
Forget your passwords

Trying to remember a password may be more trouble than it's worth.
By Amir Lubashevsky, Director of Magix Integration.
Johannesburg, 30 Nov 2007

The first time someone wanted to limit access to a computer, a password was the obvious and logical choice to limit who could access information and applications. By password protecting a system, administrators supposedly only give access to specific people and keep the masses out.

That may have applied when only a handful of people knew what a computer was, but in the era of the Internet, the concept of a password is as outdated as a horse and carriage. Today, a password is more effective at keeping the legitimate user out than those planning mischief.

Every corporate helpdesk operator knows that a Monday morning, or especially the first day back at work after a long weekend, will be a day consumed by calls about forgotten passwords. The problem of forgotten passwords is so common that every login page on the Internet has a link underneath it for users to click on if they forget their password.

Moreover, it is not only forgetful users that make the password concept one that should be retired. When looking at password management within a company, people are almost guaranteed to confide in a colleague and tell them their password, in confidence, of course. Unfortunately, human nature also guarantees that the password will be passed on at some stage.

If that's not enough to convince anyone that passwords are passé, the growing use of hardware and software keyloggers should clear up the matter. These devices can be installed surreptitiously on almost anyone's computer and collect confidential information - like passwords. Once this information has been harvested, the collector has open access to the victim's files, applications and even bank accounts.

Not that one needs to go to these extremes to get someone's password. In penetration testing done for corporate clients throughout South Africa, 70% of the passwords people choose are easily and quickly cracked by software. It is simply too much effort for people to choose complex passwords.

The alternative

Fortunately, we are in the position today that passwords are no longer necessary. There are now many authentication options available that are more reliable and less vulnerable.

Electronic tokens, for example, offer strong authentication that is not dependent on the person remembering more than her user name. Moreover, multifactor authentication is becoming an accepted alternative in a growing number of companies to ensure security is not dependent on someone remembering a word. The key is to take the human factor out of the authentication process, or at least to limit it.

Whichever authentication solution is chosen as part of an identity management solution, the critical factor is to ensure the person accessing the system is in fact the authorised one. A system controlled by only a password offers no such safeguard.

The emergence of biometric identification products that actually work will assist in achieving improved authentication capabilities. In the past, biometric technology was either excessively expensive or unreliable. The current batch of technologies really works, and they are excellent options for ensuring the right people log into the right accounts.

Expanding the network


As with most other areas of business, security and authentication technologies are no longer confined to the company. As more businesspeople take their work with them when they travel, they need full access to their normal applications and data from anywhere in the world.

For the remote worker, a password will never be a secure way to access the network. To ensure security is maintained in all instances, it is recommended that device identification is used as a complementary authentication technology.

When a remote worker logs on and the system recognises that he is working on an authorised device, such as a company laptop or PDA, he is permitted full access to the applications and data he would normally use. If the device is not recognised, even if the user is, the system automatically limits what can be accessed.

In this way organisations can ensure their employees have 24x7 access to all the services they need, but also protect their data by completely preventing access to sensitive information when employees log on from an Internet café or some other unsecured system.
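The device-identification policy just described, as an added illustration that is not Magix Integration's product or code: a user who has already authenticated is granted the full set of resources only when the presenting device is one enrolled for that user; the same user on an unrecognised device is held to a low-sensitivity ceiling. Device identity is assumed here to be the SHA-256 fingerprint of a client certificate; the enrolled fingerprints, resource names and sensitivity levels are constructed sample values.

```python
"""Device-aware access decision (added example, not the article's or vendor's code).

A recognised user on an enrolled device gets full access; the same user on an
unknown device (e.g. an Internet cafe machine) gets only low-sensitivity
resources. Device identity is assumed to be a client-certificate fingerprint.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded client certificate (assumed scheme)."""
    return hashlib.sha256(cert_der).hexdigest()


# Constructed enrolment registry: user -> set of enrolled device fingerprints.
# In practice this is populated when IT issues the laptop or PDA.
ENROLLED_DEVICES = {
    "alice": {fingerprint(b"constructed-cert-alice-laptop")},
    "bob": {fingerprint(b"constructed-cert-bob-pda")},
}

# Constructed resource catalogue tagged with a sensitivity level.
RESOURCES = {
    "intranet-news": "low",
    "email": "medium",
    "customer-db": "high",
    "payroll": "high",
}
LEVELS = {"low": 0, "medium": 1, "high": 2}

# Ceiling applied depending on whether the device is recognised.
CEILING_KNOWN_DEVICE = "high"
CEILING_UNKNOWN_DEVICE = "low"


@dataclass(frozen=True)
class Decision:
    user: str
    device_recognised: bool
    ceiling: str
    allowed: frozenset


def decide_access(user: str, cert_der: bytes, user_authenticated: bool) -> Optional[Decision]:
    """Return the access decision for an already-authenticated user on a device.

    `user_authenticated` is the outcome of the primary factor (token, biometric,
    etc.); device recognition never substitutes for it, it only widens or
    narrows what the authenticated user may reach.
    """
    if not user_authenticated:
        return None  # no identity established, nothing is granted

    fp = fingerprint(cert_der)
    # Constant-time comparison against every device enrolled for this user;
    # a device enrolled for a different user does not count.
    recognised = any(
        hmac.compare_digest(fp, known) for known in ENROLLED_DEVICES.get(user, ())
    )
    ceiling = CEILING_KNOWN_DEVICE if recognised else CEILING_UNKNOWN_DEVICE
    allowed = frozenset(
        name for name, level in RESOURCES.items() if LEVELS[level] <= LEVELS[ceiling]
    )
    return Decision(user=user, device_recognised=recognised, ceiling=ceiling, allowed=allowed)


if __name__ == "__main__":
    for label, cert in (("company laptop", b"constructed-cert-alice-laptop"),
                        ("internet cafe PC", b"constructed-cert-unknown-kiosk")):
        d = decide_access("alice", cert, user_authenticated=True)
        print(f"alice on {label}: recognised={d.device_recognised} "
              f"ceiling={d.ceiling} allowed={sorted(d.allowed)}")
```

The point of the structure is that device recognition is a second, independent signal layered on top of user authentication: an attacker who has obtained a user's credentials but not an enrolled device is confined to the low tier, and an unauthenticated request on an enrolled device is still refused outright.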

The business world we operate in today has moved far beyond the realm of passwords. Technology and business models are vastly different from what they were 20 years ago, and will again be completely different in 10 years' time. Authenticating who's doing what, where, is a critical part of a reliable infrastructure if companies wish to ensure the safety of information.

Stronger authentication methodologies are, therefore, non-negotiable. Corporations operating in the 21st century need to know that people can only access their systems and perform specific functions if they are who they claim to be, and simple password access is not the way to accomplish this.

* Amir Lubashevsky is director of Magix Integration.
