02:55 PM
Connect Directly
Online Event: Top 4 DevOps Discoveries in 2015
Feb 25, 2016
As business technology becomes increasingly software-centric, optimizing the collaboration between ...Read More>>

The Password Is: Liability

A new report says passwords are the weakest link in business IT; a Microsoft-RSA partnership aims to offer help.

Passwords are the weakest link in enterprise IT. That's the message in a new report citing the security risks faced by business travelers, as well as from RSA Security Inc. and Microsoft as they unveiled RSA SecurID tokens to simplify and secure Windows logins.

In a report for network-security company Secure Computing Corp., security consultant Rodney Thayer found that business travelers run a risk of compromising their company networks when they use public Internet access points.

"There really is a risk. There are a lot of opportunities for people to gain your password," Thayer says in the report, "Remote Insecurity: How Business Travelers Risk Exposing Their Companies When Remotely Accessing Company Networks."

At an airport Internet kiosk, for example, he suggests that an attacker could install a keyboard sniffer to capture all keystrokes entered in a hidden file. Such programs are freely available over the Internet and can be easily downloaded and installed.

Thayer also tested the security at a coffee shop with commercial wireless Internet access. He says that by using available software, an attacker could capture password data, use a keyboard sniffer to capture keystrokes, or simply "shoulder surf"--watch as a user enters his or her password.

While Thayer cannot attribute specific security breaches to such tactics, he says he's aware of numerous incidents that can't be explained by anything but stolen passwords. "This isn't a risk that can be ignored," he says.

With password resets comprising 40% of help-desk calls, according to RSA, a move toward something more secure and less costly for companies starts making sense. Users frustrated with monthly password changes probably won't object.

The RSA SecureID tokens add an extra step for security: Instead of typing in only a password, users of the tokens also must enter a random number that appears on their so-called SecureID, a key-chain fob or plastic card they carry with them. The number changes every minute, generated by an algorithm that also resides on a server inside a company's computing center.

The tokens, which stem from an Microsoft-RSA agreement disclosed Tuesday at RSA's annual security conference in San Francisco, would protect Windows-based computers with the token scheme, whether they're portable or attached to a company network.

"Despite highly publicized corporate security breaches caused by individuals who have circumvented password systems," RSA Security president and CEO Art Coviello said in a statement, "many companies still rely on them for user access to desktops and the network domain."

Comment  | 
Print  | 
More Insights
Register for InformationWeek Newsletters
White Papers
Current Issue
How to Knock Down Barriers to Effective Risk Management
Risk management today is a hodgepodge of systems, siloed approaches, and poor data collection practices. That isn't how it should be.
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.