It's not uncommon for users and IT personnel to manage a bevy of passwords on a daily basis. While tokens claim to be a simple solution to this password chaos, we aren't so sure they're the best solution. Find out why.

By Wayne Rash

I shoved my salad out of the way and leaned over the lunch table to inspect the thing that looked like a purple key fob. Joe Grajewski, president of Mandylion Labs, was showing me his solution to keeping track of passwords. The device, which is intended to be carried on a key chain, has five buttons and a tiny LCD screen. You access your passwords by pressing a secret combination of the device's five buttons and then scrolling through the passwords. It's one solution to the problem of keeping up with passwords in the enterprise environment, which I mentioned in my article "Password chaos threatens e-commerce." Since then, I've heard from many readers who say they have solutions to the password management problem, so I decided to check some out.

Grajewski's device, which goes by the melodious name of the ebp lite, addresses two of the problems that give IT managers headaches: keeping up with the list of passwords that people need in order to do their jobs, and keeping those passwords secure. You can't just fiddle with the ebp lite and read out the passwords; they are unlocked by the button combination and entered much as you type text on a cell phone keypad. If someone enters the wrong combination too many times, the device will either stop responding or, if you configure it for maximum security, erase its contents.

Clearly, it's vastly more secure than the many freeware password managers that keep your passwords on your computer, if only because the passwords never live on the computer at all, so someone who gains access to your machine still doesn't get them. In addition, the device can generate strong random passwords and remember them for you, so you no longer have to pick things you can't forget, such as Uncle Fred's middle name, as your passwords.

Tokens don't solve the password problem
But no matter how you look at it, this is still a password-only solution. In the flood of e-mails I recently received, I learned a couple of things. First, there is no apparent upper limit to the number of companies that make one or another solution to the password problem, but most of these solutions aren't really very secure. The ebp lite is an exception to that. The other thing I learned is that a number of IT departments think that you can solve the problems of passwords by using tokens. And, of course, they're wrong.

While the best of the tokens look a lot like Grajewski's device, the rest seem to be either cards with magnetic stripes or smart cards. Both work within their limitations, although mag stripe cards suffer a wide variety of perils, from the demagnetizers at music store checkouts to cracking when you carry them in a wallet and sit on them. Smart cards are much more secure, and they can hold biometric templates and other data used to verify that the person presenting the card is who he or she claims to be. Both types of cards require readers to be useful, and those readers aren't cheap. A few of the tokens, such as Aladdin's eToken, plug directly into the USB port on a computer. This may not solve the problem of having to remember multiple passwords, but it does ensure that the person presenting the password also has the token.

The problem is that a token (with a few exceptions) is a lot like your car's ignition key: it proves only that the holder possesses it, not who the holder is. If someone steals it, he or she can do anything you can do, including driving off in your car with your key or, in the case of the token, logging into your computer with your token. For this reason, most token-based solutions also require a PIN or password (something you know on top of something you have). So how do you remember the password that the token requires? Now we're back to that same old password problem again.
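To make the ignition-key point concrete, here is an added example of my own, not code from the column or from Mandylion Labs, that models a PIN-protected fob like the ebp lite: the stored passwords come out only for the right button combination, a retry counter erases the store after too many wrong guesses, and a thief who holds the device gets nothing without the PIN. The five-attempt budget, the five-press PIN, the account names and the password lengths are all assumptions for illustration, not vendor figures.

```python
"""Model of a PIN-protected password token with a retry counter.

Added illustration, not code from the column or from Mandylion Labs.
Assumptions: the PIN is a sequence of presses on the fob's five buttons,
each wrong PIN spends one retry, and at zero retries the store is erased.
"""
import hmac
import secrets
import string
from typing import Dict, Iterable, Optional

BUTTONS = "12345"      # the five buttons on the fob
MAX_ATTEMPTS = 5       # assumed retry budget, not a vendor figure


class PasswordToken:
    """In-memory model of a key-fob password store unlocked by a button combination."""

    def __init__(self, pin: str):
        if not pin or any(ch not in BUTTONS for ch in pin):
            raise ValueError("PIN must be a non-empty sequence of buttons 1-5")
        self._pin = pin.encode()
        self._remaining = MAX_ATTEMPTS
        self._store: Dict[str, str] = {}
        self.wiped = False

    def add(self, account: str, password: str) -> None:
        """Store a password the user chose."""
        self._store[account] = password

    def generate(self, account: str, length: int = 16) -> str:
        """Generate, store and return a random password (no Uncle Fred required)."""
        alphabet = string.ascii_letters + string.digits + string.punctuation
        password = "".join(secrets.choice(alphabet) for _ in range(length))
        self._store[account] = password
        return password

    def unlock(self, pin: str) -> Optional[Dict[str, str]]:
        """Return the password list for a correct PIN.

        A wrong PIN spends one retry; the last failure erases everything, so a
        thief holding the fob cannot simply walk all 5**len(pin) combinations.
        """
        if self.wiped:
            return None
        # Constant-time compare so response timing does not leak which press was wrong.
        if hmac.compare_digest(self._pin, pin.encode()):
            self._remaining = MAX_ATTEMPTS      # a correct PIN resets the counter
            return dict(self._store)
        self._remaining -= 1
        if self._remaining <= 0:
            self._store.clear()                 # the "erase itself" policy
            self.wiped = True
        return None

    @property
    def attempts_left(self) -> int:
        return self._remaining


def steal_and_guess(token: PasswordToken, guesses: Iterable[str]) -> Optional[Dict[str, str]]:
    """What a thief gets from a stolen fob: tries PINs until one works or the fob wipes."""
    for guess in guesses:
        found = token.unlock(guess)
        if found is not None:
            return found
        if token.wiped:
            break
    return None


if __name__ == "__main__":
    fob = PasswordToken("31425")                 # assumed owner's combination
    fob.add("vpn", "hunter2")                    # constructed sample entry
    mail_pw = fob.generate("mail", 20)
    print("owner sees:", fob.unlock("31425"))
    thief_guesses = ["11111", "22222", "33333", "44444", "55555", "31425"]
    print("thief gets:", steal_and_guess(fob, thief_guesses))
    print("fob wiped:", fob.wiped)
```

Note the trade-off the erase policy buys: the thief's sixth guess would have been the right one, but the fob wiped on the fifth, so the owner loses the list too and must restore it from wherever the passwords were originally issued. A stop-responding policy instead of erasure keeps the data but leaves the thief unlimited time to attack the hardware, which is the choice the ebp lite leaves to the owner.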

Yes, there are ways around the password mess, but most of them are either not very secure or very expensive, or they depend on infrastructure (biometric readers, token support) that isn't widely deployed and costs a lot to roll out.

So it looks like we're stuck with passwords for a while
Fortunately, there are things you can do. You can standardize on something like Aladdin's eToken for access to company computers. This helps avoid the problem of workers leaving their computers logged on while they're away, provided the workstation locks when the token is removed: if your tokens are on key chains, people will take them along. And you can insist on strong passwords if you give your people a way to remember them. The ebp lite does that.

Together, these devices make a reasonably priced, extremely secure means of making the password mess survivable. And you won't have to worry about someone guessing Uncle Fred's middle name any more.

This document was published by ZDNet Tech Update on Feb. 22, 2002.

