Main Menu
Network
Sponsor
Top 10 Sites
Partners
|
|
Top Submit newsSubscribe 
Communication | Computer Crime | Digital Audio, Video, Photo | General News | Hardware | Internet | Mobile | PDA | Security | Software | Vulnerability |
Previous articleBack to news listNext article
| Sponsored links | Want to become one of our authors and see your work published on ALLSeek.iNFO ?
| | Bug Watch: The primitive problem of passwords |
|---|
Categorie: Computer Crime
Posted: 2002-10-14 by Gmtech
Views: 531
Source: Click here
| Current Rating: Not rated
|
| | Details |
|---|
Recent security breaches have highlighted the inadequacy of passwords as a means of securing sensitive information, says Baltimore's Stephen Byrne
Each week vnunet.com asks a different expert from the antivirus world to give their views on recent virus and security issues, with advice, warnings and information on the latest threats.
This week, Stephen Byrne of Baltimore Technologies argues that recent security breaches have highlighted the inadequacy of passwords as a means of securing sensitive information.
Whether verbally exchanged with a security guard to gain access to a room, or typed in conjunction with a username to gain access to an IT resource, passwords have served us well for hundreds of years.
However, recent security breaches have shown the inadequacy of passwords as a means of securing sensitive information and may prove to be the final nail in the coffin.
In early August, BT Openworld admitted that its helpdesk had allowed users to bypass security checks and gain passwords for other peoples' accounts.
More recently, at the Fort Hood army base in Texas, one security firm was able to access the networks of other military bases and civilian agencies, including Nasa. Incredibly in this case, where security should be paramount, access was gained because many users were choosing the word 'password' as their password!
As well as damaging the reputation of the organisation, such employee negligence results in a lack of consumer confidence in the internet.
The idea seems simple enough: each person has their own password corresponding to their username (and thus their privileges on the system). But if we apply some security rules it starts to get complicated.
Are users allowed to select their own password? Is the password complex enough not to be guessed, or is it vulnerable to a dictionary attack? Is it changed regularly?
Nowadays, such issues are addressed by the network operating system (OS) and relatively easy for administrators to implement - but there are still some outstanding issues that the OS cannot address.
How do you prevent users from writing their passwords on a piece of paper? What happens when they forget their passwords? How do you ensure that the confidentiality of customer passwords is maintained?
It would seem that passwords are far too reliant on employees behaving responsibly. And we all know how unreliable employees can be.
These issues are tricky enough to manage on a closed enterprise network, but when your user community is an open internet-based group, you've got problems - as illustrated by the examples above.
If organisations insist on using passwords - and for many small, low-security examples they may suffice - they must ensure that security policies are clearly communicated and employees are educated on the implications of negligence.
Apart from the management issues, one could also question the strength of using username/password as a security tool. Unless a password is over eight characters long with a combination of capitals and alphanumerics, it cannot be regarded as strong authentication - not even adequate.
It all boils down to the fact that passwords are a single-factor method of authentication. If you have knowledge of the password, you can impersonate the user.
Two-factor authentication requires possession of something as well as knowledge of something, providing a much stronger form of authentication. There are many varieties of two-factor authentication, including SecureID or Digipass.
However, the best solution to the problem of effective strong authentication lies in the use of Public Key Infrastructure (PKI) technology and digital certificates.
Digital certificates provide a way of positively identifying users and are inherently supported by many applications and platforms in general use today.
Most importantly, the use of digital certificates offers vastly simplified - and therefore more cost-effective - administration processes when dealing with large numbers of users, particularly when these include users other than an organisation's own staff.
Combining digital certificate-based strong authentication with appropriate access control and authorisation technologies ensures that the right people have the right privileges, protecting both the organisation's resources and its reputation.
Digital certificates also provide control for revoking credentials in the event of a user moving or leaving an organisation. Revocation can be carried out by the individual themselves, or centrally by an administrator.
The provision of these credentials can also be integrated into identity management systems for issuance of certificates, whether on smartcard, USB token or mobile phone.
The cost and complexity of implementing and managing PKI and digital certificate infrastructures are continuing to fall.
Such security systems are no longer a luxury restricted to large financial or governmental organisations but are fast becoming realistic options for smaller organisations across all industry sectors.
As well as keeping networks secure, stronger security systems will protect the reputation of organisations and build trust in the internet.
| | Syndication |
|---|
Permalink Email this
The URI to TrackBack this entry is:
http://allseek.info/news/trackback.php?id=65
| | User comments (post your comments ) |
|---|
Only registerd members can post comments and articles
|
| Previous articleBack to news listNext article
|
|
|
|
InterJOB.su
|
