The future of password security: no easy answers


Along with the spread of services on the Web and elsewhere has come the proliferation of passwords. We’re awash in them – passwords to access our computers, various e-mail accounts, social networks, financial institutions, wireless networks and more.

Some in the security world think that we rely so much on passwords for security that they’ve become a liability; people have to generate so many tough-to-remember access codes that they are resorting to using the same ones repeatedly, compromising the system.

Regardless, we can be sure of this much: as mobile computing becomes even more a way of life, we’ll be inundated with more and more passwords. Someone or something will have to help us manage them all. I chatted with Stephane Fymat, Vice President of Sales Operations and Product Management at password management company Passlogix, to get his company’s view of the landscape. Below is an edited IM transcript.

Fortt: Can you lay out for me what you see as the problem with passwords today?

Fymat: Okay. The main problem is that the number of passwords per user is increasing dramatically because of the proliferation of applications and Web-based services, all of which have their own IDs. The burden falls on two sides: the user, who must remember them all; and the help desk administrator, who must assist the user when he or she forgets the password.

Users try to make their lives easier wherever possible, and do so by trying to harmonize the passwords wherever possible. Some statistics for you: A majority of users have more than six passwords. A third of them more than 15. And IT administrators up to 100.

About a sixth of them will change their passwords once a year – the rest never, if not forced to do it.

Fortt: I’m sure every computer user can relate to the problem. So what are people doing to adapt to the password crunch, aside from using the same ones over and over, and having their browsers automatically fill them in?

Fymat: Users, meaning end-users, can’t do that much more than what you just mentioned. Organizations, on behalf of users, can implement policies and software tools to ease the burden. One thing that users can do is, instead of making the passwords all the same, pick a common rule that generates complex passwords, and keep the rule private.

Fortt: What’s an example of that? I can’t imagine that helps the problem that I can’t remember the difference between my Gmail password and my Yahoo password.

Fymat: For example, let’s say I have an Outlook account, and my middle name is John. I might make a rule that is: 1st 3 letters of the application name + my middle name + 2 numbers of the month, so “outjohn11”.

Fortt: Aaahh ….

Fymat: And so, for salesforce.com, it could be saljohn11.

Fortt: So, given that there are solutions like those, what’s Passlogix’s philosophy on dealing with this problem?

Fymat: Well, since we develop software tools, our philosophy is that you need a tool that solves this problem. The reason is you need to solve “the whole problem” not just the password composition piece of it.

Fortt: So how do your tools attack it?

Fymat: Mainly, we do two things: 1) We remember people’s passwords so they don’t have to – we keep them in an encrypted directory or database entry. And 2) we automatically type them into the application so users don’t have to. Of course, we do more than that. We automatically change them, we automatically learn them from the administrator, etc.

Fortt: Do people have to be connected to their corporate networks for the solution to work?

Fymat: No. Our software will work when online, or disconnected, such as on a laptop in a plane.

Fortt: On the surface, it seems that any password aggregation solution like this inherently compromises security. The more unique authentication factors the better, right? How do you answer that criticism?

Fymat: Yes, you’re right, on the surface, it seems that I’ve aggregated everything underneath one “key to the kingdom,” and created a central point of weakness. However, under the surface, it gets much more interesting. If we look at what users are already doing, they are already making their passwords the same everywhere they can. So in fact, if I have 10 applications with a user doing this, I still only need to crack one password to gain access to many, if not all 10 of the applications.

Also, if you look at the actual math behind it, it’s even more interesting. For a user who picks an eight-character password, all letters, a hacker basically has 52 ^ 8 attempts to make to crack the password (actually 1/2 that if it’s random). So if he has to crack 10 passwords, it’s 10 x 52 ^ 8.

If I put everything under a software tool such as ours, we can raise the length and complexity to say 15 characters per application, which is much, much more difficult to crack. And the one remaining password, tell users it needs to be say, 10 characters, letters and numbers. That’s:

(52 + 10) ^ 10 = 62 ^ 10 combinations vs. 52 ^ 8

The bottom line is, it’s hundreds of times more difficult to crack. A hacker won’t bother.

