September 14, 2005 11:06 AM PDT

Companies urged to move beyond passwords

Companies are "fiddling while Rome burns" by continuing to put their faith in passwords to guarantee user authentication, a Gartner analyst has warned.

Speaking at the Gartner IT Security Summit in London on Wednesday, Ant Allan said that "passwords are no longer adequate, as threats against them increase."

Those emerging threats are intimately linked to emerging technology such as Wi-Fi and Web services. As the usage of these services grows, more cybercriminals will attempt to exploit them. There is a business value in adopting new technology, but security needs to keep up, according to Gartner.

Previous story
Microsoft security guru: Jot down your passwords
Jesper Johansson says the security industry has been giving out the wrong advice on passwords for 20 years.

The increasing sophistication of attacks and the professionalism of cybercriminal gangs have led companies to make passwords longer, or to change them more frequently. "This is a bad idea," said Jay Heiser, a Gartner research vice president. "Users respond by forgetting passwords, or writing them down, which can compromise security in a different way."

The future of authentication is "something stronger," Allan said. "RSA security tokens, smart cards and biometrics are becoming increasingly popular. The problem with those methods is that they are expensive to implement," he said.

Some security experts have been urging companies to use two-factor authentication--where users present a second form of identification as well as their password--for some time, though not all agree it is the way forward. Security guru Bruce Schneier summed up many of the arguments against two-factor authentication in an interview earlier this year, saying: "People are selling two-factor authentication as the solution to our current identity-theft problems, but it was designed to solve the issues from 10 years ago."

"We are finding that European companies are more accepting of the higher cost of these solutions, while the U.S. back away because they don't want to burden users (with complex procedures)," Allan said.

Less-expensive solutions include mobile phone tokens for one-time password authentication, or ID cards.

Colin Thompson, vice president of enterprise sales at security company Aladdin, agreed that companies will need to start tying in some kind of physical ID with digital ID.

"To access your bank account, you need a bank card and PIN," he said. "If you lose that card, you know your security has been compromised. We need some kind of smart card or certification, because individual users in companies are still at risk.

"Two-factor authentication is the way forward. Once you're into a system, we need greater simplicity, though. No more different username and password for different sites."

The risk of passwords being compromised is becoming greater and greater because it's becoming easier to download tools that will crack them, said John Girard, another Gartner analyst.

"The 'Magical Jellybean' tool is downloadable, and will find your license key if you've lost it," he told the audience at the security summit, referring to a utility that is freely available over the Web.

"'Free Word and Excel password recovery wizard' enables you to crack passwords by brute force. It's good for shorter passwords. Longer passwords take about 16 hours, but if you really want to get in, you can," Girard warned.

The problem with most passwords is that there is nothing in the system to stop you looking again and again, so they are susceptible to brute force, Girard said.

Tom Espiner of ZDNet UK reported from London.

7 comments

Join the conversation!
Add your comment
They've been saying this for years
Passwords will be around for a long time.
Posted by bobby_brady (765 comments )
Reply Link Flag
...and should be around.
You *might* be able to crack one of my passwords for a RAR file, if you had a week to do it and better hardware than I currently own. This is assuming you get past all of the other safeguards I employ at home.

Passwords do work, properly implemented and sufficiently complex. What doesn't work is policies that force compromises: asking me to generate new complex passwords every 90 days for over a dozen discrete systems forces me to write them down. Because I need them every day, that location has to be convenient. Paper is REAL convenient, people.

-Remo
Posted by Remo_Williams (488 comments )
Link Flag
Of course, with only one ID & Password
it sure makes it easy for someone to get into everything once they
figure out how to hack it
Posted by (1 comment )
Reply Link Flag
For those who care about American IT and our national security
This is a MUST reading for those who care about the future of American IT and our national security (see the link): <a class="jive-link-external" href="http://www.alexanderbell.us/Initiative/IT.htm" target="_newWindow">http://www.alexanderbell.us/Initiative/IT.htm</a>
Posted by 207796398873175208235380528963 (53 comments )
Reply Link Flag
Who can Afford Two Factor and Infrastructure?
We have been tangling with different vendors for two factor authentication for ~10,000 users. But with the costs for the simplist solution costing us a minimum of $250,000 to $500,000 how can we afford it. Although we realize the implications and limitions of password authentication we are also realists.
Beyond the fiscal costs are the training, helpdesk, and ongoing maintenance costs.

Bottom line: Until smartcard token vendors can get their products to an affordable level as to afford the other costs involved it is almost an impossible sell to administration.

Fred Dunn
Posted by fred dunn (793 comments )
Reply Link Flag
How Companies urged to move beyond passwords
How Companies urged to move beyond passwords

Mr. A.T. Alishtari, POA and Founder EDI Secure LLLP, says passwords are passe' if you consider that they can be phished, hacked, trojan horsed, pharmed, robot takeover or any number of possibilities beyond the mind's imagination.

Still keeping the swipe offline is the best way to protect consumers using the single use credit card number patent that this Company owns for the US only. Some things are easier than others.
Posted by (66 comments )
Reply Link Flag
To update Mr. Alishtari's comment please note this now...
In January 2006, EDI Secure LLLP was purchased by IDPixie LLC. IDPixie LLC now owns the patent US 6,598,031 B1 granted on July 22, 2003 for APPARATUS AND METHOD FOR ROUTING ENCRYPTED TRANSACTION CARD IDENTIFYING DATA THROUGH A PUBLIC TELEPHONE NETWORK from inventor Jeffrey Ice. This update this patent's place in the marketplace, I add the above and below data.

My Pledge

I, Mr. Abdul Tawala Ibn Ali Alishtari, pledge my Foundation to halt child slavery activities including his Global Peace Film Festival, Inc., at www.peacefilmfest.org. I pledge moral support of legal, peaceful activities and my non-profit gifts offshore, onshore and globally, primarily with philantrophy from my personal investment to help halt all fraud, violence and scams hurting innocent children, women and families so help me God.
Posted by Abdul Tawala Ibn Ali Ali (53 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.