December 9, 2004 4:00 AM PST
People tend to choose easy-to-remember passwords--which means they're easy to crack. Even complex passwords can be stolen. They've moved from a security measure to a security risk, says Microsoft Chair Bill Gates, who for the past year has been publicly urging customers to stop relying on passwords.
Last month, the software giant set an example for those customers when it kicked off a big push to adopt a second security measure for its internal networks: smart cards for every employee. By the end of 2005, tens of thousands of telecommuting Microsoft employees will be issued the cards, which will be required to log on to the company's networks.
Microsoft is giving telecommuting employees smart cards to alleviate the security risks of weak passwords on its internal networks.
It's not the first time Microsoft has got behind smart cards for security. But this time, factors such as compliance and the Sept. 11 attacks mean companies are sold on security.
"Moving to biometric and smart cards is a wave that is coming, and we see our leading customers doing this," Gates told attendees at the IT Forum in Denmark last month. "In time, we will completely replace passwords."
This isn't the first time Microsoft has got behind smart cards as a second line of protection for businesses. But this time, companies have already been sold on security. Organizations have been made more aware of the danger of passwords by a new set of concerns, such as the terrorist acts of Sept. 11 and Enron-inspired regulations that require companies to account for information security.
To help lock down their networks, many companies are moving to centralized servers for handling the authorization of people attempting to access a network--whether employees entering a corporate system or shoppers logging in to an e-commerce site. These identity management systems make network management more simple, but they also put the most valuable network data in a single place--guarded by a password.
A simple system of a log-on name and a password, no matter how complex, cannot guarantee that an unauthorized user will be prevented from getting access to critical systems.
Passwords chosen by an individual are generally very easy for a machine to guess. Common variations are: a word followed by numbers, two words together, or a word with a number replacing a letter. All can be broken within minutes by the latest password-cracking programs.
"Any password that we can expect people to remember can be brute-forced," said Bruce Schneier, chief technology officer for Counterpane Internet Security and author of several books on security.
Consumers are worried as well. Phishing attacks--scams that use e-mail messages and fake Web sites to fool victims into giving up personal information--will likely cost home users between $150 million and $500 million, according to two estimates.
In addition, surveys of home PCs have found as many as 80 percent infected with spyware--software that surreptitiously reports on a computer user's habits and data.
Both trends highlight a major problem with passwords: Even the best password can be stolen. A digital thief armed with the password would likely appear to be the legitimate system user.
The solution, security experts say, is to use two checks to protect systems--what's known as two-factor authentication. This combines a security device that people need to keep with them--such as a smart card--with a password or secret personal identification number, or PIN, to protect against unauthorized access.
Such security is routinely used by the military and by government agencies.
The U.S. Department of Defense has rolled out a Common Access Card to most personnel, and the Transportation Security Administration has started prototyping its Transportation Workers Identity Card and hopes to have the smart cards issued to 200,000 cargo and transportation workers by June 2005.
In its case, Microsoft hopes to tackle the insecurities posed by more than 60,000 employees and contractors who connect to its network through 175 different remote access points worldwide. That kind of
Page 1 | 2
7 commentsJoin the conversation! Add your comment