
Password chaos threatens e-commerce

Keeping track of the proliferation of passwords for networks, applications, and Web sites is enough to make the most organized person go mad. Some solutions exist, but they don't go quite far enough.

By Wayne Rash

It's bad enough when you go to Amazon.com to order a book and can't remember your username and password. But at least it's probably not mission critical; if you have to wait until Amazon sends you your reminder, you can still find something to read. When you're trying to make things flow smoothly through your company's supply chain, however, you can't afford to wait. You're ordering supplies for just-in-time delivery, and delays can cost you in a big way.

The problem is that your purchasing department has the same password chaos you have, only more of it. Each of your purchasing people may have to visit dozens of sites over the course of a week, and each site requires a username and password. To make matters worse, it's also possible that the sites and servers on your intranet require different information. There's no question that as e-commerce expands, the problem of password management needs to be solved before it becomes so complex that e-commerce becomes nearly impossible to conduct.

Internal solutions
Internally, most companies already have the tools to deal with passwords (and authentication in general). Windows-based networks get single sign-on from the operating system's domain logon, and NetWare networks can authenticate globally through NDS. The problem goes beyond that, though. Companies with mixed networks, perhaps including Windows, NetWare, and Linux or UNIX servers, need something more global, and none of this helps employees who must authenticate to systems outside the company.

There are products, such as P-Synch from M-Tech Mercury Information Technology, Inc., that support password management across a variety of platforms. Other solutions include password management as part of a broader security provisioning solution, such as eProvision Day 1 from Business Layers. With these products, you can set up authentication and, in some cases, permissions for employees so that they don't need to spend their time trying to remember how to access enterprise resources. All they need to do is to log on to the network.

The business-to-business problem
Unfortunately, there's no simple answer for external commerce sites. Microsoft and Sun Microsystems have efforts afoot to allow broader authentication on the Internet, but these are aimed mostly at consumer sites and don't help much if you're trying to order a thousand high-strength stainless bolts for delivery on Tuesday. Technically, you could run Microsoft's Passport internally or with selected partners as a "closed" sign-on and authentication system, so Microsoft itself wouldn't be holding the data. But because we're talking about a group, perhaps an ad hoc group, of companies, the questions become: Who's running the Passport operation, and who's holding the data? In this area there are effectively no standards and no common approaches. Every site just wants a username and a password, each with its own varying requirements.

While varying requirements are probably a good thing from a security standpoint, they're also a weakness if users can't remember how to log on to each supplier site. Why? Because they'll write the information down on a Post-it Note and stick it to the side of their monitor. They'll also choose usernames and passwords that are as similar as possible across all systems so that they have a better chance of remembering them. That, of course, is a security problem for you: anyone who learns one purchasing staffer's logon information can try it at every other supplier, pose as part of your company, and place orders on your credit. And because the credentials are reused, a leak at a single supplier site exposes your accounts at all the others. This is not a good thing.

Fortunately, there are a few solutions. Some, such as Darn! Passwords! from Emmasoft, recognize Web sites that require passwords and present the stored password so you can paste it in as required. Unfortunately, anyone with access to the computer while the product is running can do the same, so your purchasing staff members would have to lock, or shut down, their computers whenever they step away, even for lunch.

A much more secure approach is the EBP from Mandylion Research Labs, which the company calls a "Palm Pilot for passwords." It's a doohickey about the size of a keyless-entry remote that requires a special button sequence before it will open; it then provides a database of all the Web sites you access and their passwords. Even better, it generates strong passwords that match each site's password requirements, so the only thing left to remember is the button sequence, which is also what stands between a lost device and its contents.
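As an added example (not code from the article, from Mandylion, or from Emmasoft), here is the per-site generation such a device performs, in Python: each site gets a random password drawn from the operating system's CSPRNG at the longest length the site accepts, satisfying that site's character-class minimums, plus a checker for the cross-site reuse problem described above. The two supplier policies, the site names, and the vault layout are constructed for illustration and stand in for no real supplier's rules.

```python
import secrets
import string

# Two constructed supplier policies standing in for the "varying requirements"
# the article describes; they are illustrations, not any real site's rules.
SITE_POLICIES = {
    "bolts.example": {
        "min_length": 8, "max_length": 12,
        "lower": 1, "upper": 1, "digit": 1, "symbol": 1,
        "symbols": "!@#$%^&*",
    },
    "gaskets.example": {
        "min_length": 10, "max_length": 16,
        "lower": 2, "upper": 2, "digit": 2, "symbol": 0,
        "symbols": "",          # this site rejects punctuation entirely
    },
}

CLASS_NAMES = ("lower", "upper", "digit", "symbol")


def _alphabets(policy):
    """Map each character class to the characters the site allows for it."""
    return {
        "lower": string.ascii_lowercase,
        "upper": string.ascii_uppercase,
        "digit": string.digits,
        "symbol": policy.get("symbols", ""),
    }


def generate_password(policy):
    """Return a random password satisfying policy, at the longest length it allows.

    Draws from the OS CSPRNG via `secrets` (never `random`, whose Mersenne
    Twister output is predictable once some of it has been observed). The
    required characters for each class are picked first, the remainder from the
    full allowed alphabet, and the result is shuffled with a secrets-driven
    Fisher-Yates so the mandatory characters do not sit in fixed positions.
    """
    alphabets = _alphabets(policy)
    length = policy["max_length"]
    chars = []
    for cls in CLASS_NAMES:
        need = policy.get(cls, 0)
        if need and not alphabets[cls]:
            raise ValueError(f"policy requires a {cls} character but allows none")
        chars.extend(secrets.choice(alphabets[cls]) for _ in range(need))
    if len(chars) > length:
        raise ValueError("policy's per-class minimums exceed its maximum length")
    allowed = "".join(alphabets.values())
    chars.extend(secrets.choice(allowed) for _ in range(length - len(chars)))
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_policy(password, policy):
    """Check a password against a site's length, alphabet and class-count rules."""
    alphabets = _alphabets(policy)
    if not policy["min_length"] <= len(password) <= policy["max_length"]:
        return False
    allowed = set("".join(alphabets.values()))
    if any(ch not in allowed for ch in password):
        return False
    return all(
        sum(ch in alphabets[cls] for ch in password) >= policy.get(cls, 0)
        for cls in CLASS_NAMES
    )


def find_reused(vault):
    """Return groups of sites (sorted lists) that share the same password.

    This is the reuse the article warns about: one leaked supplier credential
    then opens every other site in the group.
    """
    by_password = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


if __name__ == "__main__":
    # Constructed vault: one generated password per supplier policy above.
    vault = {site: generate_password(pol) for site, pol in SITE_POLICIES.items()}
    for site, pw in vault.items():
        print(site, pw, meets_policy(pw, SITE_POLICIES[site]))
    print("reused:", find_reused(vault))
```

Generating at the site's maximum rather than minimum length is deliberate: length adds far more to an attacker's search space than an extra required symbol does, and a generated password costs the user nothing to remember. The reuse check is the one a purchasing manager would actually want to run over the vault, since a shared password turns a breach at one supplier into a breach at all of them.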

Final word
While there are solutions that can help your employees cope with password proliferation on commerce sites, none of them simplifies the process itself; each user still holds a separate credential for every site. In that sense, the products are a half-measure at best, though in Mandylion's case a very secure one. What's needed is a new approach that any Web site could adopt to authenticate necessary access. Unfortunately, that approach doesn't seem to be on the horizon.
