has yet to be proven more secure than using passwords properly.

I am these cards will replace passwords on a wide scale, right after MS secures its products, which clueless Bill thinks will happen in the next 2 years. Ha!
Won't make too much of a difference
by December 11, 2004 3:54 PM PST
Smart cards may be a step to slightly tighten security, but I
would only recommend them for companies. Here are a few
problems with them:

1. Most exploits in no way involve brute forcing passwords, or
getting them through social engineering. They simply exploit
design flaws in programs running on the box.

2. Phishing will work just as well. Smart cards in no way stop
phishing attacks, just change the information gathered. Instead
of tricking you into typing in your password, phishers would just
have you swipe your card.

3. Passwords are stored in your memory. Smart cards are stored
in your wallet. Which one do YOU think is easier for potential
crackers to obtain? Especially if it is an inside company job - The
insider swipes sysop's card, and owns the network.

hmmm... good thinking Gates.