Boardroom
Aladdin Knowledge Systems

THE PROBLEM WITH PASSWORDS
Yanki Margalit
Chairman and CEO
Aladdin Knowledge Systems, Ltd. (Nasdaq:ALDN)

Security in general – and the authentication of users in particular – are critical components in enabling business and protecting sensitive corporate information. Today, passwords are the primary tool for user authentication – a term which essentially means “are you who you say you are?”

Once, access to important applications was given via passwords as easy as open sesame. But in the Internet age, granting access via phrases can be the harbinger of bad news.

Why a Password Isn't Good Enough
Unfortunately, passwords come with their own set of issues. Passwords can be easily stolen, lost, shared or cracked. Due to the need to manage multiple passwords and to ensure the effectiveness of passwords used, organizations have adopted stringent password policies. This has translated into more complex passwords and consequently, made them more difficult to remember. “Passwords remain a fundamental security weakness," Gartner wrote in a recent report on system security, noting that this was "regardless of the strength of the password policy.”

(Gartner Report, “Assess Authentication Methods for Strong System Security," August 2004)

The human factor plays a major role in password effectiveness. ATMs, the web, cell phones, PCs – the need to authenticate never ends. To cope, users are writing their passwords down, leaving them lying around here and there, or using obvious passwords. It comes as little surprise that for his/her computer alone, a typical user can have more than ten passwords! In any case, chances are that most computer users are actually compromising the security they were meant to improve – rather than being the guardian of the gateway they once were, passwords today frequently become the key to unsecured access.

And that's without considering the crackers. Whether for kicks, or for profit, they're out there, looking for ways in. As Gartner boldly put it in another recent report, "Passwords are no longer good enough for PC security." Computer capabilities have advanced so much, they say, that what once were "strong passwords" are now falling victim to "inexpensive computer cracks."

One method of password cracking is called a “brute force” or “dictionary” attack. In this type of attack, a computer runs all possible password combinations until it finds one that matches the password's "hash," or the signature into which it has been encoded and encrypted.

A lost or stolen PC or laptop can give crackers access to a lot more than just what is on that specific computer. Gartner notes that it is a real possibility for crackers to extract administrator passwords from PCs, theoretically opening access to other systems within the IT infrastructure.

Another issue is cost. Not only are passwords unsecure, they are also expensive to manage. Dealing with a user forgetting his/her password(s) may seem minor, but in actuality, it is no matter of chump change – a 1,000 employee organization can spend $150,000 a year or more on password-related help desk calls.

So, What's a Security-Minded Enterprise to Do?
There are, according to Gartner, two basic recommendations for increasing security while reducing password issues:

Utilize Strong 2-Factor Authentication: Combine passwords or PINs with another authentication method, such as a hardware token.

Implement Password Management: Avoid or at least alleviate technical and procedural weaknesses by using a comprehensive password management system.

(Gartner Report, “Assess Authentication Methods for Strong System Security,” August 2004)

When we say strong authentication, what exactly is it that we're talking about?
Authentication itself is composed of two steps: a user asserts his identity, by providing a user name or other ID; then, the user provides authenticating information, such as a password, which the system recognizes.
 

But authenticating information does not necessarily have to be in password form, though that is most commonly used. Following are the common “factors” of authentication:

        • Something you know – e.g., a password or PIN.

        • Something you have – e.g., an ATM card, smart card, or hardware token.

        • Something you are — e.g, fingerprint or voiceprint (also known as biometrics).

Strong authentication, then, is the end-result of a combination of two or more of the above methods, dramatically improving network security.

For enterprise security, the most popular and effective form of strong authentication has come from hardware tokens. The first generation of these tokens, developed in the 80’s, consisted of small devices that generated a constantly changing password. These traditional tokens are known as one-time password (OTP) tokens.

As the needs of enterprises to support multiple applications and more complex environments has grown, traditional OTP tokens no longer are sufficient for many needs. Many organizations are moving to Public Key Infrastructures (PKI), which provide an advanced framework for both protecting the integrity of the organization’s data, and also offer digital signatures for trusted e-business and e-commerce.

The next generation of hardware tokens includes USB smart cards or tokens, which offer the same security benefits as traditional smart cards, but without requiring readers, as they simply slip into a computer's USB port. These innovative tokens are being adapted by companies around the world, since with one device and one infrastructure they can support their business and security objectives – whether it’s secure remote access for employees; logging securely on to the network; secure access to web portals for partners and customers; ensuring that data on a laptop is safe from prying eyes, and much more.

By implementing strong user authentication solutions, companies enable their customers, partners, and employees to boost their productivity by using business applications wherever they are – in the office, at home, or on the road.

>>Aladdin Archive
 

Yanki Margalit is the founder, chairman and chief executive officer of Aladdin Knowledge Systems, Ltd. In 1984, he designed and developed several products in the areas of artificial intelligence and software security, founding Aladdin to market them.

Mr. Margalit then introduced HASP, a system offering software protection without inconveniencing legitimate users. In 1993, Mr. Margalit took Aladdin public on the NASDAQ stock exchange, and in 1996 he brought about the merger of Aladdin with FAST Software Security in Germany. Aladdin acquired eSafe Technologies in 1998 and Preview Systems in 2001.

Today, Aladdin is a global leader in the software and Internet security market, living up to its mission of "Securing the Global Village." Visit the Aladdin website at www.Aladdin.com to learn about Aladdin products and how you can use them to protect yourself and your organization.