Passwords are the weak link in IT security

Passwords aren't working, and replacement technologies haven't caught on. Why can't we develop a simple way to secure our data?

Passwords weren't the only fail in last summer's widely publicized "epic hack" of tech journalist Mat Honan -- Amazon, Apple and, to a lesser extent, Google and Honan himself share the blame.

But passwords played a part in the perfect storm of user, service provider and technology failures that wiped out Honan's entire digital life. As he concluded in his account of the hack, "Password-based security mechanisms -- which can be cracked, reset and socially engineered -- no longer suffice in the era of cloud computing."

The problem is this: The more complex a password is, the harder it is to guess and the more secure it is. But the more complex a password is, the more likely it is to be written down or otherwise stored in an easily accessible location, and therefore the less secure it is. And the killer corollary: If a password is stolen, its relative simplicity or complexity becomes irrelevant.

Password security is the common cold of our technological age, a persistent problem that we can't seem to solve. The technologies that promised to reduce our dependence on passwords -- biometrics, smart cards, key fobs, tokens -- have all thus far fallen short in terms of cost, reliability or other attributes. And yet, as ongoing news reports about password breaches show, password management is now more important than ever.

All of which makes password management a nightmare for IT shops. "IT faces competing interests," says Forrester analyst Eve Maler. "They want to be compliant and secure, but they also want to be fast and expedient when it comes to synchronizing user accounts."

Is there a way out of this scenario? The answer, surprisingly, may be yes. There's little consensus on what the best solution will be, but consultants and IT executives express optimism about the future. They cite technologies such as single sign-on, two-factor authentication, machine-to-machine authentication and better biometrics as ways to strengthen security -- eventually. For now, each still has its drawbacks.

The Problem With Passwords

Despite years of well-publicized breaches, weak passwords still subvert IT security, but the most obvious solution -- strong passwords -- comes with its own set of problems.

Complex passwords annoy or stymie users, who subsequently take up IT's time asking for password resets, thereby lowering productivity for both groups. The result, laments Maler: "IT ends up with both a lack of usability and a false sense of security."

What's more, both weak and strong passwords are vulnerable to human error. Among other things, they may be written down, stored in visible places online or on personal devices, shared with friends and co-workers, or divulged via phishing schemes.

It's a problem with old roots. Security expert Larry Ponemon of the Ponemon Institute worked on a project some 15 years ago for a government agency that required users to create 15-character passwords and update them every 30 days.

"If you forgot your password, you had to go to a tyrant at the help desk who would call you incompetent before he'd reset your password," Ponemon remembers. "When I walked through the office, I saw that all these employees working on highly confidential documents had written their passwords on Post-it notes because they didn't want to deal with the tyrant."

At Case Western Reserve University in Cleveland, CISO Tom Siu has seen it all: professors giving passwords to teaching assistants and TAs sharing them with peers. Siu recently traced an unauthorized software download to the ex-boyfriend of a former student.

As our lives proliferate online, the sheer number of passwords that any one person is required to use becomes a problem. The Ponemon Institute conducted a study several years ago to determine how many passwords people could remember. For most people, it was one or two; some could manage three.

"That means you have a top-secret password for your bank," plus one other password "for everything else," says Ponemon. "If someone steals [the latter], they can probably get other challenge and verification information, like the name of your first-grade teacher."

And, despite IT's best efforts, users continue to fall for phishing attacks. "When we educate people about phishing, the number of people who fall for it goes down," says Jonathan Feldman, director of IT services for the city of Asheville, N.C. "But it never goes down to zero."

And then there are hackers. Even strong passwords can be stolen in batches, as multiple high-profile cases have shown.

All of which makes a strong case for a Plan B.

Short-term Solutions: SSO and LDAP

In the short term, Plan B to many IT executives is single sign-on (SSO) technology or the Lightweight Directory Access Protocol (LDAP).

Single sign-on, as its name implies, lets users log in once and then authenticates them for multiple systems. LDAP, which runs on IP networks, works with Microsoft's Active Directory to allow any application using Active Directory to accommodate the same password.

Forrester's Maler notes that one of the big advantages of single sign-on is that it eliminates the need to have multiple systems storing multiple passwords. Ponemon concurs, citing a recent SSO deployment at a healthcare provider where practitioners were complaining about how they had to type in their password every time they moved to a different system. "The SSO system created both efficiency and greater security, because it had built-in safety checks to avoid giving access to the wrong person."


Single Sign-on for the Enterprise

Several enterprise password management tools offer dual-factor authentication along with single sign-on and other security capabilities, such as compliance features. Options include the following:

• ManageEngine's Password Manager Pro

• Thycotic Software's Secret Server

• Splash Data's SplashID Enterprise Safe

• Lieberman Software's Enterprise Random Password Manager

While acknowledging that neither SSO nor LDAP is perfect, Paul Capizzi, who recently left his post as vice president of IT at New York-based insurance firm SBLI USA, says they're better than the alternative. Capizzi says SBLI users generally manage up to a dozen passwords, and if they regularly call the help desk for password resets, that's a waste of time for everyone.

For that reason, most of SBLI's recent upgrades included adding LDAP and single sign-on support. "We'll never turn down the opportunity to use LDAP," he says. "We're always looking for ways to leverage that, because it increases users' performance."

One LDAP drawback: Many legacy systems can't support Active Directory, which means a separate password is still necessary for those systems.

