Companies are "fiddling while Rome burns" by continuing to put their faith in passwords to guarantee user authentication, a Gartner analyst has warned.
Speaking at the Gartner IT Security Summit in London on Wednesday, Ant Allan said that "passwords are no longer adequate, as threats against them increase."
Those emerging threats are intimately linked to emerging technology such as Wi-Fi and Web services. As the usage of these services grows, more cybercriminals will attempt to exploit them. There is a business value in adopting new technology, but security needs to keep up, according to Gartner.
The increasing sophistication of attacks and the professionalism of cybercriminal gangs have led companies to make passwords longer, or to change them more frequently. "This is a bad idea," said Jay Heiser, a Gartner research vice president. "Users respond by forgetting passwords, or writing them down, which can compromise security in a different way."
The future of authentication is "something stronger," Allan said. "RSA security tokens, smart cards and biometrics are becoming increasingly popular. The problem with those methods is that they are expensive to implement," he said.
Some security experts have been urging companies to use two-factor authentication--where users present a second form of identification as well as their password--for some time, though not all agree it is the way forward. Security guru Bruce Schneier summed up many of the arguments against two-factor authentication in an interview earlier this year, saying: "People are selling two-factor authentication as the solution to our current identity-theft problems, but it was designed to solve the issues from 10 years ago."
"We are finding that European companies are more accepting of the higher cost of these solutions, while the U.S. back away because they don't want to burden users (with complex procedures)," Allan said.
Less-expensive solutions include mobile phone tokens for one-time password authentication, or ID cards.
Colin Thompson, vice president of enterprise sales at security company Aladdin, agreed that companies will need to start tying in some kind of physical ID with digital ID.
"To access your bank account, you need a bank card and PIN," he said. "If you lose that card, you know your security has been compromised. We need some kind of smart card or certification, because individual users in companies are still at risk.
"Two-factor authentication is the way forward. Once you're into a system, we need greater simplicity, though. No more different username and password for different sites."
The risk of passwords being compromised keeps growing because the tools that crack them are ever easier to download, said John Girard, another Gartner analyst.
"The 'Magical Jellybean' tool is downloadable, and will find your license key if you've lost it," he told the audience at the security summit, referring to a utility that is freely available over the Web.
"'Free Word and Excel password recovery wizard' enables you to crack passwords by brute force. It's good for shorter passwords. Longer passwords take about 16 hours, but if you really want to get in, you can," Girard warned.
The problem with most password systems is that nothing stops an attacker from guessing again and again, so they are susceptible to brute force, Girard said.
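The mitigation Girard's point implies is to make repeated guessing expensive and visible. The following is an added example, not code from the article or from Gartner: a wrapper around an existing password check that applies exponential backoff per failed attempt, locks the account after a threshold, and records an audit trail. The threshold and delay values are assumptions chosen for illustration, and the `verify` callback stands in for whatever hash comparison the real system uses.

```python
import time
from dataclasses import dataclass, field

# Constructed policy values (assumptions for this example, not from the article):
MAX_FAILURES = 5          # consecutive failures before the account locks
BASE_DELAY = 1.0          # seconds; doubled after every failure (exponential backoff)
LOCKOUT_SECONDS = 900     # 15 minutes once MAX_FAILURES is reached

@dataclass
class AccountState:
    failures: int = 0
    next_allowed: float = 0.0                     # earliest time another attempt is accepted
    events: list = field(default_factory=list)    # audit trail for detection / SOC review

class ThrottledAuthenticator:
    """Wraps a password check so repeated guessing is rate limited and logged."""

    def __init__(self, verify, clock=time.time):
        self.verify = verify   # verify(user, password) -> bool, e.g. a bcrypt compare (assumed)
        self.clock = clock     # injectable clock so the policy can be tested deterministically
        self.state = {}

    def login(self, user, password):
        now = self.clock()
        st = self.state.setdefault(user, AccountState())
        if now < st.next_allowed:
            # Attempt arrived inside a backoff or lockout window: refuse without checking.
            st.events.append(("throttled", user, now))
            return "throttled"
        if self.verify(user, password):
            st.failures = 0
            st.next_allowed = 0.0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.next_allowed = now + LOCKOUT_SECONDS
            st.events.append(("lockout", user, now))
            return "locked"
        # Backoff doubles with each failure: 1s, 2s, 4s, 8s ...
        st.next_allowed = now + BASE_DELAY * 2 ** (st.failures - 1)
        st.events.append(("failure", user, now))
        return "denied"
```

Per-account lockout alone can be turned into a denial of service against legitimate users and does nothing against a spray of one password across many accounts, so in practice it is paired with per-source rate limiting and alerting on the recorded events.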
You *might* be able to crack one of my passwords for a RAR file, if you had a week to do it and better hardware than I currently own. This is assuming you get past all of the other safeguards I employ at home.
Passwords do work, properly implemented and sufficiently complex. What doesn't work is policies that force compromises: asking me to generate new complex passwords every 90 days for over a dozen discrete systems forces me to write them down. Because I need them every day, that location has to be convenient. Paper is REAL convenient, people.
For those who care about American IT and our national security
This is a MUST reading for those who care about the future of American IT and our national security (see the link): http://www.alexanderbell.us/Initiative/IT.htm
We have been tangling with different vendors for two-factor authentication for ~10,000 users. But with the costs for the simplest solution costing us a minimum of $250,000 to $500,000, how can we afford it? Although we realize the implications and limitations of password authentication, we are also realists. Beyond the fiscal costs are the training, helpdesk, and ongoing maintenance costs.
Bottom line: Until smartcard token vendors can get their products to an affordable level, so as to afford the other costs involved, it is almost an impossible sell to administration.
Mr. A.T. Alishtari, POA and Founder EDI Secure LLLP, says passwords are passé if you consider that they can be phished, hacked, trojan horsed, pharmed, robot takeover or any number of possibilities beyond the mind's imagination.
Still keeping the swipe offline is the best way to protect consumers using the single use credit card number patent that this Company owns for the US only. Some things are easier than others.
To update Mr. Alishtari's comment, please note this now...
In January 2006, EDI Secure LLLP was purchased by IDPixie LLC. IDPixie LLC now owns the patent US 6,598,031 B1 granted on July 22, 2003 for APPARATUS AND METHOD FOR ROUTING ENCRYPTED TRANSACTION CARD IDENTIFYING DATA THROUGH A PUBLIC TELEPHONE NETWORK from inventor Jeffrey Ice. To update this patent's place in the marketplace, I add the above and below data.
My Pledge
I, Mr. Abdul Tawala Ibn Ali Alishtari, pledge my Foundation to halt child slavery activities including his Global Peace Film Festival, Inc., at www.peacefilmfest.org. I pledge moral support of legal, peaceful activities and my non-profit gifts offshore, onshore and globally, primarily with philanthropy from my personal investment to help halt all fraud, violence and scams hurting innocent children, women and families so help me God.