
Password imperfect

Microsoft is leading by example in its push to ease the security risks posed by passwords.


By Robert Lemos
Staff Writer, CNET News.com

For years, Microsoft has hammered away at the security flaws in its desktop operating system. Now the company is looking to plug another security hole: weak passwords.

People tend to choose easy-to-remember passwords—which means they're easy to crack. Even complex passwords can be stolen. They've moved from a security measure to a security risk, says Microsoft Chair Bill Gates, who for the past year has been publicly urging customers to stop relying on passwords.

Last month, the software giant set an example for those customers when it kicked off a big push to adopt a second security measure for its internal networks: smart cards for every employee. By the end of 2005, tens of thousands of telecommuting Microsoft employees will be issued the cards, which will be required to log on to the company's networks.

"Moving to biometric and smart cards is a wave that is coming, and we see our leading customers doing this," Gates told attendees at the IT Forum in Denmark last month. "In time, we will completely replace passwords."

Doubling down on security

The smart card Microsoft is adopting is not the only option for companies looking to add security to their network login.

Smart card
What: A plastic card, similar to a credit card, that contains a chip. The chip holds information and restricts access to only those with the proper personal identification number.

Pro: Can be used for access to both buildings and networks.

Con: Cards could be forgotten or stolen; readers and cards cost money.

USB token
What: A key fob with a USB attachment that carries security information using memory technology similar to that found in a smart card.

Pro: Low-cost, because modern computers all come with a USB port.

Con: Tokens could be forgotten or stolen; not all USB ports are easy to access; only good for computer and network access.

Password generator
What: A matchbox-size device that generates a sequence of numbers acting as a one-time password.

Pro: No connection to PC needed.

Con: Device could be forgotten or stolen; requires user to input the mathematically generated sequence; only good for computer and network access.

Biometric reader
What: Technology based on a human trait that can be used to identify a person, most often a fingerprint.

Pro: Biometrics cannot be forgotten or stolen; can be used for building and network access.

Con: Expensive to deploy; recognition problems can occur.

Source: CNET News.com

This isn't the first time Microsoft has got behind smart cards as a second line of protection for businesses. But this time, companies have already been sold on security. Organizations have been made more aware of the danger of passwords by a new set of concerns, such as the terrorist acts of Sept. 11 and Enron-inspired regulations that require companies to account for information security.

To help lock down their networks, many companies are moving to centralized servers for handling the authorization of people attempting to access a network—whether employees entering a corporate system or shoppers logging in to an e-commerce site. These identity management systems make network management simpler, but they also put the most valuable network data in a single place—guarded by a password.

A simple system of a log-on name and a password, no matter how complex, cannot guarantee that an unauthorized user will be prevented from getting access to critical systems.

Passwords chosen by an individual are generally very easy for a machine to guess. Common variations are: a word followed by numbers, two words together, or a word with a number replacing a letter. All can be broken within minutes by the latest password-cracking programs.
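The three patterns named above are exactly what a server-side password policy check should reject before a password is ever accepted. The following is an added example written for this article, not Microsoft's or CNET's code; it uses a constructed eight-word dictionary and a small substitution map, both assumptions that a real deployment would replace with a full word list and a broader substitution table.

```python
import re

# Constructed toy dictionary; a real policy check loads a full word list.
WORDLIST = {"password", "summer", "dragon", "welcome",
            "monkey", "letmein", "admin", "secret"}

# Common "number replacing a letter" substitutions, undone before lookup.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(stem: str) -> str:
    """Undo digit/symbol-for-letter substitutions so p@ssw0rd -> password."""
    return stem.translate(LEET_MAP)


def weak_pattern(password: str):
    """Return the name of the first weak pattern the password matches, or None.

    Patterns checked, matching the article's list:
      word+digits       a dictionary word followed by numbers (summer2004)
      two-words         two dictionary words joined together (dragonmonkey)
      leet-substitution a dictionary word with letters swapped for digits/symbols
      dictionary-word   a bare dictionary word
      digits-only       nothing but numbers
    """
    if password.isdigit():
        return "digits-only"
    lowered = password.lower()
    # Split a trailing run of digits off the stem: "summer2004" -> ("summer", "2004")
    m = re.fullmatch(r"(.*?)(\d*)", lowered)
    stem, digits = m.group(1), m.group(2)
    norm = normalize(stem)
    if norm in WORDLIST:
        if norm != stem:
            return "leet-substitution"
        return "word+digits" if digits else "dictionary-word"
    # Try every split point for two concatenated dictionary words.
    for i in range(1, len(norm)):
        if norm[:i] in WORDLIST and norm[i:] in WORDLIST:
            return "two-words"
    return None


def check_policy(password: str, min_len: int = 12) -> list:
    """Collect every policy violation so the user gets all feedback at once."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    pattern = weak_pattern(password)
    if pattern:
        problems.append(f"matches weak pattern: {pattern}")
    return problems


if __name__ == "__main__":
    for candidate in ["summer2004", "dragonmonkey", "p@ssw0rd", "correct-horse-battery"]:
        print(candidate, "->", check_policy(candidate) or "accepted")
```

The pattern check deliberately runs after the substitution map is undone, so `dr4gon2004` is caught as a leet variant of a dictionary word rather than slipping through as an unfamiliar string.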

"Any password that we can expect people to remember can be brute-forced," said Bruce Schneier, chief technology officer for Counterpane Internet Security and author of several books on security.

Consumers are worried as well. Phishing attacks—scams that use e-mail messages and fake Web sites to fool victims into giving up personal information—will likely cost home users between $150 million and $500 million, according to two estimates. In addition, surveys of home PCs have found as many as 80 percent infected with spyware—software that surreptitiously reports on a computer user's habits and data.

Both trends highlight a major problem with passwords: Even the best password can be stolen. A digital thief armed with the password would likely appear to be the legitimate system user.

The solution, security experts say, is to use two checks to protect systems—what's known as two-factor authentication. This combines a security device that people need to keep with them—such as a smart card—with a password or secret personal identification number, or PIN, to protect against unauthorized access.
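To show what the server side of this combination looks like, here is an added example written for this article, not Microsoft's or Axalto's code. It pairs a hashed PIN (the thing you know) with a one-time password of the kind the matchbox-size generator in the sidebar produces (the thing you have), using the HMAC-based algorithm from RFC 4226. The shared token secret is the RFC's own test-vector value, and the look-ahead window of three is an assumption chosen for the demo.

```python
import hashlib
import hmac
import secrets
import struct

DIGITS = 6
# Constructed demo value: the RFC 4226 test-vector secret. In practice the
# secret is provisioned onto the device and kept in a protected server store.
TOKEN_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """One-time password for a given counter (RFC 4226), as the device displays it."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a stolen database does not yield the PIN directly."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class TwoFactorAccount:
    """Server-side record for one user: PIN hash plus the token's counter state."""

    def __init__(self, pin: str, token_secret: bytes, look_ahead: int = 3):
        self.salt = secrets.token_bytes(16)
        self.pin_hash = hash_pin(pin, self.salt)
        self.token_secret = token_secret
        self.counter = 0                 # next counter value the server expects
        self.look_ahead = look_ahead     # assumed window for unused button presses

    def verify(self, pin: str, otp: str) -> bool:
        """Both factors must check out; a used code can never be accepted twice."""
        pin_ok = hmac.compare_digest(hash_pin(pin, self.salt), self.pin_hash)
        matched = None
        # Always scan the whole window so timing does not reveal which factor failed.
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.token_secret, c), otp) and matched is None:
                matched = c
        if not pin_ok or matched is None:
            return False
        # Move past the consumed counter: replaying the same code now fails.
        self.counter = matched + 1
        return True


if __name__ == "__main__":
    account = TwoFactorAccount("1234", TOKEN_SECRET)
    print(account.verify("1234", hotp(TOKEN_SECRET, 0)))   # True: both factors
    print(account.verify("1234", hotp(TOKEN_SECRET, 0)))   # False: replayed code
    print(account.verify("0000", hotp(TOKEN_SECRET, 1)))   # False: wrong PIN
```

Note that a wrong PIN does not advance the counter, so the genuine user's next press on the device still lands inside the window, while a thief holding only the device (or only the PIN) gets nothing from either factor on its own.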

Such security is routinely used by the military and by government agencies. The U.S. Department of Defense has rolled out a Common Access Card to most personnel, and the Transportation Security Administration has started prototyping its Transportation Workers Identity Card and hopes to have the smart cards issued to 200,000 cargo and transportation workers by June 2005.

In its case, Microsoft hopes to tackle the insecurities posed by more than 60,000 employees and contractors who connect to its network through 175 different remote access points worldwide. That kind of implementation can be expensive, costing companies tens of dollars per employee. Centralized identity management systems cut costs and add security. For the most part, two-factor authentication just adds cost, said Charles Fitzgerald, Microsoft's general manager of platform strategies.

"The move we made was driven by a security perspective, not an operational-cost perspective," he said.

In its internal push, Microsoft is piloting its own technology: It's using .Net-enabled smart cards provided by Axalto, formerly known as Schlumberger. That puts .Net, Microsoft's software platform for running software on any device, back into competition with Sun Microsystems' JavaCard software for smart cards.

The smart-card push comes after Microsoft has made a few missteps in the identity management arena. Its pint-size Windows CE for Smart Cards operating system failed to attract developers. On top of that, its Passport service, a foray into online consumer identity management, did not win over enough service providers to become useful.

Fears about e-commerce fraud are adding momentum to the smart-card drive. The password issue is a lurking iceberg, and e-commerce sites, financial institutions and other large companies have only seen the tip of it, said Perakash Ramamurthy, vice president of products and technology for Oblix, a maker of identity management systems. Consumers and employees have multiple accounts holding personal information, and an attacker only has to find the one with the weakest security.

"Identity is one thing that is being duplicated," Ramamurthy said. "And when you have that information more than once, you have a security hole."

For the moment, Microsoft's plugging of that hole in its internal systems is not being carried over to its technology for consumers. People with password worries will have to wait and see whether the company puts any provisions in place in its software.

"Enterprises are more willing to invest to solve the problems," Microsoft platform strategist Fitzgerald said. "On the consumer side, I am not saying that we are doing nothing in that space, but the things that we have talked about over the last few weeks have little to do with consumers."
