Plan now to beat 2007 password 'breakdown', Gartner advises

Passwords will reach the end of their useful life in as little as two years, forcing organisations to rethink the way they secure their corporate IT systems, Gartner will warn this week.

Passwords will reach the end of their useful life in as little as two years, forcing organisations to rethink the way they secure their corporate IT systems, Gartner will warn this week.

By 2007, the analyst group predicts that 80% of organisations will have reached "password breaking point" and will have to turn to more sophisticated technology to protect their systems and data.

Businesses need to put a roadmap in place now that will allow them to phase out passwords and replace them with more secure two-factor authentication, said Ant Allan, research vice-president at Gartner.

Speaking at the Gartner IT Security Summit at London's Royal Lancaster Hotel this week, Allan will warn that passwords are rapidly becoming unusable as organisations attempt to stay one step ahead of hackers.

By making passwords increasingly complex, and changing them with greater frequency, businesses are simply "rearranging the deckchairs on the Titanic," said Allan.

Complex passwords may be harder to crack, but they are still vulnerable to discovery by spyware, key loggers or social engineering attempts by hackers, he said. They also become increasingly difficult for staff to remember and use.

The current generation of two-factor authentication devices - including smartcards, biometric readers, and one-time password tokens, which typically cost £70 a user to implement and run - will be too expensive for many organisations to deploy.

Businesses are likely to turn to intermediate technologies, such as Entrust's Identity Guard, which is currently being trialled by banks and other organisations, said Allan.

The system issues each user with a unique grid of letters and numbers, which could be printed on the back of their work ID card. It verifies their identity by asking users for the letter at a set of co-ordinates on the grid.

Several UK banks are piloting similar technology to provide on-line banking customers with secure access to their bank accounts. One variant is to send a text message containing a one-time password to a customer's mobile phone when they log on.

But choosing the authentication mechanism is only part of the problem, said Allan. Organisations will need to invest in sign-on software to manage the passwords of legacy systems, while they migrate their systems towards two-factor authentication. But this should only be a temporary step, said Allan.

Read more on IT risk management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

-ADS BY GOOGLE

SearchCIO

SearchSecurity

SearchNetworking

SearchDataCenter

SearchDataManagement

Close