Enforcing Password Complexity without Alienating Users
Protecting passwords from compromise is a challenge for IT managers, who must deal with attacks that aim to compromise systems while giving users the simplicity they want.
Cybercriminals have seemingly mastered the tools used to intercept, retrieve and expose passwords. Even so, passwords remain the preferred method used for protecting systems.
IT administrators have tried to solve the password problem by introducing policies that require passwords to be several characters long, to incorporate special characters or numbers, and to mix upper- and lower-case letters. While this makes it more difficult to guess or crack a password, it can also lead to users calling the help desk for frequent resets of forgotten passwords or, even worse, writing passwords down on sticky notes for the whole world to see.
Is there room for a compromise that can achieve a balance between complexity and simplicity, thus satisfying both users and administrators?
Passwords and Single Sign-on
One compromise is single sign-on technology, which requires a complex password but synchronizes it across multiple services, platforms and applications so users do not have to remember multiple passwords.
SSO can be a costly addition for many organizations, however. And it can introduce another problem: If a cybercriminal learns a single password that is synchronized across platforms, all of the user's information can be accessed. This is especially troubling if the user happens to be a manager or IT administrator.
Digital Key Rings
Some technologies have tried to overcome the SSO issue by eliminating the synchronization of passwords and instead using a "digital key ring" concept, in which passwords are stored and automatically entered into whichever systems require a password.
This allows different account information, as well as passwords, to be maintained for each service (or application or platform). So if one becomes compromised, the rest remain safe.
However, those "digital key rings" must be stored somewhere. They are usually stored on the computer used, which can be a desktop, tablet, notebook computer or other mobile device. This raises the question: "If the device is lost or stolen, does the person now possessing it enjoy full access to everything?"
Also, if access to the digital key ring is lost, will the end user remember all of their account names and passwords to access the services needed to be productive? Simply put, digital key rings can make things simpler for the end user but extremely complex for all involved if one is lost.
Passwords and Multi-factor Authentication
With the initial shortcomings of SSO and digital key rings becoming more evident, other security technologies have emerged to offer another layer of security to the challenge/response methodology used by most password systems.
Grounded in the concepts of identity management comes the idea of multi-factor authentication (MFA), in which two or more independent authentication factors are used to verify a user's identity and grant access only to those possessing the proper credentials.
MFA is nothing new. Anyone who has used an ATM has experienced MFA, or more specifically, two-factor authentication (2FA), where an individual must provide both a physical element (credit/debit card) and a secret only the user knows (personal identification number or PIN).
Although MFA goes a long way toward securing access, it is not foolproof. Imagine the consequences when a cybercriminal has a facsimile of the physical element and has uncovered the secret password. If that compromised knowledge is combined with either SSO or a digital key ring service, it becomes hard to calculate the damage.
Passwords and Acceptable Risk
While no authentication system can be deemed perfect, selecting what works best for a given environment comes down to balancing risk against cost. There are cases where even the most expensive security systems have been compromised and cases where some simple techniques have protected valuable information, so cost should never be the primary factor in choosing an authentication technology to protect enterprise services and data.
However, there is a lot to be said for some of the more expensive technologies on the market, such as RSA SecurID, a two-factor authentication system that offers software and hardware tokens that can be used as the second factor in an authentication scheme.
Here, the user possesses some information (the password), as well as a constantly changing token code that is used as the second factor for entry. That token can take the form of a key fob (with a random number generator) or even a piece of browser-based software that displays a code.
The idea here is to create a non-replicable authentication session, so that any intercepted information cannot be reused to hack into a system. What's more, automated password-guessing tools are of little use: even if a brute-force attempt uncovers a password, it is useless without the second factor.
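The following is an added example, not part of the original article and not RSA SecurID's own (proprietary) algorithm. It generalizes the "constantly changing token" idea using the open TOTP standard (RFC 6238, built on HOTP from RFC 4226), which is what most smartphone authenticator apps implement. The shared seed, timestamps and the `TokenVerifier` class are constructed for the demo; the verifier also records the last accepted time window so that a code intercepted over the wire is rejected on replay even inside its own 30-second window.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo seed (hypothetical). A real token seed is provisioned per user
# and never leaves the server database and the token/app.
DEMO_SECRET = b"constructed-demo-seed-0123456789"
STEP_SECONDS = 30   # each code is valid for one 30-second window
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time window."""
    return hotp(secret, at_time // step)


class TokenVerifier:
    """Server-side check of a submitted code (constructed for this example).

    Accepts the current window plus `drift` windows on either side for clock
    skew, and remembers the highest window already used so an intercepted code
    cannot be replayed, even before its window expires.
    """

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, drift: int = 1):
        self.secret = secret
        self.step = step
        self.drift = drift
        self.last_accepted_window = -1

    def verify(self, submitted: str, at_time: int) -> bool:
        current = at_time // self.step
        for window in range(current - self.drift, current + self.drift + 1):
            if window <= self.last_accepted_window:
                continue                 # already consumed (or older): replay attempt
            expected = hotp(self.secret, window)
            # constant-time comparison so timing does not leak matching digits
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_window = window
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    verifier = TokenVerifier(DEMO_SECRET)
    code = totp(DEMO_SECRET, now)
    print("token shows:", code)
    print("first use accepted:", verifier.verify(code, now))
    print("replay a few seconds later accepted:", verifier.verify(code, now + 5))
    print("same code two minutes later accepted:", verifier.verify(code, now + 120))
```

The point the example makes for the article's argument: a password captured by an attacker is reusable forever, whereas the second factor here changes every 30 seconds and, with the replay check, each code is accepted at most once. The RFC test vectors (seed `12345678901234567890`, counter 0 gives `755224`; time 59 gives `94287082` with 8 digits) can be used to confirm the implementation matches the standard.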
RSA SecurID isn’t the only contender in the market, just one of the best known. Several other vendors promise MFA with token support. Some even use smartphones to generate the tokens for access, eliminating the need for separate hardware. Examples include Vasco Data Security International and Gemalto NV (GTO), two companies with identification software that runs on tokens, tablets and smartphones.
Some – such as the Fast Identity Online Alliance – are calling for technologies that facilitate a reduced reliance on passwords. Those managing enterprise systems will need to take a long hard look at available alternatives and choose a method that removes the weaknesses of single factor authentication, yet does not make access so complicated that productivity is impacted.
Frank Ohlhorst is an award-winning technology journalist, professional speaker and IT business consultant. He has written for leading technology publications including Computerworld, TechTarget, PCWorld, ExtremeTech and Tom's Hardware, and business publications including Entrepreneur, Forbes and BNET. Ohlhorst was also the executive technology editor for Ziff Davis Enterprise's eWeek and a former director of the CRN Test Center.