
Password chaos threatens e-commerce

As enterprise e-commerce use expands, Wayne Rash says that managing your user passwords isn't a negotiable capability.
Written by Wayne Rash, Contributor
It's bad enough when you go to Amazon.com to order a book and can't remember your user name and password. But at least it's probably not mission critical; if you have to wait until Amazon sends you your reminder, you can still find something to read. But when you're making things flow smoothly through your supply chain, you can't afford to wait. You're ordering supplies for just-in-time delivery, and delays can cost you in a big way.

The problem is that your purchasing department has the same password chaos you have, only more of it. Each of your purchasing people may have to visit dozens of sites over the course of a week, and each site requires its own user name and password. Worse, the sites and servers on your own intranet may demand yet another set of credentials. There's no question that as e-commerce expands, the problem of password management needs to be solved before it goes from its current level of chaos to something so complex that e-commerce becomes impossible to conduct.

As far as dealing with passwords (and authentication in general) internally, most companies have the tools at hand. For companies using Windows-based networks, single sign-on is built into the operating system. Likewise, NetWare networks can support global authentication through NDS. However, the problem goes beyond that. Companies with mixed networks, perhaps including Windows, NetWare and Linux or Unix servers, need to find something more global. And none of that helps those employees who deal with external authentication.

There are products, such as P-Synch from M-Tech Mercury Information Technology, Inc., that support password management across a variety of platforms. Other solutions include password management as part of a broader security provisioning solution, such as eProvision Day 1 from Business Layers. With these products you can set up authentication, and in some cases permissions, for each employee, so that they don't need to spend their time trying to remember how to access enterprise resources. All they need to do is log on to the network.

Unfortunately, there's no simple answer for external commerce sites. While there are some efforts afoot from Microsoft and Sun to allow for broader authentication on the Internet, these are mostly aimed at consumer sites. They don't help much if you're trying to order a thousand high-strength stainless bolts for delivery on Tuesday. Technically, of course, you could use Passport internally or with selected partners in a "closed" sign-on/authentication system. Microsoft wouldn't be holding the data; but because we're talking about a group--perhaps an ad hoc group--of companies, the question then becomes: who's running the Passport operation, and who's holding the data? In this area, there are effectively no standards and no common approaches. Everybody just wants a user name (for which they have varying requirements) and a password (ditto on the varying requirements).

While those varying requirements may look like a plus from a security viewpoint, since they make it harder to use one password everywhere, they become a weakness as soon as users can't remember how to log on to each supplier site. Why? Because they'll write the information down on a Post-it Note and stick it to the side of their monitor. They'll also choose a user name and password that's as close as possible to being the same across all systems so they have a better chance of remembering it. This, of course, is a security problem for you, because it means that anyone who learns your purchasing staff's log-on information for one site can pretend he or she is part of the company on the others, and buy stuff with your credit. This is not a good thing.

Fortunately, there are solutions. Some, such as Darn! Passwords! from Emmasoft, will recognize Web sites that require passwords and present the stored password to you so that you can paste it in as required. Unfortunately, the stored passwords are only as protected as the desktop they sit on: anyone with access to the computer while the product is running can retrieve them too, so your purchasing staff would have to lock or shut down their computers whenever they step away, even for lunch.

A much more secure approach is the EBP from Mandylion Research Labs. The company calls its device a "Palm Pilot for Passwords." It's a doohickey about the size of your keyless entry remote--the item you carry on your keychain that can lock your car from outside--that requires a special button sequence before it will unlock. It then provides a database of all the Web sites you access and their passwords. Even better, it generates really secure passwords for each site that match the password requirements of that site, so the user never has to invent, or remember, one.
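To make concrete what "generates secure passwords that match each site's requirements" involves, here is an added example in Python. It is not Wayne Rash's code and not Mandylion's firmware; it models the same job a per-site generator has to do on a desktop. The site names, the policy fields (minimum and maximum length, required character classes, banned characters) and the sample policies are constructed for illustration, not real supplier requirements.

```python
"""Policy-aware random password generation (added example, not from the article).

Each site publishes different rules; the generator draws from the OS
randomness source, rejects candidates that break a site's rules, and
reports how many bits of entropy the site's own rules leave you with.
"""
import math
import secrets
import string

# Character classes a site policy may require or ban.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*-_=+",
}

# Constructed sample policies; the hostnames and rules are invented.
POLICIES = {
    "supplier-a.example": {"min": 8, "max": 12,
                           "require": ["lower", "upper", "digit"], "banned": ""},
    "supplier-b.example": {"min": 12, "max": 20,
                           "require": ["lower", "upper", "digit", "symbol"], "banned": "@#"},
    # A site that accepts letters and digits only, and caps length at 8.
    "intranet.example": {"min": 6, "max": 8,
                         "require": ["lower", "digit"], "banned": CLASSES["symbol"]},
}


def allowed_pool(policy):
    """Every character the site accepts: all classes minus the banned set."""
    return "".join(c for cls in CLASSES.values() for c in cls if c not in policy["banned"])


def meets_policy(password, policy):
    """True if the password satisfies length, banned-character and class rules."""
    if not policy["min"] <= len(password) <= policy["max"]:
        return False
    pool = set(allowed_pool(policy))
    if any(c not in pool for c in password):
        return False
    return all(any(c in CLASSES[cls] for c in password) for cls in policy["require"])


def generate(policy, length=None, max_tries=1000):
    """Draw a uniformly random compliant password by rejection sampling.

    Using the site's maximum length by default squeezes the most entropy
    out of the site's own rules.  Rejection sampling (rather than forcing
    one character per class and shuffling) keeps every compliant password
    equally likely.
    """
    length = policy["max"] if length is None else length
    if not policy["min"] <= length <= policy["max"]:
        raise ValueError("length outside the site's allowed range")
    pool = allowed_pool(policy)
    for _ in range(max_tries):
        candidate = "".join(secrets.choice(pool) for _ in range(length))
        if meets_policy(candidate, policy):
            return candidate
    raise RuntimeError("policy too restrictive to satisfy")


def entropy_bits(policy, length=None):
    """Upper bound on guessing work: log2(pool size) per character."""
    length = policy["max"] if length is None else length
    return length * math.log2(len(allowed_pool(policy)))


if __name__ == "__main__":
    for site, policy in POLICIES.items():
        pw = generate(policy)
        print(f"{site:22} {pw:22} ~{entropy_bits(policy):.0f} bits")
```

Run it and the third line makes the article's point about site-imposed rules: the letters-and-digits, eight-character "intranet" policy leaves roughly 48 bits of entropy no matter how good the generator is, while the twenty-character policy allows well over 100. A generator like this on a desktop still has the Darn! Passwords! problem of where the results are stored; the token described above moves that storage off the PC.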

So at least there are solutions that can help your employees cope with the password proliferation on commerce sites. Unfortunately, these solutions do nothing to simplify the process. In that sense, the products are a half-measure at best, but at least in the case of Mandylion, it's a very secure measure. What's needed is a new approach that can be adopted by any Web site that will authenticate necessary access. Unfortunately, that approach doesn't seem to be on the horizon.
