Beyond Passwords Part 1: Stronger Authentication

By Lisa Phifer | Posted April 14, 2005

Today, many small businesses rely on passwords to keep their company and customer data secure. Although passwords do offer a certain amount of protection, stronger and more effective options exist that can significantly improve your company's data security.

Many companies enforce password length, complexity and update rules, believing that passwords with more than seven alphanumeric characters take much longer to brute-force crack than do shorter, simpler passwords. While this is true, the actual time required to guess passwords with cracking tools like L0phtCrack and John The Ripper can be far less than you imagine.

Do your employees have to contend with a cumbersome password system — dozens of passwords, defined independently, with conflicting rules regarding complexity, update and reuse? It's human nature to pick passwords that are easy to remember, like birthdays or names of a spouse, child, pet or sports team.

To satisfy complexity rules, many employees define passwords with a convention, like appending one digit to the same base string. These common practices can make passwords relatively easy to guess in just minutes using dictionary or partial-knowledge attacks.
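As an added illustration (not part of the original article), the sketch below shows a password-change check that flags the habits described above: reusing one base string with a new digit, building on a personal word, or using a date. The function names, the word list and the sample passwords are hypothetical and constructed for this example.

```python
import re

def base_of(password: str) -> str:
    """Lower-case the password and strip trailing digits and punctuation."""
    return re.sub(r"[\d\W_]+$", "", password.lower())

def convention_findings(new_pw, previous_pws, personal_words):
    """Return the reasons a proposed password follows a guessable convention."""
    findings = []
    base = base_of(new_pw)
    suffix = new_pw[len(base):]
    # "Rover1" -> "Rover2": the base string never changes between updates.
    if base and any(base == base_of(old) for old in previous_pws):
        findings.append("same base string as a previous password")
    # Names of a spouse, child, pet or sports team supplied at enrollment.
    if base in {w.lower() for w in personal_words}:
        findings.append("base is a personal word")
    # Complexity rule satisfied only by tacking on one or two digits.
    if base and 0 < len(suffix) <= 2 and suffix.isdigit():
        findings.append("complexity met only by a short digit suffix")
    # Six or eight digits and nothing else, e.g. a birthday.
    if re.fullmatch(r"\d{6}|\d{8}", new_pw):
        findings.append("looks like a date")
    return findings

if __name__ == "__main__":
    # Constructed sample inputs.
    print(convention_findings("Rover2", ["Rover1"], ["Rover", "Alice"]))
    print(convention_findings("19780412", [], []))
    print(convention_findings("tr4verse-Ocean-lamp", ["Rover1"], ["Rover"]))
```

A check like this runs at password-change time, when the user has just typed the old password, so no plaintext history needs to be stored.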

For most people, remembering a complex password longer than seven characters means writing it down somewhere — like on a post-it note that could easily fall into the wrong hands. Some people save passwords in e-mail folders or files, but an unprotected password list is a security incident waiting to happen. Encrypted password "safes" are far better, but even those programs often depend upon one password to unlock the rest.

No matter what their length, passwords are easily compromised through what's called social engineering. In the past, attackers would pose as tech support, calling people to assist with bogus problem resolution and, in the process, request their passwords. Today, attackers flood mailboxes with spam that phishes for passwords by luring people to phony Web sites where they are prompted to "confirm" their account parameters.

For these and many other reasons, password authentication provides a weak foundation for authorization and access control. Putting a weak password in front of an otherwise secure server, firewall or VPN service is like putting a screen door on a bank vault. ISPs can reduce their own risk — and grow customer confidence — by employing stronger authentication methods.

Exploring The Alternatives
More secure authentication methods have been readily available for many years, including tokens, smart cards, digital certificates and biometrics. While these methods vary in complexity, cost and strength, all share a common goal: letting a person demonstrate that he is who he claims to be through one or more factors.

Authentication factors may include:

  • Something you know, like a password or personal identification number (PIN)
  • Something that represents who you are, like a finger, face, iris, or voice scan
  • Something you have in your possession, like a hardware token or smart card

Credentials that you know — like passwords and PINs — are widely used because they're cheap and easy to set up. Passwords are free, you can generate them without assistance, and just about every operating system and client/server protocol includes password authentication. In fact, the only significant operational expense is password reset/recovery.

According to Burton Group and Gartner studies, password resets represent 30 percent of all help desk calls. The META Group estimates that each help desk call costs $25. Clearly, password authentication's "hidden cost" can really add up. You may be spending more than you realize for a solution that's relatively weak.

Even so, stronger credentials not only cost more, they're more difficult to implement than plain old passwords. Depending on the credentialing you choose, you could pay for:

  • Material costs: for USB tokens, biometric scanners
  • Distribution costs: process required to initialize credentials and bind them to individual identities.
  • Infrastructure costs: for purchasing, installing and maintaining new authentication servers and databases.
  • Replacing lost or broken hardware: not as often as password resets, but at a higher per-incident cost.

Why go to this trouble and added expense? Because you get what you pay for. These stronger authentication alternatives are virtually immune to social engineering and password crackers. While employees can easily share passwords, tokens and biometrics are very difficult to abuse in that fashion. Unlike passwords, you don't need to update these credentials at regular intervals to avoid compromise. Although you may need to educate your employees at first, they're likely to find the stronger credentials easier to use (and remember and store) than long, complex and frequently changed passwords.

If you're looking for added security, it's safer to combine two or more factors. For example, employees are often required to enter a simple PIN when authenticating by token. If a keystroke logger captures an employee's PIN, that PIN won't work without the corresponding token. Conversely, if you leave a token in a hotel room, it's little more than a colorful piece of plastic without your PIN. Two-factor authentication solutions like this are routinely employed by many security-conscious organizations.
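The PIN-plus-token check described above can be sketched as follows. This is an added example, not code from the original article: it assumes the token generates counter-based one-time codes per RFC 4226 (HOTP), which the article does not specify, and the class name, PIN and salt are hypothetical.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time code: HMAC-SHA1 of the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def pin_digest(pin: str, salt: bytes) -> bytes:
    """Store only a salted, stretched digest of the PIN, never the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class TwoFactorAccount:
    """Hypothetical server-side record for one employee."""

    def __init__(self, pin: str, token_secret: bytes, salt: bytes):
        self.salt = salt
        self.pin = pin_digest(pin, salt)
        self.token_secret = token_secret
        self.counter = 0  # next token counter the server will accept

    def verify(self, pin: str, code: str, window: int = 2) -> bool:
        # Evaluate both factors every time so a failure does not reveal which was wrong.
        pin_ok = hmac.compare_digest(pin_digest(pin, self.salt), self.pin)
        matched = None
        # Small look-ahead window tolerates button presses that never reached the server.
        for c in range(self.counter, self.counter + window + 1):
            if hmac.compare_digest(hotp(self.token_secret, c).encode(), code.encode()):
                matched = c
        if pin_ok and matched is not None:
            self.counter = matched + 1  # burn the code so it cannot be replayed
            return True
        return False

# Constructed sample data: the secret is the RFC 4226 test key, the PIN is made up.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    acct = TwoFactorAccount("4821", SECRET, salt=b"constructed-salt")
    print(acct.verify("4821", "000000"))         # PIN only, e.g. keylogged
    print(acct.verify("0000", hotp(SECRET, 0)))  # token only, e.g. left in a hotel room
    print(acct.verify("4821", hotp(SECRET, 0)))  # both factors
    print(acct.verify("4821", hotp(SECRET, 0)))  # same code replayed
```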

Show Me The Money
If you choose two-factor authentication, your services and systems will be better protected against unauthorized access and resulting theft or attack. But financial savings associated with improved authentication are notoriously difficult to quantify — after all, how do you measure the potential cost of something that didn't happen?

Consider this example: According to the 2004 CSI/FBI Computer Crime and Security Survey, four out of 10 organizations experienced unauthorized access to information last year, resulting in an average loss of $42,000 per survey respondent.

SMB owners need to evaluate their situation to determine exactly what kind of and how much credentialing security they need. Consider the industry you're in and the type of data you handle. Do you need to meet state or federal compliance standards, such as HIPAA, Sarbanes-Oxley or SEC regulations? Do your customers rely on you to keep their personal information private? Can you afford the financial impact of a security breach?

Consider these factors when looking at your options. You may find that bolstering your authentication security lets you — and your customers — sleep better at night.

Coming tomorrow, Part 2: Implementing The Vision.

Adapted from isp-planet.com.
