The Password Is: Liability

A new report says passwords are the weakest link in business IT; a Microsoft-RSA partnership aims to offer help.

Thomas Claburn, Editor at Large, Enterprise Mobility

February 25, 2004

2 Min Read

Passwords are the weakest link in enterprise IT. That's the message in a new report citing the security risks faced by business travelers, as well as from RSA Security Inc. and Microsoft as they unveiled RSA SecurID tokens to simplify and secure Windows logins.

In a report for network-security company Secure Computing Corp., security consultant Rodney Thayer found that business travelers run a risk of compromising their company networks when they use public Internet access points.

"There really is a risk. There are a lot of opportunities for people to gain your password," Thayer says in the report, "Remote Insecurity: How Business Travelers Risk Exposing Their Companies When Remotely Accessing Company Networks."

At an airport Internet kiosk, for example, he suggests that an attacker could install a keyboard sniffer to capture all keystrokes entered in a hidden file. Such programs are freely available over the Internet and can be easily downloaded and installed.

Thayer also tested the security at a coffee shop with commercial wireless Internet access. He says that by using available software, an attacker could capture password data, use a keyboard sniffer to capture keystrokes, or simply "shoulder surf"--watch as a user enters his or her password.

While Thayer cannot attribute specific security breaches to such tactics, he says he's aware of numerous incidents that can't be explained by anything but stolen passwords. "This isn't a risk that can be ignored," he says.

With password resets comprising 40% of help-desk calls, according to RSA, a move toward something more secure and less costly for companies starts making sense. Users frustrated with monthly password changes probably won't object.

The RSA SecureID tokens add an extra step for security: Instead of typing in only a password, users of the tokens also must enter a random number that appears on their so-called SecureID, a key-chain fob or plastic card they carry with them. The number changes every minute, generated by an algorithm that also resides on a server inside a company's computing center.

The tokens, which stem from an Microsoft-RSA agreement disclosed Tuesday at RSA's annual security conference in San Francisco, would protect Windows-based computers with the token scheme, whether they're portable or attached to a company network.

"Despite highly publicized corporate security breaches caused by individuals who have circumvented password systems," RSA Security president and CEO Art Coviello said in a statement, "many companies still rely on them for user access to desktops and the network domain."

About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights