December 9, 2004 4:00 AM PST

Password imperfect

For years, Microsoft has hammered away at the security flaws in its desktop operating system. Now the company is looking to plug another security hole: weak passwords.

People tend to choose easy-to-remember passwords--which means they're easy to crack. Even complex passwords can be stolen. They've moved from a security measure to a security risk, says Microsoft Chair Bill Gates, who for the past year has been publicly urging customers to stop relying on passwords.

Last month, the software giant set an example for those customers when it kicked off a big push to adopt a second security measure for its internal networks: smart cards for every employee. By the end of 2005, tens of thousands of telecommuting Microsoft employees will be issued the cards, which will be required to log on to the company's networks.

News.context

What's new:
Microsoft is giving telecommuting employees smart cards to alleviate the security risks of weak passwords on its internal networks.

Bottom line:
It's not the first time Microsoft has got behind smart cards for security. But this time, factors such as compliance and the Sept. 11 attacks mean companies are sold on security.


"Moving to biometric and smart cards is a wave that is coming, and we see our leading customers doing this," Gates told attendees at the IT Forum in Denmark last month. "In time, we will completely replace passwords."

This isn't the first time Microsoft has got behind smart cards as a second line of protection for businesses. But this time, companies have already been sold on security. Organizations have been made more aware of the danger of passwords by a new set of concerns, such as the terrorist acts of Sept. 11 and Enron-inspired regulations that require companies to account for information security.

To help lock down their networks, many companies are moving to centralized servers for handling the authorization of people attempting to access a network--whether employees entering a corporate system or shoppers logging in to an e-commerce site. These identity management systems make network management simpler, but they also put the most valuable network data in a single place--guarded by a password.

A simple system of a log-on name and a password, no matter how complex, cannot guarantee that an unauthorized user will be prevented from getting access to critical systems.

Passwords chosen by an individual are generally very easy for a machine to guess. Common variations are: a word followed by numbers, two words together, or a word with a number replacing a letter. All can be broken within minutes by the latest password-cracking programs.
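As an added illustration (not part of the article), a password-policy screen that flags the three guessable shapes named above, plus a bare dictionary word, against a constructed ten-word list standing in for the dictionary a cracking program would try first:

```python
import re

# Constructed stand-in for a real cracking dictionary (tens of thousands of
# entries in practice); any word here is assumed to fall in seconds.
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "admin",
                "letmein", "monkey", "secret", "football", "sunshine"}

# Digit/symbol-for-letter swaps that cracking rules undo automatically.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def is_word(s: str) -> bool:
    return s in COMMON_WORDS


def weak_pattern(password: str):
    """Name the first guessable pattern the password matches, or None.

    Patterns follow the article: a word plus trailing digits, two words run
    together, a word with letters swapped for digits/symbols, and (implied)
    a bare dictionary word.
    """
    p = password.lower()
    if is_word(p):
        return "plain-word"                       # e.g. "password"
    # A dictionary word followed by digits ("summer2004").
    stem, digits = re.fullmatch(r"(.*?)(\d*)", p).groups()
    if digits and is_word(stem.translate(LEET)):
        return "word+digits"
    # Two dictionary words concatenated ("dragonmonkey").
    for i in range(1, len(p)):
        if is_word(p[:i]) and is_word(p[i:]):
            return "two-words"
    # A word with digits or symbols substituted for letters ("p@55w0rd").
    undone = p.translate(LEET)
    if undone != p and is_word(undone):
        return "leet-substitution"
    return None


def policy_accepts(password: str, min_length: int = 12) -> bool:
    """Reject short passwords and any that match a guessable pattern."""
    return len(password) >= min_length and weak_pattern(password) is None
```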

Doubling down on security

The smart card Microsoft is adopting is not the only option for companies looking to add security to their network login.

Smart card
What: A plastic card, similar to a credit card, that contains a chip. The chip holds information and restricts access to only those with the proper personal identification number.

Pro: Can be used for access to both buildings and networks.

Con: Cards could be forgotten or stolen; readers and cards cost money.

USB token
What: A key fob with a USB attachment that carries security information using memory technology similar to that found in a smart card.

Pro: Low-cost, because modern computers all come with a USB port.

Con: Tokens could be forgotten or stolen; not all USB ports are easy to access; only good for computer and network access.

Password generator
What: A matchbox-size device that generates a sequence of numbers acting as a one-time password.

Pro: No connection to PC needed.

Con: Device could be forgotten or stolen; requires user to input the mathematically generated sequence; only good for computer and network access.

Biometric reader
What: Technology based on a human trait that can be used to identify a person, most often a fingerprint.

Pro: Biometrics cannot be forgotten or stolen; can be used for building and network access.

Con: Expensive to deploy; recognition problems can occur.

Source: CNET News.com

"Any password that we can expect people to remember can be brute-forced," said Bruce Schneier, chief technology officer for Counterpane Internet Security and author of several books on security.

Consumers are worried as well. Phishing attacks--scams that use e-mail messages and fake Web sites to fool victims into giving up personal information--will likely cost home users between $150 million and $500 million, according to two estimates.

In addition, surveys of home PCs have found as many as 80 percent infected with spyware--software that surreptitiously reports on a computer user's habits and data.

Both trends highlight a major problem with passwords: Even the best password can be stolen. A digital thief armed with the password would likely appear to be the legitimate system user.

The solution, security experts say, is to use two checks to protect systems--what's known as two-factor authentication. This combines a security device that people need to keep with them--such as a smart card--with a password or secret personal identification number, or PIN, to protect against unauthorized access.
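An added example, not from the article or from Microsoft: a server-side verifier that combines a PIN (something you know) with codes from a counter-based one-time-password device like the "password generator" in the sidebar above (something you have). It assumes the device computes the HMAC-based code later standardised as RFC 4226, and uses that RFC's published test seed so the codes can be checked; the look-ahead window, lockout threshold and PIN "4711" are constructed values.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time code from a shared seed and a moving counter (RFC 4226).

    Assumed here to be what the token in the user's pocket displays each
    time its button is pressed; the server holds the same seed.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TwoFactorVerifier:
    """Server-side record for one user: salted PIN hash plus token seed
    and the next counter value the token has not yet used."""

    def __init__(self, pin: str, seed: bytes, look_ahead: int = 5,
                 max_failures: int = 5):
        self.salt = os.urandom(16)
        self.pin_hash = self._hash_pin(pin)
        self.seed = seed
        self.next_counter = 0          # first code not yet accepted
        self.look_ahead = look_ahead   # tolerate button presses without login
        self.max_failures = max_failures
        self.failures = 0

    def _hash_pin(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def verify(self, pin: str, code: str) -> bool:
        if self.failures >= self.max_failures:
            return False               # administratively locked out
        # Factor 1: a wrong PIN fails closed and does not consume the code.
        if not hmac.compare_digest(self._hash_pin(pin), self.pin_hash):
            self.failures += 1
            return False
        # Factor 2: accept only a code at or ahead of the expected counter
        # within the window; a code already used is a replay and is refused.
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.next_counter = c + 1   # burn this and any skipped codes
                self.failures = 0
                return True
        self.failures += 1
        return False
```

A stolen code is useless after one use, and a stolen PIN is useless without the token's seed, which is the property the article's experts are after.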

Such security is routinely used by the military and by government agencies.

The U.S. Department of Defense has rolled out a Common Access Card to most personnel, and the Transportation Security Administration has started prototyping its Transportation Workers Identity Card and hopes to have the smart cards issued to 200,000 cargo and transportation workers by June 2005.

In its case, Microsoft hopes to tackle the insecurities posed by more than 60,000 employees and contractors who connect to its network through 175 different remote access points worldwide. That kind of


7 comments
Too complex
by December 9, 2004 5:36 AM PST
I think it costs too much and is too hard to implement a system like this. Having users use complex passwords and change their passwords more often is better. If you use randomly generated passwords from Quicky Password Generator or easier-to-remember ones from software like Password Inspiration, then your users will have secure passwords. Plus they won't have the expense of the smart card infrastructure.
Hype
by December 9, 2004 6:50 AM PST
The vulnerability of passwords is vastly overstated time and again by analysts pointing out how easily a fast machine can guess passwords. That's true - with the speed of contemporary machines, even a brute force crack is quite feasible. But it is also the easiest thing in the world to prevent. Password policies that screen common words and variations on personal data, and then administratively lock out a password after a number of failed attempts make even modestly complex passwords secure against "cracking."

The real weakness of passwords is that people write them down in obvious places, thus subjecting them to visual theft, or share them with family or colleagues, thus compromising the system. Smart cards address this by forcing people to retain possession of a physical token. While arguably more secure in most respects, it raises its own issues, including theft of cards or card contents, and for the forgetful, unintentional lockouts when they don't have their card with them.
Password manager is the answer
by December 9, 2004 7:34 AM PST
A simple, low-cost solution is the use of password managers, which are capable of generating complex passwords when users need to fill out sign-up forms. Then they track password usage and fill them in when needed with a built-in form filler. Some (see http://www.protecteer.com for one) are even capable of protecting against phishing scams.
Password managers do not require any infrastructure changes and are easy to deploy.
Smart Cards are Nice
by David Arbogast December 9, 2004 8:08 AM PST
Our organization is in the process of rolling out more than 100,000 smart cards to employees companywide. I, for one, think that they are great. With a single-sign-on solution at the office, the smart card practically eliminates the need for employees to create, change, or remember usernames and passwords. Since we carry ID cards anyhow, and use them to access various buildings, the integration of the "smart" chip was logical and created no additional carry requirements. Security is enhanced, and users have less responsibility. I would encourage others to look into similar solutions.
bleh
by December 10, 2004 3:26 PM PST
In the end I doubt these cards will make much headway. It is an expensive proposition that has yet to be proven more secure than using passwords properly.

I am sure these cards will replace passwords on a wide scale, right after MS secures its products, which clueless Bill thinks will happen in the next 2 years. Ha!
Won't make too much of a difference
by December 11, 2004 3:54 PM PST
Smart cards may be a step to slightly tighten security, but I would only recommend them for companies. Here are a few problems with them:

1. Most exploits in no way involve brute-forcing passwords, or getting them through social engineering. They simply exploit design flaws in programs running on the box.

2. Phishing will work just as well. Smart cards in no way stop phishing attacks, just change the information gathered. Instead of tricking you into typing in your password, phishers would just have you swipe your card.

3. Passwords are stored in your memory. Smart cards are stored in your wallet. Which one do YOU think is easier for potential crackers to obtain? Especially if it is an inside company job - the insider swipes the sysop's card, and owns the network.

hmmm... good thinking Gates.