"We still have a mixture of Windows-based applications and custom applications that were never designed to acknowledge the existence of AD," says a retail industry IT executive who asked that his name not be used. "Getting them to talk to each other is an investment of time and money, and it's not always our highest priority."

Feldman, meanwhile, points out that SSO has drawbacks of its own. "If your password gets compromised in one place, it's compromised everywhere," he says.

If an SSO system is breached by a phishing expedition, the hackers can then go to the website and try passwords to get to other parts of the system, he explains. Or they can start probing for an IP stack or a GRE (generic routing encapsulation). Instead of SSO, Feldman uses digital security certificates to limit the city's vulnerability.

Overall, SSO makes users' lives simpler and LDAP makes security administration easier. They're not perfect, sources agree, but together, they do provide some interim value.


Other highly touted security technologies continue to evolve, but at a pace that's too slow for most IT managers. And the newer technologies have flaws of their own.

For example, smart cards aren't widely deployed but are frequently used in highly secure installations. Earlier this year, however, the smart-card readers at the Department of Defense were breached by malware that sniffed the PINs on smart cards. "It was kind of like protecting a nuclear facility with a house key," says Maler.

Nor has biometrics taken off -- yet. The most extensive deployment of biometric technology is in fingerprint readers on Lenovo ThinkPads, which SBLI used for a while. It was a cool feature until the sensors got dirty and it started taking six swipes before the system recognized the user's fingerprint, according to Capizzi.

"Some people said it worked great, but others found it more annoying than typing in a password," he says, noting that the readers also made the laptops more expensive. "From a corporate perspective, I'm not sure biometrics is there yet."

Nevertheless, the retail industry IT executive says he plans to investigate biometrics for a legacy point-of-sale system that can't be integrated with Active Directory. "Our salespeople aren't assigned to a register. Instead, there are multiple POS terminals throughout the store, so they're logging in and out often." He says he'd like to retrofit the POS terminals so employees can access the system with the tap of finger, noting that it would be an improvement over users mistyping passwords or forgetting them altogether.

Security consultant Ponemon holds some optimism for biometrics -- although he chuckles at instances like the botched Department of Homeland Security installation at the border crossing at Nogales, Ariz., where the scanner was installed upside down and failed everyone who tried it. "Implemented correctly, some biometrics systems are really cool," he says. "The Israelis have created very robust voice-recognition tools that can determine identity within a nanosecond."

He says he believes that voice recognition tools will be more viable than facial recognition, fingerprint or iris scanning systems. "People are too nervous" about having their eyes scanned, he points out.

Feldman says he's investigated almost everything under the sun. He's not bullish on biometric tools because he's seen too many of them fail. He's not keen on key fobs (which display a one-time access code after the user enters a PIN) because they have to be discarded after a few years, and because he doubts that users would report lost key fobs. And after the breach of EMC's RSA security division last year, he's not convinced that the vendor's method of displaying access codes -- on a USB-based hardware token -- is viable either.

Cellphones to the Rescue?

That doesn't mean Feldman is down entirely on device authentication, which strengthens the password updating process by using a second trusted channel of communication in addition to a primary network connection. Feldman is looking at using cellphones as the secondary channel. "Everyone's got a phone," he reasons.

Instead of an access code displaying on a hardware token, it would appear in an SMS or text message on a phone. Users wanting to log in to a data center, then, would enter both their password and the randomly generated access code received via their phone.

Forrester's Maler also likes this idea. "IT generates a new, one-time password and provisions it to the enterprise user by means of an alternate channel -- in this case, the carrier network. That's really powerful, because it's part of a password policy that forces change, and it's strong authentication because it involves something you know -- the password -- and something you have -- the computing device."

Case Western's Siu is even more enthusiastic about device authentication. "It'll keep people from sharing credentials, because for that to work, someone has to hand over their phone, and no one wants to do that," he says. The increasing popularity of smartphones improves the feasibility of this method.

Ponemon agrees, and adds that devices even smarter than smartphones may improve security. He believes device recognition technology, where the system recognizes your computer based on its IP address and other recognizable factors, will take hold, especially with security capabilities being built into processors. "It's technology that will get people in and out of systems safely," he says. "Computers with these chips will be low cost, but they'll be useful in a wide array of scenarios."

Whatever device-based technology wins, it will involve a set of checks and balances. "We'll always have password problems," acknowledges Siu. "While users always want a single place to log in, we're going to need multiple levels of authentication." He anticipates that in the future we'll carry something that authenticates us, perhaps our phone or something with an RFID tag, the just as a highway toll transponder authenticates a car at a toll booth or a key fob lets you start a Prius when it's in the vicinity.

Ultimately, even the security experts are optimistic. "We're at a turning point in the security industry," insists Ponemon. "There are lots of venture capital investments looking at this facet of security. It's a response not just to [ breaches at popular sites such as LinkedIn], but to hackers in China and Russia who are looking for weaknesses."

With the threat vector high, so too is the likelihood of a successful technological response. In the meantime, IT will keep on trying to exhort users to choose stronger passwords -- and that includes their own systems administrators. As Maler relates, a recent Forrester study found that the most common administrator password for Microsoft Exchange is -- you could have guessed it -- password1.

Baldwin is a frequent Computerworld contributor.

This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on

Read more about security in Computerworld's Security Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags AppleGooglesecuritymobile securityendpoint security

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Howard Baldwin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts