Beyond Passwords: Stronger Authentication

When passwords are no longer sufficient, enterprises have plenty of options to improve security.
Today, many organizations enforce password length, complexity, and update rules, operating under the premise that passwords longer than seven alphanumeric characters take much longer to brute-force crack than shorter, simpler passwords. While this is true, the actual time required to guess real user passwords with cracking tools like L0phtCrack and John The Ripper can be far less. Many users have dozens of passwords, defined independently, with conflicting rules regarding complexity, update, and reuse. It's human nature to pick passwords that are easy to remember, like birthdays or the names of a spouse, child, pet, or sports team. To satisfy complexity rules, many users define passwords with a convention, like appending one digit to the same base string. These common practices can make passwords relatively easy to guess in just minutes using dictionary or partial-knowledge attacks.

For most people, remembering a complex password longer than 7 characters means writing it down somewhere, like on a post-it note that could easily fall into the wrong hands. Some users save passwords in e-mail folders or files, but an unprotected password list is a security incident waiting to happen. Encrypted password "safes" are far better, but even those programs often depend upon one password to unlock the rest.

No matter what their length, passwords are easily compromised through social engineering. In the past, attackers would pose as tech support, calling users to assist with bogus problem resolution and, in the process, request their passwords. Today, attackers flood mailboxes with spam that "phishes" for passwords by luring users to phony websites where they are prompted to "confirm" their account parameters.

For these and many other reasons, password authentication provides a weak foundation for authorization and access control. Putting a weak password in front of an otherwise secure server, firewall, or VPN service is like putting a screen door on a bank vault.
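As an added illustration (not part of the original article), here is a defender-side policy check that flags passwords which satisfy the usual complexity rules yet follow the conventions described above: a dictionary word or personal detail with digits and symbols bolted on, or the same base string as a previous password with a new digit. The word list, personal hints and sample passwords are constructed for the example.

```python
import re

# Constructed stand-in for the word lists that cracking tools ship with.
COMMON_WORDS = {"password", "summer", "dragon", "yankees", "fluffy", "welcome"}

# Common letter/symbol substitutions users apply to satisfy complexity rules.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def base_string(password: str) -> str:
    """Recover the 'base string' behind a conventional password: lower-case it,
    drop the digits/symbols bolted onto either end (the 'append one digit'
    habit), then undo common substitutions such as @ for a and 0 for o."""
    s = password.lower()
    s = re.sub(r"[^a-z]+$", "", s)   # trailing digits/symbols, e.g. "2024!"
    s = re.sub(r"^[^a-z]+", "", s)   # leading digits/symbols
    return s.translate(LEET)


def meets_complexity(password: str) -> bool:
    """The rule set the article describes: longer than 7 characters, with
    lower- and upper-case letters, a digit and a symbol."""
    return (len(password) > 7
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"\d", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


def weakness_reasons(password, personal_hints=(), previous=()):
    """Reasons a complexity-compliant password is still easy to guess.
    personal_hints: constructed per-user details (pet, team, spouse) that a
    partial-knowledge attack would try first; previous: the user's old
    passwords, to catch the same base string reused with a new digit."""
    reasons = []
    base = base_string(password)
    lowered = password.lower()
    if base in COMMON_WORDS:
        reasons.append("dictionary word with digits/symbols appended")
    for hint in personal_hints:
        h = hint.lower()
        if len(h) >= 4 and (h in lowered or h in base):
            reasons.append(f"contains personal detail {hint!r}")
    if base and any(base_string(old) == base for old in previous):
        reasons.append("same base string as a previous password")
    return reasons


if __name__ == "__main__":
    # Constructed examples: both pass the complexity check; only one is sound.
    for pw in ("Fluffy2024!", "Velvet-Tundra-Kettle-9"):
        print(pw, meets_complexity(pw),
              weakness_reasons(pw, ("Fluffy", "Yankees"), ("Fluffy2023!",)))
```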
ISPs can reduce their own risk, and grow customer confidence, by employing stronger authentication methods.

Exploring The Alternatives

Authentication factors may include:
Credentials that you know, like passwords and PINs, are widely used because they are cheap and easy to implement. Passwords are free, users can generate them without assistance, and password authentication is embedded in just about every operating system and client/server protocol. In fact, the only significant operational expense is password reset/recovery. According to Burton Group and Gartner studies, password resets represent 30 percent of all help desk calls. The META Group estimates that each help desk call costs $25. Clearly, this "hidden cost" of password authentication can really add up. You may be spending more than you realize for a solution that's relatively weak.

Even so, stronger credentials are more expensive and more difficult to implement than plain old passwords. In some cases, there are material costs associated with hardware (e.g., USB tokens, biometric scanners). There are distribution costs, since a process is required to initialize credentials and bind them to user identities. There may be infrastructure costs associated with purchasing, installing, and maintaining new authentication servers and datastores. After deployment, there may be lost or broken hardware to replace, not as often as password resets, but at a higher per-incident cost.