Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Monday, September 27, 2004

Passwords Fail To Defend Enterprises

Passwords, the dominant form of securing enterprise assets, are a failure, a research firm said Thursday.

According to the Meta Group, passwords aren’t cutting the mustard because of both organizational and user failings, as well as a lack of cost-effective alternatives.

“Enterprises are pretty frustrated with passwords,” said Earl Perkins, vice president with the firm’s security and risk strategies group.  On the organizational level, Perkins said that passwords’ failings range from enterprises wasting time creating convoluted policies to spending too little time protecting crucial applications.

On the end-user front, meanwhile, passwords are ineffective when people have too many to maintain.  But the issue with password protection isn’t just numbers, said Perkins.

“From a cultural standpoint, many individuals don’t believe the value of the password reflects the value of the assets it protects.”

The solution that enterprises are looking for is a low-cost way to add strong authentication to identity management.  Among the possible additions or alternatives to passwords are such concepts as tokens, smart cards, and PKI-style services.  “But it’s going to take someone willing to drive down the price of, say, tokens to create a low-cost solution,” he added.

There are hints that that might happen as early as the end of 2004 or the beginning of 2005, Perkins said, if only because rivals of RSA, the dominant player in the identity management market with its SecurID, want to break its grip.  “If a competitor can shake that tree, things will loosen up.”

One of Meta Group’s clients, for instance, wanted to deploy token-based authentication to its entire 60,000+ employee workforce, but the price tag was simply too high.

Instead, companies tend to apply the higher-cost, but more secure, authentication to higher-value assets, such as servers, and leave passwords, as ineffective as they are, to defend other assets, like desktops.

Posted on 09/27