January 14, 2005 12:00 AM PST

Perspective: Password juggling no more?
I came to a conclusion the other day: There are far too many electronic versions of me out there.

By that I mean that I have far too many Net IDs and passwords. There's really no hope of me ever remembering them all, so I've become a case study in bad security habits. I write them down. I pick easily guessed passwords and invent ever more creative ways of spelling my dog's name. I e-mail passwords to myself. And I reuse them--over and over and over.

The world is awash in Wi-Fi zones. High-speed cable and DSL are rampant. Intel CEO Craig Barrett tells me that ubiquitous wireless access--WiMax--is just around the corner. Still, I have passwords and usernames scrawled on yellow stickies plastered to my monitor. There's something wrong with this picture.

I thought that by now, things like Microsoft's Passport would have delivered us to the promised land of federated single sign-on, where we have only one password-username combo to remember, and everyone knows our name.

But Passport is in shambles. One of Microsoft's most prominent Passport partners, eBay, said just after the holiday shopping season that it would stop accepting Passport log-ins from its customers. Online job site Monster.com dropped support for Passport on Oct. 22. And a list of sites that had partnered with the software giant has vanished from the company's Web site.

Passport's demise comes even as Microsoft Chairman Bill Gates continues to tell us that passwords are evil and will soon become passé. OK, I buy that. Microsoft has kicked off a new internal system that uses smart cards to bolster security. But what about the rest of us?

Well, for businesses looking to secure internal systems and links to partners, the news is encouraging. Microsoft's one-time rival in the single sign-on technology race, the Liberty Alliance, continues to sign up software makers and big companies that pledge to build Web sites and products that support federated identification.

But the 150 Liberty members still need to build support for Liberty's specifications into products. That takes time.

Microsoft and RSA Security teamed to produce a security device called SecurID for Windows, which debuted last fall. The device generates a constantly changing sequence of numbers that a user has to type in alongside their normal password in order to log onto corporate networks.

The recent focus on regulatory compliance, thanks to things like Sarbanes-Oxley and the Patriot Act, has driven big companies to get serious about secure identity management. Technologies such as enterprise single sign-on are gaining steam to lock down intracompany communications. And central provisioning software helps take some of the manual labor and error out of granting access to corporate applications.

Since identity theft has become the fastest-growing type of crime in the United States, according to Forrester Research, it seems in the best interest of businesses--particularly online retailers--to protect consumers.

However, little has changed in the consumer area. Microsoft tells us to be patient and wait for Longhorn, which should make it easier to manage identity on desktop machines and Windows-based servers. An update coming later this year for Windows Server 2003 will include identity federation technology, but that is aimed mostly at securing business-to-business communications.

The big idea for the future of ID management is electronic smart cards that securely identify people online and allow them to have different personas, according to Microsoft's top security strategist, Scott Charney. But don't hold your breath: We're talking the future.

So where does that leave us? Juggling passwords and keeping the yellow-sticky people in business. There's got to be a better way.

Biography
Mike Ricciuti is CNET News.com's Cambridge, Mass., executive editor and bureau chief.


20 Comments
There must be a better way - yes indeed.
by January 14, 2005 2:07 AM PST
Products that exist today and help in password juggling are: password managers.
Some of them (SignupShield by protecteer.com) are fine-tuned to help users fight phishing. They do so by alerting them in real time when they are about to be "phished out", allowing them to abort submission of sensitive information.

Password managers do not completely solve the problem, but they are a very good interim solution until better infrastructure is in place.
It's the Money
by wahooyahoo January 14, 2005 3:04 AM PST
Gates and his counterparts talk the talk, but the bottom line is money. We get protection when enough money is involved. Notice Microsoft's stock prices lately??
Alas, Your Savior Hath Arrived
by lauchlinmac January 14, 2005 6:45 AM PST
Keepass is a great FREE program to store passwords. Not only that, but it can CREATE passwords using an algorithm involving the movement of your mouse. One password to get into the program and access all of your passwords.

Another great thing if you have a thumb drive, you can store your password on the thumb drive, essentially creating a "key" to start your password database. This is an absolutely awesome program, and will allow you to send those sticky notes to yellow note heaven.
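The two things the commenters above value in a password manager, a generator for random passwords and a single master password guarding the store, rest on two primitives: a cryptographic random source and a slow key derivation that turns the master password into a key. The example below is added here and is not KeePass's or Roboform's code; the class-coverage rule, the PBKDF2 iteration count and the `unlock` verifier construction are my own choices, and the salt and master password in the demo are constructed values.

```python
"""Building blocks of a password manager: random password generation and a
master password stretched into a vault key. Added example, not KeePass/Roboform code."""
import hashlib
import hmac
import math
import secrets
import string
from typing import Optional, Sequence

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
DEFAULT_CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)


def generate_password(length: int = 16, classes: Sequence[str] = DEFAULT_CLASSES) -> str:
    """Uniformly random password over the union of the classes. Candidates missing a
    class are rejected and redrawn, which satisfies site policies without biasing
    any particular position (unlike 'force a digit into slot 3')."""
    if length < len(classes):
        raise ValueError("length too short to cover every character class")
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing work for a uniformly generated password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def derive_vault_key(master_password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """PBKDF2-HMAC-SHA256 stretches the master password so offline guessing is slow.
    The iteration count is an assumed value; tune it to ~0.5 s on the target hardware."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def make_verifier(key: bytes) -> bytes:
    """Stored check value (assumed design): HMAC of a fixed label under the derived key,
    so a wrong master password can be detected without storing the key itself."""
    return hmac.new(key, b"vault-key-check", hashlib.sha256).digest()


def unlock(master_password: str, salt: bytes, stored_verifier: bytes,
           iterations: int = 600_000) -> Optional[bytes]:
    """Return the vault key when the master password is right, otherwise None."""
    key = derive_vault_key(master_password, salt, iterations)
    if hmac.compare_digest(make_verifier(key), stored_verifier):  # constant-time comparison
        return key
    return None


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"({entropy_bits(20, len(''.join(DEFAULT_CLASSES))):.1f} bits)")
    salt = secrets.token_bytes(16)                 # fresh random salt per vault
    master = "constructed-master-password"         # demo value only
    verifier = make_verifier(derive_vault_key(master, salt))
    print("unlock right:", unlock(master, salt, verifier) is not None)   # True
    print("unlock wrong:", unlock("guess", salt, verifier) is None)      # True
```

The whole scheme is only as strong as the master password, which is why the derivation is deliberately slow: every guess an attacker makes against a stolen vault file costs the same 600,000 iterations the legitimate user pays once at unlock.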
Use "Roboform"
by January 14, 2005 8:35 AM PST
It's a small price to pay (about $20 I think). It keeps all your usernames and passwords in one place, will generate(and then store) random passwords for you.
It has the best form filler I have seen, I don't have to fill out web forms any more when I buy something on line. It can fill in 95% of a form it has never seen before.
All protected by a master password (and I store all the Roboform data on a USB stick on my keyring, so always have it with me).
It's superb!
--
Jules
I have no connection with roboform whatsoever, am just a very happy customer.
There is a better way ...
by January 14, 2005 10:20 AM PST
Here at Sxip we have designed and built a system, available as Open Source, that lays the framework. Ironic that in order to comment on this story, I needed to create yet-another-account! :)
Local Smart Access ... What About Remote?
by mwrisner January 14, 2005 10:34 AM PST
The push is underway to control local access to workstations. But what about all those 'Net IDs and passwords? I'm not certain I want the information on my smart card explicitly sent over the Internet or WAN, encrypted or otherwise. Smarter people than me need to address this issue better.
Yahoo security has been breached and they won't fix it.
by Itsya January 14, 2005 1:28 PM PST
It has been a while since I worked for Cable and Wireless, and even though I got a Trojan back door worm in 1999 and had to rip up my computer, this is the worst disaster I have had. Please help me, my Yahoo (paid) account was hacked and Yahoo has autoresponded, and finally I got one response from a human; they have no phone access and I am still blocked from using my account because they refuse to recognize my information, so I can't change my password--therefore I can't use my account, that has all my information, address book, photos. Please help me try to figure out a way to make Yahoo accountable and get me into my account. Thanks
Isabella Hale
mustomusto@yahoo.com
(emergency back up account)
Password juggling?
by broadacres January 14, 2005 2:09 PM PST
I came up with a simple solution which works for me. I set up an Excel file to store all my passwords and logins. Now I have to remember only the password to this file.
It's who you are, not what you have, that is the only answer here
by January 14, 2005 5:22 PM PST
Until interfaces are available that avoid tokens and all other paraphernalia, this problem will never be solved.

After all security is about a gate keeper being convinced you are who you say you are. No amount of shared secrets addresses the total weakness of token based systems including RSA's/MSFT's approach.

The only system that comes close to closing this gap is biometrics with a liveness test; e.g. fingerprints etc. fail at this. The only system I know of to do this is speech based with a liveness test. For example, say this 'phrase chosen from a 10,000 word dictionary' with speaker verification.

Check out www.vocent.com.
Biometrics might be on the right path
by January 17, 2005 8:45 PM PST
There is a flaw though.

People get injured and voices can change and body parts lost, etc. Compare this to the current system and it is far better, but it still has the danger of creating some serious problems.
I suspected that wish I had looked here
by Itsya March 25, 2007 4:00 PM PDT
That is an interesting comment, and I have been back here looking at responses about that hacking, which I will not remove from posting ever as long as I have a breath in me, because Yahoo never did give any reason or satisfaction and I was permanently blocked out of my account that had all kinds of important personal information.
Anyway, I did update my name so everyone wouldn't see it. I will think about that.
You Need USBs - Universal Security Biometrics
by January 17, 2005 8:27 PM PST
The major problem in security is the security measure itself. You're absolutely right about too many passwords - I try to be creative with logins and passwords for each site I register, because I fear one of the sites may get hacked and my identity revealed.

The solution can only come from a universally adopted/accepted/mandated security standard - even passwords have varying degrees of security (e.g. c|net requires only 6 letter/number combinations while others require at least 1 letter and 1 number and a special character as the login and password!!)

Smart cards and biometric devices (retina scan/thumbprint ID systems) are great, but every machine that accesses the Internet or computer network needs to have the interface. Can you imagine having a retina scanner for your Web-enabled wireless phone? Actually that might not be too farfetched.

But that too opens the can of worms screaming "RIGHT TO PRIVACY!" ... "RIGHT TO PRIVACY!" The more secure you want to be, the more you have to reveal about yourself. A Catch 22 of sorts.

Well I've rambled long enough. Thanks for reading.
true
by January 17, 2005 8:48 PM PST
What happens if a person's digital pattern of their retina gets stolen? Anything hardware can do, software can emulate. That is a possibility and really makes biometrics a small increase in security over standard passwords.
I hope that happens one day
by Itsya March 25, 2007 4:11 PM PDT
In a utopian society, I don't think it ever will, because those security measures using biometrics are still not secure, as seen on Sci Fi, but unfortunately those scary stories about retinas and thumbs being stolen to hack into accounts could happen one day. And I am now asking a hypothetical question: Suppose you were in charge of, say, Fort Knox gold bullion (assuming there is still gold in Ft Knox :) ) and you were the person with the biometric key code (and I am not specifying what that key code is) on your body somewhere, and some friends inadvertently blabbed on the internet or bragged about "knowing the guy/gal who has the key to all the gold in Ft Knox". Then a bad guy (and obviously this is in the not too distant future) found out about this via googling, or Zabba search or background check, or zoomed in on your house using Zillow, etc., and since this is a computer audience, you know how easy that is to do, and he comes over and extracts the biometric code from you. Arrggh.
The question is, would you allow yourself to accept a biometric code of that magnitude?
I know I wouldn't. Now go back and substitute
local bank ATM, vault, safe deposit box, Jaguar car, access to your company's computers in the 'chilled vaults', etc., any of those scenarios for Ft Knox.
I know I wouldn't, so I am not sure biometrics would work, and now that I threw that out there, since I am just an ordinary person, non-geek for a living, I don't have an answer. I hope someone does. Thanks for reading as well, have a good one, IH
phones perhaps?
by January 18, 2005 7:45 AM PST
I am not a very smart person, but instead of making users carry something additional, like a biometric device or random number generating device, wouldn't it be easier to just use something most of us already have? Like a phone perhaps. Here's a link if this interests you: http://www.sftnj.com
Federated v. Centralized Systems
by January 18, 2005 10:59 AM PST
What's needed is a federated identity management system, not a centralized SSO. The untold story of Passport v. Liberty Alliance is the struggle between centralized and federated systems.
See also this piece on federated identity management:
http://news.zdnet.com/2100-1009_22-5535345.html
The way starts with a digital identity
by January 18, 2005 2:44 PM PST
The better way starts with a permanent digital identity for individuals. This identity isn't just for managing passwords.

It includes your email address, web presence as well as digital passport and extends to your social networking personas.

Start with a permanent email and web presence. Stop using Yahoo, AOL or Hotmail. Use a self-branding identity like that offered by PW Registry (www.pwregistry.pw) which offers 100% of the world's surnames, ethnic groups and random strings. This will provide you with an ISP independent spam-free email address and personal website.

Then layer on a digital passport from identity Commons called i-names. This will handle your single sign-on and social networking activity.

You can start using these now and never have to change your address again.

Tom
Federated doh, what?
by Itsya March 25, 2007 4:14 PM PDT
Man, that sounds too complicated and confusing, and I hate the word "Federated" associated with anything as personal as a password or even biometric access. Sounds scary and intrusive, but what do I know, I am a mere user. ih