IoT
News
News
2/25/2004
02:55 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

The Password Is: Liability

A new report says passwords are the weakest link in business IT; a Microsoft-RSA partnership aims to offer help.

Passwords are the weakest link in enterprise IT. That's the message in a new report citing the security risks faced by business travelers, as well as from RSA Security Inc. and Microsoft as they unveiled RSA SecurID tokens to simplify and secure Windows logins.

In a report for network-security company Secure Computing Corp., security consultant Rodney Thayer found that business travelers run a risk of compromising their company networks when they use public Internet access points.

"There really is a risk. There are a lot of opportunities for people to gain your password," Thayer says in the report, "Remote Insecurity: How Business Travelers Risk Exposing Their Companies When Remotely Accessing Company Networks."

At an airport Internet kiosk, for example, he suggests that an attacker could install a keyboard sniffer to capture all keystrokes entered in a hidden file. Such programs are freely available over the Internet and can be easily downloaded and installed.

Thayer also tested the security at a coffee shop with commercial wireless Internet access. He says that by using available software, an attacker could capture password data, use a keyboard sniffer to capture keystrokes, or simply "shoulder surf"--watch as a user enters his or her password.

While Thayer cannot attribute specific security breaches to such tactics, he says he's aware of numerous incidents that can't be explained by anything but stolen passwords. "This isn't a risk that can be ignored," he says.

With password resets comprising 40% of help-desk calls, according to RSA, a move toward something more secure and less costly for companies starts making sense. Users frustrated with monthly password changes probably won't object.

The RSA SecureID tokens add an extra step for security: Instead of typing in only a password, users of the tokens also must enter a random number that appears on their so-called SecureID, a key-chain fob or plastic card they carry with them. The number changes every minute, generated by an algorithm that also resides on a server inside a company's computing center.

The tokens, which stem from an Microsoft-RSA agreement disclosed Tuesday at RSA's annual security conference in San Francisco, would protect Windows-based computers with the token scheme, whether they're portable or attached to a company network.

"Despite highly publicized corporate security breaches caused by individuals who have circumvented password systems," RSA Security president and CEO Art Coviello said in a statement, "many companies still rely on them for user access to desktops and the network domain."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for InformationWeek Newsletters
White Papers
Current Issue
Top IT Trends to Watch in Financial Services
IT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of July 17, 2016. We'll be talking with the InformationWeek.com editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.