Passwords weren't the only fail in last summer's widely publicized "epic hack" of tech journalist Mat Honan -- Amazon, Apple and, to a lesser extent, Google and Honan himself share the blame.
But passwords played a part in the perfect storm of user, service provider and technology failures that wiped out Honan's entire digital life. As he concluded in his account of the hack, "Password-based security mechanisms -- which can be cracked, reset and socially engineered -- no longer suffice in the era of cloud computing."
The problem is this: The more complex a password is, the harder it is to guess and the more secure it is. But the more complex a password is, the more likely it is to be written down or otherwise stored in an easily accessible location, and therefore the less secure it is. And the killer corollary: If a password is stolen, its relative simplicity or complexity becomes irrelevant.
Password security is the common cold of our technological age, a persistent problem that we can't seem to solve. The technologies that promised to reduce our dependence on passwords -- biometrics, smart cards, key fobs, tokens -- have all thus far fallen short in terms of cost, reliability or other attributes. And yet, as ongoing news reports about password breaches show, password management is now more important than ever.
All of which makes password management a nightmare for IT shops. "IT faces competing interests," says Forrester analyst Eve Maler. "They want to be compliant and secure, but they also want to be fast and expedient when it comes to synchronizing user accounts."
Is there a way out of this scenario? The answer, surprisingly, may be yes. There's little consensus on what the best solution will be, but consultants and IT executives express optimism about the future. They cite technologies such as single sign-on, two-factor authentication, machine-to-machine authentication and better biometrics as ways to strengthen security -- eventually. For now, each still has its drawbacks.
The Problem With Passwords
Despite years of well-publicized breaches, weak passwords still subvert IT security, but the most obvious solution -- strong passwords -- comes with its own set of problems.
Complex passwords annoy or stymie users, who subsequently take up IT's time asking for password resets, thereby lowering productivity for both groups. The result, laments Maler: "IT ends up with both a lack of usability and a false sense of security."
What's more, both weak and strong passwords are vulnerable to human error. Among other things, they may be written down, stored in visible places online or on personal devices, shared with friends and co-workers, or divulged via phishing schemes.
It's a problem with old roots. Security expert Larry Ponemon of the Ponemon Institute worked on a project some 15 years ago for a government agency that required users to create 15-character passwords and update them every 30 days.
"If you forgot your password, you had to go to a tyrant at the help desk who would call you incompetent before he'd reset your password," Ponemon remembers. "When I walked through the office, I saw that all these employees working on highly confidential documents had written their passwords on Post-it notes because they didn't want to deal with the tyrant."
At Case Western Reserve University in Cleveland, CISO Tom Siu has seen it all: professors giving passwords to teaching assistants and TAs sharing them with peers. Siu recently traced an unauthorized software download to the ex-boyfriend of a former student.
As our lives proliferate online, the sheer number of passwords that any one person is required to use becomes a problem. The Ponemon Institute conducted a study several years ago to determine how many passwords people could remember. For most people, it was one or two; some could manage three.
"That means you have a top-secret password for your bank," plus one other password "for everything else," says Ponemon. "If someone steals [the latter], they can probably get other challenge and verification information, like the name of your first-grade teacher."
And, despite IT's best efforts, users continue to fall for phishing attacks. "When we educate people about phishing, the number of people who fall for it goes down," says Jonathan Feldman, director of IT services for the city of Asheville, N.C. "But it never goes down to zero."
And then there are hackers. Even strong passwords can be stolen in batches, as multiple high-profile cases have shown.
All of which makes a strong case for a Plan B.
Short-term Solutions: SSO and LDAP
In the short term, Plan B to many IT executives is single sign-on (SSO) technology or the Lightweight Directory Access Protocol (LDAP).
Single sign-on, as its name implies, lets users log in once and then authenticates them for multiple systems. LDAP, which runs on IP networks, works with Microsoft's Active Directory to allow any application using Active Directory to accommodate the same password.
Forrester's Maler notes that one of the big advantages of single sign-on is that it eliminates the need to have multiple systems storing multiple passwords. Ponemon concurs, citing a recent SSO deployment at a healthcare provider where practitioners were complaining about how they had to type in their password every time they moved to a different system. "The SSO system created both efficiency and greater security, because it had built-in safety checks to avoid giving access to the wrong person."
Single Sign-on for the Enterprise
Several enterprise password management tools offer dual-factor authentication along with single sign-on and other security capabilities, such as compliance features. Options include the following:
aC/ ManageEngine's Password Manager Pro
aC/ Thycotic Software's Secret Server
aC/ Splash Data's SplashID Enterprise Safe
aC/ Lieberman Software's Enterprise Random Password Manager
While acknowledging that neither SSO nor LDAP is perfect, Paul Capizzi, who recently left his post as vice president of IT at New York-based insurance firm SBLI USA, says they're better than the alternative. Capizzi says SBLI users generally manage up to a dozen passwords, and if they regularly call the help desk for password resets, that's a waste of time for everyone.
For that reason, most of SBLI's recent upgrades included adding LDAP and single sign-on support. "We'll never turn down the opportunity to use LDAP," he says. "We're always looking for ways to leverage that, because it increases users' performance."
One LDAP drawback: Many legacy systems can't support Active Directory, which means a separate password is still necessary for those systems.
