• On The Insider: Sexiest Magazine Covers of All Time
advertisementElectronics & Computers Deals here!

September 14, 2005 11:06 AM PDT

Companies urged to move beyond passwords

By Tom Espiner
Special to CNET News.com

Related Stories

Microsoft's leaner approach to Vista security

 August 29, 2005

PassMark picks up voice authentication

 August 24, 2005

Microsoft security guru: Jot down your passwords

 May 23, 2005

Mitigating identity theft

 April 14, 2005

Expert: Better ID checks won't beat fraud

 March 15, 2005

Finding a replacement for passwords

 February 23, 2005

Password imperfect

 December 9, 2004
Companies are "fiddling while Rome burns" by continuing to put their faith in passwords to guarantee user authentication, a Gartner analyst has warned.

Speaking at the Gartner IT Security Summit in London on Wednesday, Ant Allan said that "passwords are no longer adequate, as threats against them increase."

Those emerging threats are intimately linked to emerging technology such as Wi-Fi and Web services. As the usage of these services grows, more cybercriminals will attempt to exploit them. There is a business value in adopting new technology, but security needs to keep up, according to Gartner.

Previous story
Microsoft security guru: Jot down your passwords
Jesper Johansson says the security industry has been giving out the wrong advice on passwords for 20 years.

The increasing sophistication of attacks and the professionalism of cybercriminal gangs have led companies to make passwords longer, or to change them more frequently. "This is a bad idea," said Jay Heiser, a Gartner research vice president. "Users respond by forgetting passwords, or writing them down, which can compromise security in a different way."

The future of authentication is "something stronger," Allan said. "RSA security tokens, smart cards and biometrics are becoming increasingly popular. The problem with those methods is that they are expensive to implement," he said.

Some security experts have been urging companies to use two-factor authentication--where users present a second form of identification as well as their password--for some time, though not all agree it is the way forward. Security guru Bruce Schneier summed up many of the arguments against two-factor authentication in an interview earlier this year, saying: "People are selling two-factor authentication as the solution to our current identity-theft problems, but it was designed to solve the issues from 10 years ago."

"We are finding that European companies are more accepting of the higher cost of these solutions, while the U.S. back away because they don't want to burden users (with complex procedures)," Allan said.

Less-expensive solutions include mobile phone tokens for one-time password authentication, or ID cards.

Colin Thompson, vice president of enterprise sales at security company Aladdin, agreed that companies will need to start tying in some kind of physical ID with digital ID.

"To access your bank account, you need a bank card and PIN," he said. "If you lose that card, you know your security has been compromised. We need some kind of smart card or certification, because individual users in companies are still at risk.

"Two-factor authentication is the way forward. Once you're into a system, we need greater simplicity, though. No more different username and password for different sites."

The risk of passwords being compromised is becoming greater and greater because it's becoming easier to download tools that will crack them, said John Girard, another Gartner analyst.

"The 'Magical Jellybean' tool is downloadable, and will find your license key if you've lost it," he told the audience at the security summit, referring to a utility that is freely available over the Web.

"'Free Word and Excel password recovery wizard' enables you to crack passwords by brute force. It's good for shorter passwords. Longer passwords take about 16 hours, but if you really want to get in, you can," Girard warned.

The problem with most passwords is that there is nothing in the system to stop you looking again and again, so they are susceptible to brute force, Girard said.

Tom Espiner of ZDNet UK reported from London.

See more CNET content tagged:
authentication, Gartner Inc., password, smart card, security

Add a Comment (Log in or register) 7 comments
They've been saying this for years
by bobby_brady September 14, 2005 11:29 AM PDT
Passwords will be around for a long time.
Reply to this comment View reply
Of course, with only one ID & Password
by September 14, 2005 12:23 PM PDT
it sure makes it easy for someone to get into everything once they
figure out how to hack it
Reply to this comment
For those who care about American IT and our national security
by 207796398873175208235380528963 September 14, 2005 3:32 PM PDT
This is a MUST reading for those who care about the future of American IT and our national security (see the link): http://www.alexanderbell.us/Initiative/IT.htm
Reply to this comment
Who can Afford Two Factor and Infrastructure?
by fred dunn September 15, 2005 5:32 AM PDT
We have been tangling with different vendors for two factor authentication for ~10,000 users. But with the costs for the simplist solution costing us a minimum of $250,000 to $500,000 how can we afford it. Although we realize the implications and limitions of password authentication we are also realists.
Beyond the fiscal costs are the training, helpdesk, and ongoing maintenance costs.

Bottom line: Until smartcard token vendors can get their products to an affordable level as to afford the other costs involved it is almost an impossible sell to administration.

Fred Dunn
Reply to this comment
How Companies urged to move beyond passwords
by September 15, 2005 7:43 AM PDT
How Companies urged to move beyond passwords

Mr. A.T. Alishtari, POA and Founder EDI Secure LLLP, says passwords are passe' if you consider that they can be phished, hacked, trojan horsed, pharmed, robot takeover or any number of possibilities beyond the mind's imagination.

Still keeping the swipe offline is the best way to protect consumers using the single use credit card number patent that this Company owns for the US only. Some things are easier than others.
Reply to this comment View reply
Powered by Jive Software
advertisement

Latest tech news headlines

Resource center from News.com sponsors
You Need The Speed of Norton 2009
Introducing Norton Internet Security™2009

Click Here!
With one-click, one-minute install, under 8MB of memory usage and fewer, shorter scans, it's the fastest security suite anywhere. Norton. Smart Security, Engineered for Speed. Get a FREE trial today!

Click Here!
The Fastest Security Suite Anywhere

Experience the revolutionary Norton Internet Security™ 2009. With Norton™ Insight, a new feature, you get precision security that targets only at risk files for fewer, faster, shorter scans

Win a Trip to Space!*

Enter the Blast Off with Norton Sweepstakes for your shot at a trip to space. You could experience being fast and weightless, just like the new Norton 2009. *No purchase necessary; click for full details.

FREE Trial!

Act now to get your FREE trial of Norton Internet Security 2009. Try it for the protection. Love it for the speed

Norton Safe Web NEW!

A community-based system that rates web site safety

Norton Labs NEW!

Users can download new security technologies and share input directly with developers. Help us shape our future products!

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

advertisement

Inside CNET News

Scroll Left Scroll Right
News
Latest news
Business tech
Green tech
Wireless
Security
Media
Popular topics
Apple iPhone
Apple iPod
Best hybrid cars
Cell phones
Dell
GPS
CNET sites
CNET TV
Downloads
News
Reviews
Shopper.com
Site map
More information
Newsletters
Corrections
Customer Help Center
RSS
What's new
About CNET