Decision Maker

It's Time To Lose the Passwords!

Admit it: The only folks who hate passwords more than your users are the ones on your help desk. How many passwords do your users need? Three? Five? And I'll bet you make your users change those passwords every couple of months, as well as forcing them to remember D1ffiCu!t passwords on top of it all.

Despite all that, there isn't a password your users could realistically remember that can't be cracked in seconds.

Passwords are stored as hashes, and a rainbow table provides a fast way to look up any particular unsalted hash and get its clear-text version. Torrents are full of pre-generated rainbow tables that can crack a password of up to 10 characters containing any ASCII character. So all the symbols and numbers your users have to toss into their passwords? Not protecting you one extra bit.

Find Another Factor
One-time passwords, typically generated by an authentication token, are the way to go. In the past, these have been limited to a key fob form factor -- and they were a hassle to use. You had to buy physical tokens from the same company that sold you the back-end integration solution, which got expensive. You issued tokens to users, ensuring the back-end system knew which user had which token. Users created a four- to six-digit PIN to go with their tokens, and that had to be stored as well.

The situation is vastly different today. You'll usually buy your back-end software from one vendor, and you're not stuck buying tokens from the same one. Most tokens and back-end solutions now comply with the Open Authentication (OATH) interoperability standard, which means you can buy from anyone. That's driven prices down to less than $5 per user in some cases. The back-end solution will typically integrate in some fashion with Active Directory, but will also usually provide a RADIUS interface so that nearly anything can authenticate. A client-side agent for Windows computers modifies your usual Ctrl+Alt+Delete screen to provide token-based logins.
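To make the OATH interoperability concrete, here is an added example (not code from the column or any token vendor) of the two algorithms every compliant token and back end share, HOTP (RFC 4226) and TOTP (RFC 6238), plus a server-side check with the resynchronisation window a back end needs. The secret is the RFC 4226 test-vector key, so the codes can be compared against the RFC's published values.

```python
import hashlib
import hmac
import struct
import time

# Added example, not code from the column or any token vendor: the OATH
# HOTP (RFC 4226) and TOTP (RFC 6238) algorithms that interoperable tokens
# and back ends both implement. RFC_SECRET is the RFC 4226 test-vector key,
# so outputs can be checked against the RFC's published values.
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HMAC-SHA1 over the 8-byte big-endian counter, then RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """TOTP is HOTP whose counter is the number of 30-second steps since the Unix epoch."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step, digits)


def verify_hotp(secret, submitted, stored_counter, look_ahead=5, digits=6):
    """Server-side check for an event-based (button-press) token.

    A look-ahead window lets a token that was pressed a few times without a
    login resynchronise. On success returns the counter to store next
    (one past the accepted value) so the same code can never be replayed;
    returns None on failure. Comparison is constant-time.
    """
    for c in range(stored_counter, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return c + 1
    return None


if __name__ == "__main__":
    for n in range(3):
        print(n, hotp(RFC_SECRET, n))   # 755224, 287082, 359152 per RFC 4226
    print(totp(RFC_SECRET))             # the code a soft token would show right now
```

The look-ahead window is what lets a user who has pressed the fob a few times still log in, while returning one-past-the-accepted counter is what stops a captured code from being reused.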

And tokens have evolved beyond key fobs. While those are still popular, credit card-sized tokens are also available, and software tokens are available for almost every mobile device out there. Work-at-home users can even get Windows-based software tokens for their home computers, making it easy for them to log into the network and continue working as if they were in the office.

Token management? Also vastly improved. Nowadays users can be issued a token with no advance enrollment. They simply visit an intranet Web site to register their token, using their old logon credentials, and establish a PIN. This self-service mechanism takes pretty much all of the overhead off of the IT staff.

Many systems also come with Web-based, one-time-password systems designed to accommodate contractors and other casual logon users. You don't need to issue them a token; instead, they utilize pattern-based numeric passwords. Essentially, they memorize a short pattern of blocks in a grid (think of a Bingo card -- your pattern is a "C" shape). You show them a grid with numbers in each square, and they type in the numbers that correspond to their block pattern. The numbers change every time. No password to remember, change, forget, unlock or anything -- and no hardware token either.
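The grid scheme just described, as an added example that is not code from the column or from any product it mentions: the user enrols a fixed pattern of cell positions, every attempt shows a freshly random digit grid, and the response is the digits in those cells in pattern order. All names and the sample grid are this example's own.

```python
import hmac
import secrets

# Added example, not code from the column or any product it mentions: a
# minimal pattern-based ("Bingo card") one-time password as the column
# describes. The user enrols a fixed pattern of cell positions; each login
# shows a freshly random digit grid, and the response is the digits found in
# those cells, in pattern order. All names here are this example's own.
GRID_SIZE = 5


def make_challenge(grid_size=GRID_SIZE):
    """New random digit grid per attempt, from a CSPRNG so it can't be predicted."""
    return [[secrets.randbelow(10) for _ in range(grid_size)] for _ in range(grid_size)]


def expected_response(grid, pattern):
    """pattern is the enrolled sequence of (row, col) cells."""
    return "".join(str(grid[r][c]) for r, c in pattern)


def verify(grid, pattern, submitted):
    """Constant-time compare; grid must be the one issued for this attempt, then discarded."""
    return hmac.compare_digest(expected_response(grid, pattern), submitted)


# A 'C' drawn on the left of the grid: top row, down the left column, bottom row.
C_PATTERN = [(0, 0), (0, 1), (0, 2), (1, 0), (2, 0), (3, 0), (4, 0), (4, 1), (4, 2)]

# Constructed fixed grid so the walk-through below is reproducible.
SAMPLE_GRID = [
    [1, 2, 3, 4, 5],
    [6, 7, 8, 9, 0],
    [1, 2, 3, 4, 5],
    [6, 7, 8, 9, 0],
    [1, 2, 3, 4, 5],
]

if __name__ == "__main__":
    print(expected_response(SAMPLE_GRID, C_PATTERN))  # 123616123
    live = make_challenge()
    print(verify(live, C_PATTERN, expected_response(live, C_PATTERN)))  # True
```

Because the pattern itself never changes, every challenge/response pair an observer sees narrows it down, which is why the column positions this for casual, low-risk logons rather than as a substitute for a token.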

But Will They Like It?
The standard industry statistic is that a password reset or account unlock call costs you about $33, and that most help desks spend about one-third of their time handling those calls. With two-factor, token-based authentication, that pretty much goes away. There are no passwords to forget, so they don't need to be reset, and accounts don't need unlocking. You don't need a password reset self-service intranet solution. Help desk costs go down. User disgruntlement goes down.

Companies have stayed away from two-factor authentication in droves, partially because of the perceived costs and high overhead. Many companies hear "two-factor authentication" and immediately think "smart cards," which are indeed more expensive to manage in the long run, and which definitely come with some high overhead in terms of issuing and maintaining them. Hardware tokens, on the other hand, have become cheap -- and they're supplemented by the availability of soft tokens for mobile devices, which in many cases the back-end software vendor can offer you for free.

About the Author

Don Jones is a 12-year industry veteran, author of more than 45 technology books and an in-demand speaker at industry events worldwide. His broad technological background, combined with his years of managerial-level business experience, make him a sought-after consultant by companies that want to better align their technology resources to their business direction. Jones is a contributor to TechNet Magazine and Redmond, and writes a blog at ConcentratedTech.com.


Reader Comments:

Fri, Jan 21, 2011 Tony Virginia

I agree with Bob. I've tried to educate our users on creating secure passwords...even tried the pass phrase thing...which is what I assume Christopher is using...the more secure I make the requirements the more I've had to reset passwords...when users don't understand the difference between logging off, locking and restarting a computer, the learning curve is high...and it starts with the CEO...

Thu, Jan 6, 2011 Bob Texas

Chris, I'll trade my users for yours. My problem is that the people highest up in the company think that a 10 character password (let alone a 12 character or, OMG, 40 character password) is unnecessary. If I can't convince them, it does not matter what the other 90% or 95% or even 99% think. Even so, I would be interested in knowing more about your approach.

Thu, Jan 6, 2011 Gurudatt Shenoy Mumbai

I have developed a zero cost two factor authentication solution called MyCloudKey and 0pass. Users can use a device they already own to register as a security token. Both the services are free and widely used. You can access it from www.mycloudkey.com and www.0pass.com

Wed, Jan 5, 2011 Christopher D. Bell Glossop, UK

Despite Don Jones' pedigree I must point out that this entire article is based on a false premise: users are stupid and/or lazy. I have been able to implement password policies in organisations which use complex passwords with an average length of more than forty characters with a 95% rate of user approval (I guess the other 5% were lazy and/or stupid) and a reset rate of close to 0%. It is not difficult to do, requires less than five minutes of training and makes rainbow tables an irrelevance.
