Ending the age of the password

IT directors face the constant challenge of giving the business enough flexibility to access IT however, wherever and whenever end-users need to, while keeping out intruders.

Meanwhile, hackers are using ever more devious means of capturing personal information. Corporate users and consumers face a daily barrage of spoof websites, keystroke-logging programs and viruses that steal credit card details and PIN codes.

Microsoft chairman Bill Gates believes this criminal undercurrent will undermine the success of new types of internet services by reducing the number of people prepared to buy them. It is no wonder Microsoft is spending more than £1bn a year on security research and development.

But however much secure technology progresses, the weakest link remains the end-user. Time and again end-users open and run suspect e-mail messages and download free programs, in spite of corporate IT security policies which advise against such practices.

How often do people change their passwords? More often than not, a single password is used to log into any and all online services: the same one for online banking is used to do online shopping and access Hotmail, Yahoo e-mail, eBay - and the corporate network.

The high security required for online banking has meant users have to remember extremely long passwords, mixing numbers and both upper- and lower-case letters. Log-in processes require them to type in specific characters from the full password. But the more complex the log-in process, the less likely it is to be successful. Moreover, the password itself is usually written down next to the computer, making PC theft a particularly expensive crime. Let's face it, the password has had its day.

At last week's RSA Security Conference in San Francisco, oil giant Chevron Texaco revealed that it is replacing passwords. Staff will be issued instead with a smartcard equipped with a proximity sensor to allow them to log into the corporate network.

Another option is the so-called "one-time password" favoured by the military. If a password can only be used once, a hacker has no chance to copy it. Security supplier RSA is working to develop an industry standard around this idea.
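To show why a captured one-time password is worthless to whoever captured it, here is an added example that is not part of the original column and is not the RSA standard the column refers to. It implements the HMAC-based one-time password algorithm of RFC 4226 (HOTP) and a server-side verifier that only accepts counter values beyond the last one used, so the same code presented twice is rejected. The shared secret is the published RFC 4226 test key, and the `OtpVerifier` class, its `look_ahead` window and the `replay_demo` helper are this example's own constructions.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a fixed number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks the 4-byte window
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server-side state for one user (hypothetical helper, not a library API).

    It remembers the highest counter already accepted and only checks a small
    window of counters beyond it. Because an accepted counter is never checked
    again, a code copied by a keystroke logger cannot be replayed."""

    def __init__(self, secret: bytes, look_ahead: int = 5) -> None:
        self.secret = secret
        self.look_ahead = look_ahead   # tolerance for tokens pressed but not submitted
        self.last_counter = -1         # nothing accepted yet

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for counter in range(start, start + self.look_ahead):
            # constant-time comparison avoids leaking how many digits matched
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


def replay_demo() -> tuple[bool, bool, bool]:
    """Walk through one login, a replay of the same code, then the next code.
    Returns (first accepted, replay accepted, next accepted)."""
    secret = b"12345678901234567890"   # RFC 4226 test key, used here as sample data
    server = OtpVerifier(secret)
    token_code_0 = hotp(secret, 0)     # what the user's token would display first
    first = server.verify(token_code_0)
    replay = server.verify(token_code_0)   # an intercepted copy, presented again
    following = server.verify(hotp(secret, 1))
    return first, replay, following


if __name__ == "__main__":
    print("first login, replay, next login:", replay_demo())
```

The look-ahead window matters in practice: a user who presses the token button a few times without logging in advances the token's counter past the server's, and without a window the next genuine code would be rejected. Keeping the window small limits how many codes an attacker could try before the server's counter moves on.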

It is early days and many questions remain. Will such a system ever be user-friendly? Unless it is a no-brainer, people will stick with their passwords.

But whatever the outcome, our industry desperately needs to develop an easy way to provide secure access to systems.
