Passwords will reach the end of their useful life in as
little as two years, forcing organisations to rethink the way they
secure their corporate IT systems, Gartner will warn this
week.
By 2007, the analyst group predicts that 80% of organisations
will have reached "password breaking point" and will have to turn
to more sophisticated technology to protect their systems and
data.
Businesses need to put a roadmap in place now that will allow
them to phase out passwords and replace them with more secure
two-factor authentication, said Ant Allan, research vice-president
at Gartner.
Speaking at the Gartner IT Security Summit at London's Royal
Lancaster Hotel this week, Allan will warn that passwords are
rapidly becoming unusable as organisations attempt to stay one step
ahead of hackers.
By making passwords increasingly complex, and changing them with
greater frequency, businesses are simply "rearranging the
deckchairs on the Titanic," said Allan.
Complex passwords may be harder to crack, but they are still
vulnerable to discovery by spyware, key loggers or social
engineering attempts by hackers, he said. They also become
increasingly difficult for staff to remember and use.
The current generation of two-factor authentication devices -
including smartcards, biometric readers, and one-time password
tokens, which typically cost £70 a user to implement and run - will
be too expensive for many organisations to deploy.
Businesses are likely to turn to intermediate technologies, such
as Entrust's Identity Guard, which is currently being trialled by
banks and other organisations, said Allan.
The system issues each user with a unique grid of letters and
numbers, which could be printed on the back of their work ID card.
It verifies their identity by asking users for the characters at a
set of co-ordinates on the grid.
Several UK banks are piloting similar technology to provide
on-line banking customers with secure access to their bank
accounts. One variant is to send a text message containing a
one-time password to a customer's mobile phone when they log
on.
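The grid-card exchange described above, as an added example that is not code from the article, from Gartner or from Entrust: a server holds the user's grid, challenges with a few cells, and checks the answer. The 5x10 grid, the alphabet, the three cells per login and the one-attempt-per-challenge rule are this example's assumptions, not details taken from the page. The last two functions make the caveat a practitioner would want explicit: every answered cell is revealed to exactly the spyware or keylogger the article lists as a password threat, so the card is a shared secret that leaks a little with each login.

```python
"""Grid-card challenge-response authentication (constructed example)."""
import secrets
import string
from typing import Dict, List, Tuple

Cell = Tuple[int, int]

GRID_ROWS = 5          # assumed card geometry
GRID_COLS = 10
ALPHABET = string.ascii_uppercase + string.digits   # assumed symbol set
CHALLENGE_CELLS = 3    # assumed: cells asked per login


def make_grid(rng=secrets) -> List[List[str]]:
    """Generate one card: each cell is an independent random symbol.
    rng only needs .choice(); use secrets for real cards."""
    return [[rng.choice(ALPHABET) for _ in range(GRID_COLS)] for _ in range(GRID_ROWS)]


def issue_challenge(k: int = CHALLENGE_CELLS) -> List[Cell]:
    """Pick k distinct cells with a CSPRNG so the asked cells are unpredictable."""
    cells = set()
    while len(cells) < k:
        cells.add((secrets.randbelow(GRID_ROWS), secrets.randbelow(GRID_COLS)))
    return sorted(cells)


def expected_response(grid: List[List[str]], challenge: List[Cell]) -> str:
    """Symbols the legitimate card holder reads off, in challenge order."""
    return "".join(grid[r][c] for r, c in challenge)


class GridCardVerifier:
    """Server side: holds the user's grid, issues a challenge, accepts one answer per challenge."""

    def __init__(self, grid: List[List[str]]):
        self._grid = grid
        self._pending: Dict[str, List[Cell]] = {}   # session id -> outstanding challenge

    def start(self) -> Tuple[str, List[Cell]]:
        sid = secrets.token_hex(8)
        challenge = issue_challenge()
        self._pending[sid] = challenge
        return sid, challenge

    def finish(self, sid: str, response: str) -> bool:
        # pop(): a challenge is consumed by its first answer, right or wrong, so a
        # captured answer cannot be replayed and cells cannot be guessed one at a time.
        challenge = self._pending.pop(sid, None)
        if challenge is None:
            return False
        expected = expected_response(self._grid, challenge).encode()
        # constant-time compare; mismatched lengths simply fail
        return secrets.compare_digest(expected, response.strip().upper().encode())


def observed_cells(transcripts) -> Dict[Cell, str]:
    """What a keylogger or shoulder-surfer learns: every answered cell is revealed."""
    known: Dict[Cell, str] = {}
    for challenge, response in transcripts:
        for cell, symbol in zip(challenge, response):
            known[cell] = symbol
    return known


def attacker_can_answer(known: Dict[Cell, str], challenge: List[Cell]) -> bool:
    """True if the eavesdropper already holds every cell this challenge asks for."""
    return all(cell in known for cell in challenge)


def simulate_leak(observed_logins: int, trials: int = 2000) -> float:
    """Fraction of fresh challenges an eavesdropper who watched N logins could answer."""
    grid = make_grid()
    transcripts = []
    for _ in range(observed_logins):
        ch = issue_challenge()
        transcripts.append((ch, expected_response(grid, ch)))
    known = observed_cells(transcripts)
    hits = sum(attacker_can_answer(known, issue_challenge()) for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    grid = make_grid()
    server = GridCardVerifier(grid)
    sid, challenge = server.start()
    answer = expected_response(grid, challenge)
    print("challenge:", challenge, "accepted:", server.finish(sid, answer))
    print("replay of same answer accepted:", server.finish(sid, answer))
    for n in (5, 20, 50):
        print(f"after observing {n} logins an eavesdropper answers "
              f"{simulate_leak(n):.0%} of new challenges")
```

The leak simulation is the point to take from this: on the assumed 50-cell card the fraction of answerable challenges climbs steadily with the number of logins an attacker has watched, which is why a card of this kind is a cheap step up from a static password rather than a substitute for a one-time-password token, and why it should be reissued periodically.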
But choosing the authentication mechanism is only part of the
problem, said Allan. Organisations will need to invest in sign-on
software to manage the passwords of legacy systems, while they
migrate their systems towards two-factor authentication. But this
should only be a temporary step, said Allan.