By Keith Regan E-Commerce Times
07/07/03 4:00 AM PT
During a recent European trade show, organizers convinced 90 percent of office workers traveling through a London tube station to reveal their computer passwords. They merely included the question at the end of a long list of seemingly harmless queries.
Passwords are both the universal language for network navigation and the weakest link in network security, as fraught with peril as they are essential.
Experts say that because they are so closely linked to the ever-fallible human element, passwords cause the most headaches of any security mechanism. However, any enterprise, large or small, can take steps to minimize risk without resorting to cutting-edge and costly technologies like biometrics.
"The fact is that most people don't take the basic steps to protect their passwords, like changing them, so if passwords are a last line of defense, a network administrator has to take it upon himself to make sure it happens," Gartner (NYSE: IT) vice president John Pescatore told the E-Commerce Times.
Security experts have long advocated forcing employees to reset passwords every quarter or even more often, especially if they are accessing sensitive data. However, passwords are already notorious at IT help desks, where lost passwords or locked-out employees absorb a considerable amount of valuable support staff time. More frequent password changes likely would increase the proportion of such calls.
Policy Is Paramount
The first step should always be to establish a password policy, with clear guidelines detailing how passwords should be chosen, how often they should be changed and how to keep them secret.
"A lot of enterprises leave it up to the employee," Pescatore said. However, doing so is often a risk, since most knowledge workers have a half-dozen or more passwords to remember. Faced with this potentially complicated situation, many users choose to make all of their passwords the same.
"If you don't require someone to diversify their passwords, why should they?" Pescatore noted.
Human Weakness
Another aspect of password security is social engineering. Few things make hackers happier than convincing users to reveal their passwords simply by asking.
For instance, a hacker who pled guilty to charges he diverted traffic intended for Al-Jazeera's English-language website during the Iraq war says he was able to do so by simply calling Al-Jazeera's U.S. network provider and posing as an employee. Before long, he had the passwords he needed.
"People are always a weak link, and study after study shows they will give up passwords if asked in the right way," said M.E. Kabay, program director in information assurance at Norwich University in Northfield, Vermont. "By having clear policies and taking steps to enforce them, you at least give yourself a chance."
Making matters worse, so-called social engineering tricks used to glean passwords are not necessarily complicated. During a recent European trade show, organizers convinced 90 percent of office workers traveling through a London tube station to reveal their computer passwords. Their social engineering consisted of including the question at the end of a long list of seemingly harmless queries.
Crack This
Even if passwords are not revealed willingly, hackers still can crack them. AT&T (NYSE: T) recently warned its business customers about a scam in which hackers were guessing passwords that protected voice-mail systems, then using them to run up costly long-distance bills. The hackers could do this because many customers still were using the default password they had received with their accounts.
Pescatore said many users are guilty of using too-common passwords, justifying the practice by saying they are easy to use and remember.
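The policy elements described above (choosing passwords well, rotating them on a schedule, not reusing one password across systems, and not leaving vendor defaults or over-common strings in place, as in the voice-mail scam) are the kind of rules an administrator can check mechanically. The following is an added illustration, not code from the article or from any vendor it mentions; the minimum length, the 90-day rotation interval, the short list of common and default strings, and the sample account inventory are all constructed assumptions.

```python
from datetime import date

# Constructed sample of vendor-default and over-common strings (an assumption,
# not a list from the article); a real deployment would use a far larger list.
COMMON_PASSWORDS = {"password", "123456", "admin", "welcome", "letmein", "1234", "0000"}
MIN_LENGTH = 12          # assumed policy minimum
MAX_AGE_DAYS = 90        # assumed rotation interval (the article's "every quarter")
AUDIT_DATE = date(2003, 7, 7)   # constructed audit date for the sample run


def character_classes(password):
    """Count how many of lower/upper/digit/other the password draws on."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def check_choice(candidate):
    """Findings about how a single password was chosen; an empty list passes."""
    findings = []
    if len(candidate) < MIN_LENGTH:
        findings.append("too short")
    lowered = candidate.lower()
    # Catch the bare default and the common "default plus trailing digits" variant.
    if lowered in COMMON_PASSWORDS or lowered.rstrip("0123456789") in COMMON_PASSWORDS:
        findings.append("vendor default or common password")
    if character_classes(candidate) < 3:
        findings.append("fewer than three character classes")
    return findings


def check_age(last_changed, today):
    """True when the password is past the rotation interval."""
    return (today - last_changed).days > MAX_AGE_DAYS


def audit_user(records, today):
    """Audit one user's passwords across several systems.

    records: list of dicts with keys system, password, last_changed.
    Returns {system: [findings]}; reuse is reported on every system that
    shares the value. Plaintext comparison is for illustration only; a real
    audit compares stored hashes or asks each system to run the check itself.
    """
    systems_by_password = {}
    for r in records:
        systems_by_password.setdefault(r["password"], []).append(r["system"])
    report = {}
    for r in records:
        findings = check_choice(r["password"])
        others = [s for s in systems_by_password[r["password"]] if s != r["system"]]
        if others:
            findings.append("reused on " + ", ".join(others))
        if check_age(r["last_changed"], today):
            findings.append("older than %d days" % MAX_AGE_DAYS)
        report[r["system"]] = findings
    return report


# Constructed inventory for one employee (an assumption, not real data).
SAMPLE_RECORDS = [
    {"system": "email", "password": "Welcome2003", "last_changed": date(2003, 1, 15)},
    {"system": "vpn", "password": "Welcome2003", "last_changed": date(2003, 6, 1)},
    {"system": "voicemail", "password": "0000", "last_changed": date(2002, 3, 1)},
    {"system": "crm", "password": "Tr!ck-Long_Unique9", "last_changed": date(2003, 6, 20)},
]


def sample_report():
    """Run the audit over the constructed inventory as of AUDIT_DATE."""
    return audit_user(SAMPLE_RECORDS, AUDIT_DATE)


if __name__ == "__main__":
    for system, findings in sample_report().items():
        print(system, "->", findings or ["ok"])
```

Run as a script it prints one line per system; the voice-mail entry is flagged for the unchanged "0000" default, the e-mail and VPN entries for sharing one password, and only the CRM entry passes. The same three checks map directly onto the policy questions the article raises: how passwords are chosen, how often they change, and whether one password is doing duty everywhere.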
However, passwords are here to stay, at least for the foreseeable future, even though Gartner believes use of smart cards or other methods that require two proofs of identity will increase. Indeed, the rise of password-saving programs like Microsoft's (Nasdaq: MSFT) Passport has raised new security concerns.
"The shortcuts around remembering and entering passwords are problematic themselves," Pescatore noted.
Incentive Offered
If an enterprise needs more incentive to tighten its use of passwords, both courts and lawmakers are glad to oblige. A California law now in effect mandates that companies disclose all database breaches that result in exposure of private information, whether or not that data is stolen or misused. Moreover, lawyers are closely monitoring the landscape to see how much responsibility enterprises will bear if they are hacked.
"End users who argue that a vendor supplied a weakly secured product are going to have to answer a lot of questions about how often they changed passwords or took other precautions," attorney Michael Overly of Los Angeles-based law firm Foley & Lardner told the E-Commerce Times. "The courts are going to work through that question of who ultimately has responsibility."