"We still have a mixture of Windows-based applications and custom applications that were never designed to acknowledge the existence of AD," says a retail industry IT executive who asked that his name not be used. "Getting them to talk to each other is an investment of time and money, and it's not always our highest priority."
Feldman, meanwhile, points out that SSO has drawbacks of its own. "If your password gets compromised in one place, it's compromised everywhere," he says.
If an SSO system is breached by a phishing expedition, the hackers can then go to the website and try passwords to get to other parts of the system, he explains. Or they can start probing for an IP stack or a GRE (generic routing encapsulation). Instead of SSO, Feldman uses digital security certificates to limit the city's vulnerability.
Overall, SSO makes users' lives simpler and LDAP makes security administration easier. They're not perfect, sources agree, but together, they do provide some interim value.
Other highly touted security technologies continue to evolve, but at a pace that's too slow for most IT managers. And the newer technologies have flaws of their own.
For example, smart cards aren't widely deployed but are frequently used in highly secure installations. Earlier this year, however, the smart-card readers at the Department of Defense were breached by malware that sniffed the PINs on smart cards. "It was kind of like protecting a nuclear facility with a house key," says Maler.
Nor has biometrics taken off -- yet. The most extensive deployment of biometric technology is in fingerprint readers on Lenovo ThinkPads, which SBLI used for a while. It was a cool feature until the sensors got dirty and it started taking six swipes before the system recognized the user's fingerprint, according to Capizzi.
"Some people said it worked great, but others found it more annoying than typing in a password," he says, noting that the readers also made the laptops more expensive. "From a corporate perspective, I'm not sure biometrics is there yet."
Nevertheless, the retail industry IT executive says he plans to investigate biometrics for a legacy point-of-sale system that can't be integrated with Active Directory. "Our salespeople aren't assigned to a register. Instead, there are multiple POS terminals throughout the store, so they're logging in and out often." He says he'd like to retrofit the POS terminals so employees can access the system with the tap of finger, noting that it would be an improvement over users mistyping passwords or forgetting them altogether.
Security consultant Ponemon holds some optimism for biometrics -- although he chuckles at instances like the botched Department of Homeland Security installation at the border crossing at Nogales, Ariz., where the scanner was installed upside down and failed everyone who tried it. "Implemented correctly, some biometrics systems are really cool," he says. "The Israelis have created very robust voice-recognition tools that can determine identity within a nanosecond."
He says he believes that voice recognition tools will be more viable than facial recognition, fingerprint or iris scanning systems. "People are too nervous" about having their eyes scanned, he points out.
Feldman says he's investigated almost everything under the sun. He's not bullish on biometric tools because he's seen too many of them fail. He's not keen on key fobs (which display a one-time access code after the user enters a PIN) because they have to be discarded after a few years, and because he doubts that users would report lost key fobs. And after the breach of EMC's RSA security division last year, he's not convinced that the vendor's method of displaying access codes -- on a USB-based hardware token -- is viable either.
Cellphones to the Rescue?
That doesn't mean Feldman is down entirely on device authentication, which strengthens the password updating process by using a second trusted channel of communication in addition to a primary network connection. Feldman is looking at using cellphones as the secondary channel. "Everyone's got a phone," he reasons.
Instead of an access code displaying on a hardware token, it would appear in an SMS or text message on a phone. Users wanting to log in to a data center, then, would enter both their password and the randomly generated access code received via their phone.
Forrester's Maler also likes this idea. "IT generates a new, one-time password and provisions it to the enterprise user by means of an alternate channel -- in this case, the carrier network. That's really powerful, because it's part of a password policy that forces change, and it's strong authentication because it involves something you know -- the password -- and something you have -- the computing device."
Case Western's Siu is even more enthusiastic about device authentication. "It'll keep people from sharing credentials, because for that to work, someone has to hand over their phone, and no one wants to do that," he says. The increasing popularity of smartphones improves the feasibility of this method.
Ponemon agrees, and adds that devices even smarter than smartphones may improve security. He believes device recognition technology, where the system recognizes your computer based on its IP address and other recognizable factors, will take hold, especially with security capabilities being built into processors. "It's technology that will get people in and out of systems safely," he says. "Computers with these chips will be low cost, but they'll be useful in a wide array of scenarios."
Whatever device-based technology wins, it will involve a set of checks and balances. "We'll always have password problems," acknowledges Siu. "While users always want a single place to log in, we're going to need multiple levels of authentication." He anticipates that in the future we'll carry something that authenticates us, perhaps our phone or something with an RFID tag, the just as a highway toll transponder authenticates a car at a toll booth or a key fob lets you start a Prius when it's in the vicinity.
Ultimately, even the security experts are optimistic. "We're at a turning point in the security industry," insists Ponemon. "There are lots of venture capital investments looking at this facet of security. It's a response not just to [ breaches at popular sites such as LinkedIn], but to hackers in China and Russia who are looking for weaknesses."
With the threat vector high, so too is the likelihood of a successful technological response. In the meantime, IT will keep on trying to exhort users to choose stronger passwords -- and that includes their own systems administrators. As Maler relates, a recent Forrester study found that the most common administrator password for Microsoft Exchange is -- you could have guessed it -- password1.
Baldwin is a frequent Computerworld contributor.
This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on Computerworld.com.
Read more about security in Computerworld's Security Topic Center.
This story, "Passwords are the Weak Link in IT Security" was originally published by Computerworld.