February 23, 2005 4:00 AM PST

Finding a replacement for passwords

As online scams get more sophisticated, passwords are becoming hopelessly outmoded--as passe as floppy disks.

Yet many businesses and nearly all consumers still rely on passwords as the primary means of verifying who they say they are.

At last week's RSA security conference, Microsoft Chairman Bill Gates sounded once again his well-worn call for an end to passwords, while on the show floor, companies touted gadgets to help verify identity.


Smart card
What: A plastic card, similar to a credit card, that contains a chip. The chip holds information and restricts access to only those with the proper personal identification number.

Pro: Can be used for access to both buildings and networks.

Con: Cards could be forgotten or stolen; readers and cards cost money.

USB token
What: A key fob with a USB attachment that carries security information using memory technology similar to that found in a smart card.

Pro: Low-cost, because modern computers all come with a USB port.

Con: Tokens could be forgotten or stolen; not all USB ports are easy to access; only good for computer and network access.

Password generator
What: A matchbox-size device that generates a sequence of numbers acting as a one-time password.

Pro: No connection to PC needed.

Con: Device could be forgotten or stolen; the user has to type the generated code into the login form; only good for computer and network access.

Biometric reader
What: Technology based on a human trait that can be used to identify a person, most often a fingerprint.

Pro: Nothing for the user to carry or forget; can be used for building and network access.

Con: Expensive to deploy; readers can falsely reject an enrolled user or accept the wrong one.

Source: CNET News.com

There's plenty of technology that could augment or replace the password, from smart cards to password-generating tokens to cell phone-based systems. They have yet to catch on. One hurdle is that it can be inconvenient to have to keep a piece of hardware handy. But the real problem, analysts said, is that neither businesses nor consumers appear ready to pay for them.

"Every bank I talk to doesn't want to hand out tokens," Gartner analyst Avivah Litan said. "They're too expensive."

The cost of such a service is not insignificant. For instance, companies that have signed up for RSA Security's corporate hardware tokens pay on average $35 to $40 per employee as part of an annual service deal. However, a consumer service could cost a bank or other online service provider far less, if they hand out hundreds of thousands or millions of the gadgets.

Passwords are seen by many experts as the weak link in the security chain. A well-circulated research paper from 1979 (Morris and Thompson's "Password Security: A Case History") found that a significant share of passwords could be guessed in less than 5 minutes--and that was when punch cards were popular.

Web stores, online banks and other companies doing business on the Internet recommend that customers choose a password that is easy for them to remember but hard for someone else to guess. In practice the opposite usually holds: few of us can remember all of our passwords, while the bad guys, armed with password-cracking software, can recover weak ones in a matter of minutes.

RSA's SecurID token, which generates a fresh one-time password (OTP) every 60 seconds, is only one of the hardware products on the market that aim to bolster security for consumers. Credit card-size smart cards slot into a reader and can be one factor in two-factor authentication: access is granted only when two independent elements--something the user has, such as the smart card, and something the user knows, such as a personal identification number--are both presented. A USB token works like a smart card, but plugs directly into a PC, instead of into a special reader. Another system sends one-time passwords via text message to a customer's registered cell phone.

The biggest factor pushing companies to pay for something better than passwords is concern over identity theft and phishing--Internet fraud in which people are fooled into giving their personal information, such as online banking passwords, to thieves. If something more than a password were needed to get access to financial records, it would be trickier for crooks to profit from such schemes: a stolen password alone would no longer be enough. A one-time code that is phished and relayed to the bank before it expires still works, though, so the extra factor raises the bar rather than closing the door.

"We want to add significantly more protection for our users and are looking at stronger authentication for passwords," said Adam Joffe, chief technology officer for Sony Online Entertainment, at an RSA Conference 2005 panel discussion.

Last week at the show, RSA Security announced plans for a hosted SecurID service where companies can add a layer of extra security for consumers. E*Trade Financial is among those that is trying out the


7 comments

Replacement for Passwords
So you think that getting rid of passwords, and using "tokens" will solve the security problem?
Guess again. You must know that certain cars use something similar for ignition - and guess what:
the new electronic keys (or tokens) can be stolen, or duplicated. There is a fine balance between security via passwords, and (the next step in invading our privacy) tagging everyone with a chip. Is that to be your next suggestion, when the tokens do not work? Proper programming, that will not accept "easy to guess" passwords, is still the most "livable" way to go - along with other good policing/security measures. The limits of other means of programming and electronic-based means have not even been scratched. Those in the related (security) fields (internet, etc.) have yet to make the effort to control spam and viruses that could be done. Where I work, we get in excess of 50,000 spam emails a day, and while those in charge of Internet security excuse themselves by saying that they cannot trace the originator, it does not even enter their mind to go after those who pay the spammers to send out the ads. That is only an example of a related kind of problem. It seems that it is easier to create another money-making gadget(?)
....that's my take on this
...Steve
Posted by stevezd (9 comments )
Reply Link Flag
Gosh, I Know---
How about something like a "...National BIOMETRIC ID-Card" with "integral RFID" (or some equivalent electronic verification)? It could be required for every citizen to have one, ...just like the 'REAL-ID plan' already approved by the Senate (which, by the way, is being desperately pushed forward by the 'Whitehouse')?

A citizen could insert their "ID" every time they 'booted' their "...Trusted PC" (in fact, within the "Trusted Computer" architecture it could quickly be made virtually impossible to use a PC without it).

And best of all, by requiring "positive ID" to use the Internet, "WE" could, finally, eliminate "fraud", "copyright-violation", "anonymous speech", etc., ...or even, that most dreaded malady, "privacy" itself.
Posted by Gayle Edwards (262 comments )
Link Flag
The Market Needs More Accurate Info
There seem to be a lot of opinions in the market for user authentication, which is no surprise. What is surprising is the lack of research data to back up the opinions voiced by leading authors and research firms. Token technology is not widely understood to begin with, and influential opinions without facts behind them create greater misunderstanding.

A token is nothing like the key fobs used in a car ignition system. Think of a token as a secure secret. Instead of sharing the secret to gain access (like you do now with a password, social security number, etc.) the token uses an embedded secret (the algorithm) to generate a one-time code based on time of day or an internal counter. The only way to confirm that this one-time code is correct is to have an encrypted copy of the secret on the back-end of the system being accessed. The secret on the back-end also generates a one-time code which is compared to the code the user enters. If the codes match, the correct token is being used and access is granted. At no time is the actual secret in the open. Many of today's algorithms use 3DES - you can look it up if you are interested in cryptography but bottom line is that it has not been cracked and would not be economically feasible to try.
Posted by (1 comment )
Link Flag
PC Security
I am all for all MAKES & MODELS of PCs, including homebuilt and custom-built PCs, having a thumbprint reader as a secure login device. This can be used for home & corporate PCs. This may also be used for secure web site access. Only when the PC is shared by the entire family can there still be the one standard password to boot the system, but parents can control Internet surfing content, chat room content, and specific files and folders via the thumbprint scanner. This would prevent children from accessing porn or adult chats, and keep them out of private or financial files & sites, without a parent's need to keep a log of all the various passwords used for different web sites, which can be found all too easily by children or misplaced by the adult while trying to prevent the children from finding the password file/log. This is the simplest form of securing one's data and personal computer from being accessed without proper authorization. With today's back-up equipment & technologies this thumb reader could cause a complete data loss if tampered with. If only a similar technology could be used to prevent hacking of data through DSL, cable, and dial-up connections it would be great! If a hacker or a Trojan were to access critical or protected files, automatically causing the drive to reformat itself or crash in such a way that a recovery program or back-up program would be the only way to get the PC rebooted would vastly increase the protection of data. I give as an example people I have seen with modified scanners listening in on early analog cellular phones, cordless phones that ran in the 800MHz range, and you can be sure that there are people scanning the new 2.4GHz cordless phones.
I waited until digital phones came out because they were virtually impossible to listen in on, which is part of the reason the government was unhappy with most digital suppliers early on; they have now gotten this access with the GPS positioning set-up for 911 calls to allow emergency services to find the caller, supposedly to as close as 10 meters or better. If you turn off this feature on most phones you lose features, so in order to keep all your services working it needs to be on.
Posted by wino460 (1 comment )
Reply Link Flag
Password imperfect
Passwords are no longer hard codes to break. What is the maximum a normal guy can set as a password?
1. His name/nickname + 123
2. His wife's name/nickname + ilu
3. His pet's name
4. His son's or daughter's name
5. His birthdate
6. His wife's birthdate
7. His anniversary date
8. His car number
9. His initials and employee number
10. His anniversary
11. ...the list is long but definitely predictable

Hence even if you change your password every day, one day or the other it will be hacked.
Posted by (3 comments )
Reply Link Flag
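The list above is, in effect, a recipe for a targeted guess list. As an added example (not from the article or from the commenter), the following builds exactly those guesses from what is known about a user and rejects any candidate password that matches one of them, including leetspeak substitutions and trailing digits or punctuation, which is the kind of policy check the earlier comment asks for. The profile fields, the suffix list and the sample user are constructed for the demonstration; "123" and "ilu" are the two suffixes the list names.

```python
from datetime import date

# Suffixes people bolt onto a name (constructed list; "123" and "ilu" come from the comment above)
SUFFIXES = ("", "1", "12", "123", "1234", "ilu", "!", "!1")
# Ways a date gets typed as a password: 14051970, 05141970, 1970, 70, ...
DATE_FORMATS = ("%d%m%Y", "%m%d%Y", "%Y%m%d", "%d%m%y", "%m%d%y", "%d%m", "%m%d", "%Y", "%y")
# Undo common leetspeak so "R0ver" is compared as "rover"
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
# Characters stripped from the end so "emma2005!" is compared as "emma"
TRAILING = "0123456789!@#$%^&*.?_-"

# Constructed sample user; every field here is hypothetical
SAMPLE_PROFILE = {
    "name": "John", "nickname": "Johnny", "spouse": "Mary", "pet": "Rover",
    "children": ["Emma"],
    "birthdate": date(1970, 5, 14), "spouse_birthdate": date(1972, 8, 2),
    "anniversary": date(1995, 6, 21),
    "car_number": "KA01AB1234", "initials": "JD", "employee_no": "4471",
}


def profile_guesses(profile: dict) -> set:
    """Expand the profile into the lowercase guesses an attacker who knows the user would try."""
    guesses = set()
    names = [profile.get(k) for k in ("name", "nickname", "spouse", "pet")]
    names += list(profile.get("children", ()))
    for name in filter(None, names):
        for suffix in SUFFIXES:
            guesses.add(name.lower() + suffix)
    for d in (profile.get(k) for k in ("birthdate", "spouse_birthdate", "anniversary")):
        if d:
            guesses.update(d.strftime(fmt) for fmt in DATE_FORMATS)
    if profile.get("car_number"):
        guesses.add(profile["car_number"].lower())
    if profile.get("initials") and profile.get("employee_no"):
        guesses.add(profile["initials"].lower() + profile["employee_no"])
    return guesses


def is_predictable(password: str, profile: dict) -> bool:
    """True if the password, or a de-leeted or digit-stripped form of it, is a profile guess."""
    guesses = profile_guesses(profile)
    lowered = password.lower()
    for form in (lowered, lowered.translate(UNLEET)):
        if form in guesses:
            return True
        stem = form.rstrip(TRAILING)
        if stem and stem in guesses:
            return True
    return False


if __name__ == "__main__":
    for candidate in ("john123", "Maryilu", "14051970", "R0ver!", "JD4471", "Tr7$kq!9Lm"):
        print(candidate, "predictable" if is_predictable(candidate, SAMPLE_PROFILE) else "ok")
```

A real deployment would add a general dictionary and a breached-password list alongside the profile-derived guesses; the point here is that the attributes a bank or employer already holds about a user are enough to rule out most of the patterns in the list above before the password is ever accepted.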
 
