Answers to the trouble with passwords

One of the biggest problems with passwords is that secure ones seem hard to remember, need to be changed often, and should be phrases with numbers and symbols instead of just single words that can be found in a dictionary. Many organizations have a culture where the IT department has been instructed to allow users to keep insecure passwords. Rather than fight this battle, consider using two-factor authentication: something the user has plus something they know. For example, www.phonefactor.net uses an out-of-band signaling strategy for users when they log in. The user enters a username and password (something they know), and then your system calls their phone (something they have) to have them enter a PIN. That way, for someone to impersonate a user, they would have to know the user’s username and password, and also have the user’s mobile phone. This is a very economical way to strengthen password-based logins, especially if your organization’s culture dictates using simple passwords.
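The login flow described above, sketched as an added example (not PhoneFactor's code or API): `OutOfBandLogin`, the `place_call` telephony hook, the 60-second window and the three-try limit are all assumptions made for illustration. It shows that the password alone never completes a login, and that the phone challenge is single-use, expires, and locks after repeated wrong PINs.

```python
import hashlib, hmac, os, time

PENDING_TTL = 60     # assumed: seconds a phone challenge stays valid
MAX_PIN_TRIES = 3    # assumed: wrong PINs allowed before the challenge is dropped

def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class OutOfBandLogin:
    def __init__(self, place_call):
        self.users = {}               # username -> (salt, pw_hash, phone, pin_hash)
        self.pending = {}             # token -> [username, expires_at, tries_left]
        self.place_call = place_call  # hypothetical hook that rings the phone

    def enroll(self, username, password, phone, pin):
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(password, salt), phone, _hash(pin, salt))

    def start(self, username, password, now=None):
        """Factor 1 (something they know): check the password, then ring the phone."""
        now = time.time() if now is None else now
        user = self.users.get(username)
        salt = user[0] if user else b"\0" * 16   # hash anyway so unknown users cost the same
        ok = hmac.compare_digest(_hash(password, salt), user[1] if user else b"")
        if not (user and ok):
            return None                          # no call is placed on a bad password
        token = os.urandom(16).hex()
        self.pending[token] = [username, now + PENDING_TTL, MAX_PIN_TRIES]
        self.place_call(user[2])                 # out-of-band channel: the enrolled phone
        return token

    def finish(self, token, pin_from_phone, now=None):
        """Factor 2 (something they have): PIN keyed in on the call, not in the browser."""
        now = time.time() if now is None else now
        entry = self.pending.get(token)
        if entry is None or now > entry[1]:
            self.pending.pop(token, None)        # unknown, already used, or expired
            return False
        salt, _, _, pin_hash = self.users[entry[0]]
        if hmac.compare_digest(_hash(pin_from_phone, salt), pin_hash):
            del self.pending[token]              # single use
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self.pending[token]              # too many wrong PINs: start over
        return False
```
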

Other options include having the users carry secure USB tokens that plug into their computer much the way a user would start their car with a car key. Examples include www.aladdin.com/etoken and www.everythingusb.com/guard_id_vault.html.

Additionally, you could choose to use an RSA SecurID device (www.rsasecurity.com), a biometric fingerprint reader, or a smart card two-factor authentication device.

Another interesting product is the iTag from www.encentuate.com, which lets you stick a tag on whatever your users carry with them now: an ID badge, their mobile phone, etc. This product provides the single sign-on features many organizations crave. For example, single sign-on allows users to log into more than one operating system in just one step.


1 Comment

  • Evan May 2, 2008 at 2:35 pm

    Thanks for the mention. I just wanted to point out that there is a serious working version of PhoneFactor two-factor authentication available completely for free. It can be downloaded at http://www.phonefactor.com. We even make the phone calls so that there are no telecom charges for most locations. Thanks again and feel free to send any questions our way.

    Evan Conway
    Positive Networks – PhoneFactor
