Oil giant drops passwords in favour of smartcards

ChevronTexaco has embarked on a multimillion-pound project to improve security by replacing passwords used to access company...

ChevronTexaco has embarked on a multimillion-pound project to improve security by replacing passwords used to access company networks with smartcards and smart tokens.

The multinational oil company will complete the replacement for its 70,000 employees worldwide by the of the year.

The introduction of Schlumberger smartcards and RSA smart tokens, which was sanctioned as a priority by ChevronTexaco's board of directors, will significantly improve the security of the company's internal information and slash the cost of helpdesk support.

The company typically has to reset between 2,000 and 4,000 passwords a month.

"Passwords are easy to crack. Using off-the-shelf software we found we could crack passwords within hours for weak passwords or days for more complex ones. The executive committee understood there was a problem. We did not have to sell the idea too hard," said Edmund Yee, who is responsible for major projects at the ChevronTexaco IT Company.

One of the challenges that faced ChevronTexaco was the need to develop a secure log-on system that would be capable of working in remote parts of the world that could only be networked through low-capacity satellite data links, Yee said.

"It is a very challenging project. It touches a lot of our infrastructure. We have to make sure applications will work with it and that information and security policies are in line," said Yee.

The company worked with Schlumberger and RSA Security to develop a smartcard management system that could provide new employees with network access, control the issue of digital signatures, and control access to ChevronTexaco's applications.

IT staff also had to work with suppliers to re-write and modify applications to replace password access with access through smartcards and smart tokens.

ChevronTexaco's own staff will be issued with Schlumberger 32k Java smartcards fitted with a proximity sensor to allow them to log on to desktop PCs equipped with a remote card reader.

The company will issue RSA secure tokens, which generate one-time passcodes for business partners and staff who need to access its system through their own computer equipment.

Read more on Hackers and cybercrime prevention