Fortt: So you’re saying it is a key to the kingdom, but it’s more difficult to crack by orders of magnitude.

Fymat: Yes. Of course, some companies still aren’t convinced. So, they put a smart card or biometric as the key to their kingdom.

Fortt: I’m still playing devil’s advocate (because that’s what we’ve got to do in security conversations, right?). Unless companies do what you mention, and combine your solution with a smart card or biometric system, it seems like they’re opening themselves to hackers who might use social engineering to figure out that 15-character key.

Fymat: Social engineering is equally applicable in both scenarios. And now that you ask the question, and I’m thinking about it, I’m not so sure it’s as easy in both. I can trick you into telling me your mother’s middle name, etc. But, how do I trick you into revealing a complex code that has no other use (e.g. to verify your credit card account, etc.)?

Fortt: It’s tougher to do, true. But the real hacker pros have built their reputations on figuring out exactly that. Kevin Mitnick is a prime example.

Fymat: Yes, it’s true. Any knowledge-based authentication has this risk. You can mitigate against it with frequent password changes, detecting patterns in who’s logging on where, etc.

It often becomes a discussion of how much security increase are you looking for vs. how much do you want to spend?

Fortt: Does your solution help detect those patterns? It seems that simplicity is at the core of the Passlogix pitch, and passwords and pattern detection could add a lot of complexity unless they’re implemented right.

Fymat: We can correlate logon events and logon failure attempts for those applications we log on to, but in our case, we trust the front door logon (which is typically your logon to Windows), so we don’t really track that. That’s for the Windows security monitoring tools to do.

Fortt: Well, we can only hope that Windows security is a lot better in the latest Vista release. A lot of people feel like “Windows security” is a bit of an oxymoron.

Fymat: Yes, we hear that all of the time. We do need to keep in mind however, that even with a password-based “key to the kingdom,” we are typically still increasing the overall strength of all password-based logons significantly: application passwords are complex and no longer known by the user and the main Windows password can be longer and changed more frequently. In the “real world” the hacker’s job becomes much, much more difficult.

Fortt: Indeed, a pragmatic approach. What future directions is Passlogix thinking about, as it tries to simplify the security problem for businesses?

Fymat: We have several directions we are currently pursuing.

First is bridging strong authentication to all legacy applications. Many companies want to use smart cards, biometrics, RFID badges, etc. as the sign-on to the network and the applications. To implement that within the applications, you’d have to rip them open and recode them to accept that authentication. However, we who specialize in logging on to all applications (called enterprise single sign-on, by the way), can accept that strong authentication as the front door, and transparently bridge that to all of the applications – mapping that strong authenticator to the legacy ID/password if you will.

Second is deeper integration with what are called identity management solutions.

Fortt: Can you define “identity management solutions” for the layman?

Fymat: Identity management is concerned with a user’s identity and how it maps to all of the different IDs/passwords they have, allowing companies to automate creation/termination of application access from one central point. The problem is, how do you know which user has what access? The answer is that we do, since we collect all that information from the users. So, we are a natural complement.

A third area where we are focusing is “credential management systems,” or in more conventional language, how to easily issue and revoke smart cards, RFID badges, etc. from users from one central point.

Fortt: So basically, you’re trying to create a control panel from which businesses can see who has access to what, and turn privileges on and off?

Fymat: We, together with “identity management” vendors, are doing that, yes. So for us, those vendors are typically IBM, Oracle, Sun and BMC.

Fortt: How long do you think it will be before we’ve got a truly great system for centrally managing passwords?

Fymat: Well, I’d say that we, Passlogix, have it today. Of course, we continue to improve our products. However, I will tell you, in all forthrightness, that the question of what is the “killer” strong authentication device is still up for debate.

Fortt: Well, it’s been a fun chat about the challenges, and I’ll be watching Passlogix to see what else you come up with!