Password imperfect

For years, Microsoft has hammered away at the security flaws in its desktop operating system. Now the company is looking to plug another security hole: weak passwords.

People tend to choose easy-to-remember passwords--which means they're easy to crack. Even complex passwords can be stolen. They've moved from a security measure to a security risk, says Microsoft Chair Bill Gates, who for the past year has been publicly urging customers to stop relying on passwords.

Last month, the software giant set an example for those customers when it kicked off a big push to adopt a second security measure for its internal networks: smart cards for every employee. By the end of 2005, tens of thousands of telecommuting Microsoft employees will be issued the cards, which will be required to log on to the company's networks.

News.context

What's new:
Microsoft is giving telecommuting employees smart cards to alleviate the security risks of weak passwords on its internal networks.

Bottom line:
It's not the first time Microsoft has got behind smart cards for security. But this time, factors such as compliance and the Sept. 11 attacks mean companies are sold on security.

More stories on this topic

"Moving to biometric and smart cards is a wave that is coming, and we see our leading customers doing this," Gates told attendees at the IT Forum in Denmark last month. "In time, we will completely replace passwords."

This isn't the first time Microsoft has got behind smart cards as a second line of protection for businesses. But this time, companies have already been sold on security. Organizations have been made more aware of the danger of passwords by a new set of concerns, such as the terrorist acts of Sept. 11 and Enron-inspired regulations that require companies to account for information security.

To help lock down their networks, many companies are moving to centralized servers for handling the authorization of people attempting to access a network--whether employees entering a corporate system or shoppers logging in to an e-commerce site. These identity management systems make network management more simple, but they also put the most valuable network data in a single place--guarded by a password.

A simple system of a log-on name and a password, no matter how complex, cannot guarantee that an unauthorized user will be prevented from getting access to critical systems.

Passwords chosen by an individual are generally very easy for a machine to guess. Common variations are: a word followed by numbers, two words together, or a word with a number replacing a letter. All can be broken within minutes by the latest password-cracking programs.

Doubling down on security

The smart card Microsoft is adopting is not the only option for companies looking to add security to their network login.

Smart card
What: A plastic card, similar to a credit card, that contains a chip. The chip holds information and restricts access to only those with the proper personal identification number.

Pro: Can be used for access to both buildings and networks.

Con: Cards could be forgotten or stolen; readers and cards cost money.

USB token
What: A key fob with a USB attachment that carries security information using memory technology similar to that found in a smart card.

Pro: Low-cost, because modern computers all come with a USB port.

Con: Tokens could be forgotten or stolen; not all USB ports are easy to access; only good for computer and network access.

Password generator
What: A matchbox-size device that generates a sequence of numbers acting as a one-time password.

Pro: No connection to PC needed.

Con: Device could be forgotten or stolen; requires user to input the mathematically generated sequence; only good for computer and network access.

Biometric reader
What: Technology based on a human trait that can be used to identify a person, most often a fingerprint.

Pro: Biometrics cannot be forgotten or stolen; can be used for building and network access.

Con: Expensive to deploy; recognition problems can occur.

Source: CNET News.com

"Any password that we can expect people to remember can be brute-forced," said Bruce Schneier, chief technology officer for Counterpane Internet Security and author of several books on security.

Consumers are worried as well. Phishing attacks--scams that use e-mail messages and fake Web sites to fool victims into giving up personal information--will likely cost home users between $150 million and $500 million, according to two estimates.

In addition, surveys of home PCs have found as many as 80 percent infected with spyware--software that surreptitiously reports on a computer user's habits and data.

Both trends highlight a major problem with passwords: Even the best password can be stolen. A digital thief armed with the password would likely appear to be the legitimate system user.

The solution, security experts say, is to use two checks to protect systems--what's known as two-factor authentication. This combines a security device that people need to keep with them--such as a smart card--with a password or secret personal identification number, or PIN, to protect against unauthorized access.

Such security is routinely used by the military and by government agencies.

The U.S. Department of Defense has rolled out a Common Access Card to most personnel, and the Transportation Security Administration has started prototyping its Transportation Workers Identity Card and hopes to have the smart cards issued to 200,000 cargo and transportation workers by June 2005.

In its case, Microsoft hopes to tackle the insecurities posed by more than 60,000 employees and contractors who connect to its network through 175 different remote access points worldwide. That kind of

To complex

I think it costs to much and is to hard to implement a system like this. Having users use complex passwords and change their passwords more often is better. If you use random generated password from Quicky Password Generator or easier to remember ones from software like Password Inspiration then your users will have secure passwords. Plus they won't have to have the expense of the smart card infrastructure.

Hype

The vulnerability of passwords is vastly overstated time and again by analysts pointing out how easily a fast machine can guess passwords. That's true - with the speed of contemporary machines, even a brute force crack is quite feasible. But it is also the easiest thing in the world to prevent. Password policies that screen common words and variations on personal data, and then administratively lock out a password after a number of failed attempts make even modestly complex passwords secure against "cracking."

The real weakness of passwords is that people write them down in obvious places, thus subjecting them to visual theft, or share them with family or colleagues, thus compromising the system. Smart cards address this by forcing people to retain posession of a physical token. While arguably more secure in most respects, it raises its own issues, including theft of cards or card contents, and for the forgetful, unintentional lockouts when they don't have their card with them.

Password manager is the answer

A simple, low cost solution is the use of password managers which are capable of generating complex passwords when users need to fill up sign up forms. Then they track password usage and fill them in when needed with a built in form filler. Some (see http://www.protecteer.com for one) are even capabale of protecting agains phishing scams.
Password mamagers do ot require any infrastructure changes and are easy to deploy.

[Ubber geek]

protecting agains phishing

http://www.analogstereo.com/dual_action_cleanser.htm

[David Arbogast]

Smart Cards are Nice

Our organization is in the process of rolling out more than 100,000 smart cards to employees companywide. I for one, think that they are great. With a single-sign-on solution at the office, the smart card practically eliminates the need for employees to create, change, or remember usernames and passwords. Since we carry ID cards anyhow, and use them to access various buildings, the integration of the "smart" chip was logical and created no additional carry requirements. Security is enhanced, and users have less responsibility. I would encourage others to look into similar solutions.

bleh

In the end I doubt these cards will make much headway. It is an expensive proposition that has yet to be proven more secure then using passwords properly.

I am these cards will replace passwords on a wide scale, right after MS secures its products, which clueless bill thinks will happen in the next 2 years. Ha!

Won't make too much of a difference

Smart cards may be a step to slightly tighten security, but I
would only recommend them for companies. Here are a few
problems with them:

1. Most exploits in no way involve brute forceing passwords, or
getting them through social engineering. They simply exploit
design flaws in programs running on the box.

2. Phishing will work just as well. Smart cards in no way stop
phishing attacks, just change the information gathered. Instead
of tricking you into typing in your password, phishers would just
have you swipe your card.

3. Passwords are stored in your memory. Smart cards are stored
in your wallet. Which one do YOU think is easier for potential
crackers to obtain? Especially if it is an inside company job - The
insider swipes sysop's card, and owns the network.

hmmm... good thinking Gates.