Companies urged to move beyond passwords

In today's security climate, passwords are apparently no longer enough to guarantee user authentication

Companies are "fiddling while Rome burns" by continuing to put their faith in passwords to guarantee user authentication, according to a Gartner analyst.

Speaking at the Gartner IT Security Summit in London on Wednesday, research vice-president Ant Allan warned that "passwords are no longer adequate as threats against them increase."

Those emerging threats are intimately linked to emerging technology, such as Wi-Fi and Web services. As the usage of these services grows, more cybercriminals will attempt to exploit them. There is a business value in adopting new technology, but security needs to keep up, according to Gartner.

The increasing sophistication of attacks and the professionalism of cybercriminal gangs have led companies to make passwords longer, or to change them more frequently. "This is a bad idea," said Jay Heiser, Gartner research vice-president. "Users respond by forgetting passwords, or writing them down, which can compromise security in a different way."

The future of authentication is "something stronger", according to Allan. "RSA security tokens, smart cards, and biometrics are becoming increasingly popular. The problem with those methods is that they are expensive to implement," he said.

Some security experts have been urging companies to use two-factor authentication — where users present a second form of identification as well as their password — for some time, though not all agree it is the way forward. Security guru Bruce Schneier summed up many of the arguments against two factor authentication in an interview earlier this year, saying: "People are selling two-factor authentication as the solution to our current identity-theft problems, but it was designed to solve the issues from 10 years ago."

"We are finding that European companies are more accepting of the higher cost of these solutions, while the US back away because they don't want to burden users [with complex procedures]," Allan said.

Less expensive solutions include mobile phone tokens for one-time password authentication, or ID cards.

Colin Thompson, vice-president of enterprise sales for security company Aladdin, agrees that companies will need to start tying in some kind of physical ID with digital ID.

"To access your bank account you need a bank card and PIN. If you lose that card you know your security has been compromised. We need some kind of smart card or certification because individual users in companies are still at risk," he said.

"Two-factor authentication is the way forward. Once you're into a system, we need greater simplicity, though. No more different username and password for different sites."

The risk of passwords being compromised is becoming greater and greater, according to John Girard, another Gartner analyst, because it's becoming easier to download tools that will crack them.

"The 'Magical Jellybean' tool is downloadable, and will find your licence key if you've lost it," he told the audience at the security summit, referring to a utility that is freely available over the Web.

"'Free Word and Excel password recovery wizard' enables you to crack passwords by brute force. It's good for shorter passwords. Longer passwords take about 16 hours, but if you really want to get in, you can," Girard warned.

The problem with most passwords is that there is nothing in the system to stop you looking again and again, so they are susceptible to brute force, according to Girard.