
December 9, 2004 4:00 AM PST

Password imperfect

(continued from previous page)

implementation can be expensive, costing companies tens of dollars per employee. Centralized identity management systems cut costs and add security. For the most part, two-factor authentication just adds cost, said Charles Fitzgerald, Microsoft's general manager of platform strategies.

"The move we made was driven by a security perspective, not an operational-cost perspective," he said.

In its internal push, Microsoft is piloting its own technology: It's using .Net-enabled smart cards provided by Axalto, formerly known as Schlumberger. That puts .Net, Microsoft's software platform for running software on any device, back into competition with Sun Microsystems' JavaCard software for smart cards.

The smart-card push comes after Microsoft has made a few missteps in the identity management arena. Its pint-size Windows CE for Smart Cards operating system failed to attract developers. On top of that, its Passport service, a foray into online consumer identity management, did not win over enough service providers to become useful.

Fears about e-commerce fraud are adding momentum to the smart-card drive. The password issue is a lurking iceberg, and e-commerce sites, financial institutions and other large companies have only seen the tip of it, said Prakash Ramamurthy, vice president of products and technology for Oblix, a maker of identity management systems. Consumers and employees have multiple accounts holding personal information, and an attacker only has to find the one with the weakest security.

"Identity is one thing that is being duplicated," Ramamurthy said. "And when you have that information more than once, you have a security hole."

For the moment, Microsoft's plugging of that hole in its internal systems is not being carried over to its technology for consumers. People with password worries will have to wait and see whether the company puts any provisions in place in its software.

"Enterprises are more willing to invest to solve the problems," Microsoft platform strategist Fitzgerald said. "On the consumer side, I am not saying that we are doing nothing in that space, but the things that we have talked about over the last few weeks have little to do with consumers."

(7 Comments)
Too complex
by December 9, 2004 5:36 AM PST
I think it costs too much and is too hard to implement a system like this. Having users use complex passwords and change their passwords more often is better. If you use randomly generated passwords from Quicky Password Generator or easier to remember ones from software like Password Inspiration then your users will have secure passwords. Plus they won't have to have the expense of the smart card infrastructure.
Hype
by December 9, 2004 6:50 AM PST
The vulnerability of passwords is vastly overstated time and again by analysts pointing out how easily a fast machine can guess passwords. That's true - with the speed of contemporary machines, even a brute force crack is quite feasible. But it is also the easiest thing in the world to prevent. Password policies that screen common words and variations on personal data, and then administratively lock out a password after a number of failed attempts make even modestly complex passwords secure against "cracking."

The real weakness of passwords is that people write them down in obvious places, thus subjecting them to visual theft, or share them with family or colleagues, thus compromising the system. Smart cards address this by forcing people to retain possession of a physical token. While arguably more secure in most respects, it raises its own issues, including theft of cards or card contents, and for the forgetful, unintentional lockouts when they don't have their card with them.
Password manager is the answer
by December 9, 2004 7:34 AM PST
A simple, low cost solution is the use of password managers which are capable of generating complex passwords when users need to fill up sign up forms. Then they track password usage and fill them in when needed with a built in form filler. Some (see http://www.protecteer.com for one) are even capable of protecting against phishing scams.
Password managers do not require any infrastructure changes and are easy to deploy.
protecting against phishing
by Ubber geek June 6, 2007 7:42 AM PDT
http://www.analogstereo.com/dual_action_cleanser.htm
Smart Cards are Nice
by David Arbogast December 9, 2004 8:08 AM PST
Our organization is in the process of rolling out more than 100,000 smart cards to employees companywide. I for one, think that they are great. With a single-sign-on solution at the office, the smart card practically eliminates the need for employees to create, change, or remember usernames and passwords. Since we carry ID cards anyhow, and use them to access various buildings, the integration of the "smart" chip was logical and created no additional carry requirements. Security is enhanced, and users have less responsibility. I would encourage others to look into similar solutions.
bleh
by December 10, 2004 3:26 PM PST
In the end I doubt these cards will make much headway. It is an expensive proposition that has yet to be proven more secure than using passwords properly.

I am these cards will replace passwords on a wide scale, right after MS secures its products, which clueless bill thinks will happen in the next 2 years. Ha!
Won't make too much of a difference
by December 11, 2004 3:54 PM PST
Smart cards may be a step to slightly tighten security, but I
would only recommend them for companies. Here are a few
problems with them:

1. Most exploits in no way involve brute forcing passwords, or
getting them through social engineering. They simply exploit
design flaws in programs running on the box.

2. Phishing will work just as well. Smart cards in no way stop
phishing attacks, just change the information gathered. Instead
of tricking you into typing in your password, phishers would just
have you swipe your card.

3. Passwords are stored in your memory. Smart cards are stored
in your wallet. Which one do YOU think is easier for potential
crackers to obtain? Especially if it is an inside company job - The
insider swipes sysop's card, and owns the network.

hmmm... good thinking Gates.