Marc Boroditsky, Passlogix: The Death of Passwords

September 2008 by Marc Boroditsky, President, CEO and Director Passlogix

For decades, passwords have been the bedrock of IT security, with users having to remember a unique password for every enterprise application. The result has been a nightmare. In an organisation with 10,000 employees using two dozen applications, with a unique password for each, the IT department could have up to 240,000 different passwords to manage. The result? Enormous administrative complexity and burden. Add strict password change and selection policies to the mix and it is clear why passwords have become such a frustration.

A number of high profile cases have highlighted what can happen when passwords are misused. In 2007 TJ Maxx admitted that hackers had stolen credit and debit card numbers from the company over an 18 month period putting over 45 million customers at risk. The security breach, which cost the firm an estimated $4.5 billion, was put down to TJ Maxx’s failure to secure its network from attack. A TJ Maxx employee later revealed the shocking extent of the company’s lax security, claiming employees were able to log on to company servers with blank passwords and passwords and usernames were written on post-it notes.

More recently, in July 2008, the City of San Francisco discovered that a disgruntled network administrator had reset all administrative passwords to the routers for the city’s FiberWAN network and locked all his colleagues out. The rogue employee refused to hand over the new passwords, causing an expected eight-week delay in regaining network control.

Users: the weakest link

But even happy, satisfied employees can create huge password problems just by following basic human instincts. When given the freedom to choose their own passwords, users will go for easy-to-remember “obvious” choices. Most people will use their birthday, name, or some combination of the two because it’s the first thing that comes to mind – and far easier than taking the time to think up a complex password. Their very simplicity and obviousness, however, make them easier to hack and therefore provide a fairly low level of security.

In addition, lazy users tend to pick the same password, or a close variation of it, for every application on their desktop. This might reduce the complexities faced by the IT department, but computer hackers are well aware of the phenomenon – routinely relying on it to breach security systems through passwords derived from easy-to-discover personal data. The alternative – more complex passwords – is also fraught with problems. Although hackers have a tougher time figuring them out, users often forget them.

Broadly speaking, there are two types of users: those who write down their passwords, and those who don’t. The latter rely on memory for password recall, the performance of which declines in direct proportion to both the complexity and number of passwords. This results in frequent calls to the help desk for password resets, which industry analysts estimate cost £10 to £20 per call for IT support alone. Added to that figure is the cost of lost productivity as the user waits for a new password to get back into the application he needs. If each user in a company of 10,000 employees makes one password reset call to the IT help desk per month, and the cost is £10 per call, the annual password reset bill comes to over £1 million a year.

As for those users who write down passwords, they naturally do it in easily remembered places: an index card in the top desk drawer, a sheet of paper taped to the cubicle wall, or a sticky note on the side of the PC monitor. It’s a gift for unauthorised users, who pirate these passwords for illicit network access with almost no effort at all.

The rise of the profit-turning hacker

If employees are one source of weakness, then deliberate malicious attacks are another. In addition to the kudos that drove many ‘old-school’ hackers, there is now money to be made from cracking passwords and infiltrating systems. If a firm is unfortunate enough to be the victim of a hacker who is prepared to put the work in, then even memorized and complex passwords are vulnerable. Hackers will call unsuspecting users, pretending to be computer support staff, and ask for the password. Or, the hacker will call the help desk, pretending to be a user who forgot his password.

In addition, many desktops allow Windows to fill in password data automatically. If the passwords for individual applications are stored on the desktop in unsecured cookies, then spyware, worms, and other malicious code can easily steal account information, including login details and passwords.

The more advanced cyber-thieves have access to a wide range of “password crackers” with software specifically designed to decipher passwords: applications like John the Ripper, Brutus, and Russian Password Crackers are becoming increasingly common. Phishing is another common and profitable method for stealing passwords.

However, the underlying problem with passwords, and the weakness that every hacker exploits, is that they do not fulfil the fundamental requirements of IT security. To protect systems, each user should have an identifier that is unique to him. But no password or PIN really meets that requirement: anyone who possesses that password or PIN can get into the system.

The Holy Grail of passwords: Enterprise Single Sign-on

The solution to the password problem is not to eliminate passwords but to eradicate the need for users to remember them, as this instantly removes the majority of problems associated with password management. This approach, known as enterprise single sign-on (ESSO), enables users to sign on to the network once with a single password. Once signed in, those users can access all their applications - without having to remember or enter another set of details each time. Instead, the passwords are served to the applications automatically by the ESSO system.

ESSO has often been seen as too costly and labour-intensive to ever be truly attainable in large enterprises, and this was certainly the case with the first generation of single sign-on solutions. However, the software has moved on and industry-standard sign-on platforms upon which an enterprise can build a full suite of single sign-on solutions that address all their password-related requirements are now available.

With the new generation of ESSO platforms users no longer need to remember individual passwords. The human memory factor is removed so passwords can be made complex – as complex as the logic of the individual application permits. IT security experts have long argued for passwords to have at least eight characters, at least one number, and at least one special character and to combine upper and lower case letters – with ESSO that now becomes a possibility.

By generating all application credentials randomly and automatically, they can also be made as complex as, and changed as frequently as, the application permits. This provides a much higher level of security, since they are nearly impossible for unauthorised users to discover. With a different, complex credential for each user and each application, systems are more difficult to breach, and data is more securely locked down.
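As an added illustration (not Passlogix code or part of the original article), here is how an ESSO vault could issue a distinct, random, policy-compliant credential per application, using the complexity rules stated above; the special-character set, per-application length limits and application names are assumed.

```python
import secrets
import string

# Policy as stated in the article: at least eight characters, at least one
# digit, at least one special character, and both upper- and lower-case letters.
MIN_LENGTH = 8
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?/"  # assumed set; real applications differ


def meets_policy(credential: str) -> bool:
    """Check a credential against the article's minimum complexity rules."""
    return (
        len(credential) >= MIN_LENGTH
        and any(c in UPPER for c in credential)
        and any(c in LOWER for c in credential)
        and any(c in DIGITS for c in credential)
        and any(c in SPECIAL for c in credential)
    )


def generate_credential(length: int = 16, special: str = SPECIAL) -> str:
    """Generate a random credential that satisfies the policy by construction.

    One character is drawn from each required class, the remainder from the
    full alphabet, and the result is shuffled with a CSPRNG so the positions
    of the required classes are not predictable.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    classes = [UPPER, LOWER, DIGITS, special]
    chars = [secrets.choice(cls) for cls in classes]
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def rotate_credentials(app_max_lengths: dict) -> dict:
    """Issue a fresh credential per application, as complex as each app permits.

    app_max_lengths maps application name -> longest credential it accepts
    (assumed values). Reuse across applications is rejected outright.
    """
    creds = {app: generate_credential(limit) for app, limit in app_max_lengths.items()}
    if len(set(creds.values())) != len(creds):
        raise RuntimeError("credential collision: refusing to reuse a password")
    return creds
```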

Indeed, implementing ESSO across an organisation eliminates most of the problems associated with traditional password use, such as lost or forgotten log-in details, and brings increased productivity, lower support costs, reduced programming costs and improved network security. Furthermore, it aids compliance with the Sarbanes-Oxley Act, the Data Protection Act, and other regulations requiring data to be kept private, confidential, and secure.

The Death of Passwords

The easiest way to calculate the ROI of freeing the user from password complexity is to measure the reduction in password reset calls to the help desk. Experience and analysis over the last ten years shows that as much as 40 per cent of help desk calls may be password related. At the world’s largest enterprise, the United States Postal Service, implementing ESSO saved the organisation millions of dollars a year in reduced support calls. Most organisations experience payback in less than six months, and triple-digit ROI after three years.

With the new generation of ESSO, eliminating passwords is no longer a pipe dream. Backed up by two-factor authentication, to add extra layers of security, it allows organisations to adopt password best practice: application-specific, frequently changed and complex. The password problem could soon be over.
