As long as there are passwords, there will be little yellow sticky
notes littering desktops.
Despite the obvious risks and dozens of clever password
management practices, IT managers can't seem to convince users to
stop carelessly writing down their passwords.
Password theft seems almost inevitable.
According to a survey of 325 users by Nucleus Research, one in
three users writes down on paper or electronically stores computer
passwords.
The survey also found that a company's password management
process has no effect on a user's tendency to record his or her
password. IT can have users create complex passwords, change their
passwords frequently, use a single sign-on or multiple passwords
for different applications, and users will still write their
passwords down.
"It's sort of like Mom and Dad bought a really great security
system for the house, but Junior is leaving the combination to the
system under the doormat," said David O'Connell, senior analyst at
Nucleus Research.
Of the 33% of people who said they improperly record their
passwords, one-third said they write them down on paper. Two-thirds
said they record them in a text file on their computer or on a
personal digital assistant (PDA).
"People who are writing it down on a piece of paper -- that
makes the enterprise very vulnerable to a social engineering hack,"
O'Connell said. "Hackers who can find a way to get into an
organization can walk around until they find a yellow sticky note
with a password on it. It does happen."
O'Connell said the people who record their passwords
electronically are just as, if not more, vulnerable.
"Laptops and PDAs get stolen all the time, and people get
targeted. An industry event would be a great place to find and
steal someone's laptop. You can do a search based on
password and get a document with a bunch of passwords on
it," he said.
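The point O'Connell makes above, that a stolen laptop yields a searchable file full of credentials, is something an IT team can check for before a device goes missing. The following script is an added example, not code from the article or from Nucleus Research: it walks a directory tree, flags text files whose name or contents look like a stored password list, and reports them so the owner can move the secrets into a password manager. The heuristics, file names and sample contents are constructed for the example.

```python
"""Endpoint hygiene audit (added example): find plain-text files that look like
stored password lists so they can be moved into a password manager or deleted.
The heuristics, file names and sample contents below are constructed for the
example and are not from any product or from the article."""
import os
import re
import tempfile

# A file whose name mentions passwords is suspicious on its own.
NAME_RE = re.compile(r"pass(word|wd)?s?|credentials|logins", re.IGNORECASE)
# Lines of the form "vpn password: value", "pwd=value", "pin = 1234", and so on.
LINE_RE = re.compile(r"\b(pass(word|wd)?|pwd|pin)\b\s*[:=]\s*\S+", re.IGNORECASE)
# Only look at text-like files; skip binaries and anything large.
TEXT_EXTS = {".txt", ".csv", ".md", ".log", ".ini", ".cfg", ""}
MAX_BYTES = 1_000_000


def score_file(path):
    """Return (hits, reasons) for one file; hits == 0 means it looks clean."""
    hits, reasons = 0, []
    if NAME_RE.search(os.path.basename(path)):
        hits += 1
        reasons.append("file name mentions passwords")
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            text = fh.read(MAX_BYTES)
    except OSError:
        return 0, ["unreadable"]
    n = sum(1 for _ in LINE_RE.finditer(text))
    if n:
        hits += n
        reasons.append(f"{n} line(s) look like stored credentials")
    return hits, reasons


def audit(root, min_hits=1):
    """Walk root and return [(relative_path, hits, reasons)], worst first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if os.path.splitext(fn)[1].lower() not in TEXT_EXTS:
                continue
            if os.path.getsize(path) > MAX_BYTES:
                continue
            hits, reasons = score_file(path)
            if hits >= min_hits:
                findings.append((os.path.relpath(path, root), hits, reasons))
    findings.sort(key=lambda f: (-f[1], f[0]))
    return findings


def build_sample_tree():
    """Create a throwaway directory with constructed files (not real data)."""
    root = tempfile.mkdtemp(prefix="pwaudit_")
    samples = {
        "passwords.txt": "vpn password: Winter2006!\nbank pwd = hunter2\n",
        "meeting_notes.txt": "Q3 planning\nwifi pin = 123456\n",
        "README.md": "Nothing to see here.\n",
        "photo.jpg": "not a text file, skipped by extension",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, hits, reasons in audit(build_sample_tree()):
        print(f"{rel}: {hits} hit(s) - {'; '.join(reasons)}")
```

Run against a user's home directory or a shared drive, `audit()` gives the help desk a short list to follow up on; the regular expressions are deliberately loose, so treat each finding as a prompt for a conversation with the file's owner rather than as proof.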
The Nucleus survey found that 70% of users call their IT help
desks once a year about a lost or forgotten password. Sixteen
percent call the help desk two or three times a year for password
help; 9% call three to five times a year; and 5% call the help desk
more than five times a year.
Richard Roark, vice president of process improvement and network
security at Travis Credit Union, said his $1.6-billion Vacaville,
Calif.-based financial institution hadn't experienced any incidents
with stolen passwords. However, he did acknowledge that some
employees were a little loose with their password protection
practices.
"We did have people frequently giving passwords to another
[employee] just so they could log in, that sort of thing. Once we
heard of that… it was pretty much stopped. Then we thoroughly
educated everyone to make them understand that they should not give
their password to anyone, not even someone from IT."
Biometrics making passwords passé?
Ready to give up the battle, companies are exploring biometrics
with some success, but experts say products are just not mature
enough.
With 78 applications requiring some form of username and
password, Travis Credit Union help desk workers were spending on
average one hour each day just handling requests from users who
couldn't remember their passwords.
Roark considered biometrics as a way around the problem. He
first tried a fingerprint-reading technology, but it presented
problems early on.
"The technology wasn't mature yet," he said. "For 70% of people
it worked fine. But other people, my boss included, it took them at
least five times to get signed in."
Last year Roark switched to a new vendor, DigitalPersona Inc., a
Redwood City, Calif.-based provider of fingerprint authentication
products. He has since deployed the company's software and
fingerprint readers company-wide.
"We've had it for over a year now," Roark said. "It's been one
of the best solutions we've had here. Help desk requests are going
down, and end users do not have to remember all their usernames and
passwords."
Roark has kept passwords as a secondary level of authentication,
in case fingerprint readers fail to recognize users. But so far
just one of the credit union's 412 employees has had any trouble
with the technology.
Jonathan Penn, principal analyst for identity and security at
Cambridge, Mass.-based Forrester Research Inc., said biometric
authentication is far more secure than the status quo with
passwords, but he said biometrics are just one of many approaches
companies are looking at, along with smart cards with PINs,
one-time password tokens and USB tokens.
Still, biometric technology has a long way to go before it wins
wider adoption.
"They're surprisingly hackable," O'Connell said. "With one
thumbprint scanner platform, hackers have been able to use a couple
of household products you can find in your kitchen and copy a
person's thumbprint after they have used a scanner. I wouldn't say
it's more hackable [than other authentication strategies]. It's
just not ready for prime time."
"Biometrics of all kinds -- face, finger, voice -- are still
immature and greeted with healthy skepticism by security people,"
Penn said.
Roark has tested DigitalPersona's technology deployed at his
credit union against some common hacking methods and he has found
that the vendor's thumbprint scanners have resisted them.
Penn said fingerprinting vendors have improved their defenses
against hacking, but, he added, false positives, false negatives
and the frequent need to do multiple scans to get a good reading
remain problems.
'Passthoughts' offer new way of thinking
O'Connell said a new field of authentication software, known as
cognitive biometrics, is emerging. He believes that form of
biometric technology holds the most promise.
"People are authenticated by 'passthoughts' rather than
passwords," O'Connell said.
Cognitive biometric software learns about individual users by
asking them to tell stories about favorite memories. It can then
ask questions of the users about those memories to authenticate
users. It also tracks more subtle user behavior, such as reaction
times and mouse movements.
Patrick Audley, CTO of Cogneto, a Vancouver, B.C.-based vendor
of cognitive biometric technology, said his product not only tracks
users' answers to questions, but it also tracks how users behave
while logged on. If the user interacts with his computer in an
unfamiliar way, such as moving his mouse differently, the system might flag the
user. If the user logs on from an unusual location, it might ask
for additional authentication information.
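The two paragraphs above describe a decision that combines three signals: answers to questions about personal memories, how far the current session's behaviour strays from what the system has learned about the user, and whether the login comes from a familiar location. The following is an added example of that kind of adaptive authentication logic, written for this page; it is not Cogneto's code, and the weights, thresholds, field names and the sample profile are all constructed assumptions.

```python
"""Adaptive ("cognitive biometric") authentication, as an added example: the
decision combines answers to personal-memory questions, deviation of the
session's behaviour from the user's learned baseline, and whether the login
location is familiar. Weights, thresholds and the sample profile are
constructed for the example and are not from Cogneto or any other product."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Profile:
    """What the system has learned about one user during enrolment."""
    answers: dict            # question -> normalised expected answer
    reaction_ms: list        # baseline reaction times to prompts
    mouse_px_per_s: list     # baseline mean pointer speed
    usual_locations: set     # locations seen during past accepted logins


def normalise(text):
    """Case- and whitespace-insensitive comparison of free-text answers."""
    return " ".join(text.lower().split())


def zscore(sample, history):
    """How many standard deviations the sample is from the learned baseline."""
    sd = pstdev(history) or 1.0   # avoid division by zero on a flat history
    return abs(sample - mean(history)) / sd


def assess(profile, session, answers, deviation_sd=2.5):
    """Return (decision, risk, reasons); decision is ALLOW, STEP_UP or DENY."""
    risk, reasons = 0.0, []
    wrong = [q for q, a in answers.items()
             if normalise(a) != profile.answers.get(q)]
    if wrong:
        risk += 0.4 * len(wrong)
        reasons.append(f"{len(wrong)} memory question(s) answered wrongly")
    behaviour = (("reaction_ms", profile.reaction_ms, session["reaction_ms"]),
                 ("mouse_px_per_s", profile.mouse_px_per_s, session["mouse_px_per_s"]))
    for name, history, sample in behaviour:
        z = zscore(sample, history)
        if z > deviation_sd:
            risk += 0.3
            reasons.append(f"{name} is {z:.1f} sd from baseline")
    if session["location"] not in profile.usual_locations:
        risk += 0.3
        reasons.append("unfamiliar login location")
    if risk >= 0.8:
        decision = "DENY"
    elif risk >= 0.3:
        decision = "STEP_UP"   # ask for a second factor, e.g. password or token
    else:
        decision = "ALLOW"
        # Keep learning from accepted sessions so the baseline tracks the user.
        profile.reaction_ms.append(session["reaction_ms"])
        profile.mouse_px_per_s.append(session["mouse_px_per_s"])
    return decision, round(risk, 2), reasons


def sample_profile():
    """Constructed enrolment data for one fictitious user."""
    return Profile(
        answers={"first_car": normalise("Blue Datsun")},
        reaction_ms=[410, 395, 430, 405, 420, 398, 415, 402],
        mouse_px_per_s=[620, 640, 605, 655, 630, 615, 645, 625],
        usual_locations={"vacaville-hq"},
    )


# Constructed sessions: a normal day, the same user travelling, and a session
# where nothing matches the user's profile.
NORMAL = {"reaction_ms": 412, "mouse_px_per_s": 635, "location": "vacaville-hq"}
TRAVELLING = {"reaction_ms": 408, "mouse_px_per_s": 628, "location": "hotel-wifi"}
SUSPECT = {"reaction_ms": 720, "mouse_px_per_s": 1400, "location": "hotel-wifi"}

if __name__ == "__main__":
    p = sample_profile()
    for label, s in (("normal", NORMAL), ("travelling", TRAVELLING), ("suspect", SUSPECT)):
        print(label, assess(p, s, {"first_car": "blue datsun"}))
```

Note the asymmetry that O'Connell's and Audley's remarks imply: an unfamiliar location on its own only triggers a request for more evidence (STEP_UP), while a session that fails on every signal is refused outright. Only sessions the system accepts feed back into the baseline, so an attacker who is challenged does not get to reshape the profile.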
"It authenticates you on all these other variables, all the
things one cannot mimic in the way a person interacts with
technology," O'Connell said. "This is something that a person
really doesn't have to memorize. It can't be memorized."
O'Connell said the best approach for any company would be to
adopt a combination of different authentication approaches. For
instance, Cogneto has integrated some biometric reader technologies
into its software. And Cogneto's Audley said his company views its
product as a "password fortification system."
Let us know what you think about the story; email:
Shamus McGillicuddy,
News Writer