Password imperfect

Microsoft is leading by example in its push to ease the security risks posed by passwords.

For years, Microsoft has hammered away at the security flaws in its desktop operating system. Now the company is looking to plug another security hole: weak passwords.

People tend to choose easy-to-remember passwords--which means they're easy to crack. Even complex passwords can be stolen. They've moved from a security measure to a security risk, says Microsoft Chair Bill Gates, who for the past year has been publicly urging customers to stop relying on passwords.

Last month, the software giant set an example for those customers when it kicked off a big push to adopt a second security measure for its internal networks: smart cards for every employee. By the end of 2005, tens of thousands of telecommuting Microsoft employees will be issued the cards, which will be required to log on to the company's networks.

News.context

What's new:
Microsoft is giving telecommuting employees smart cards to alleviate the security risks of weak passwords on its internal networks.

Bottom line:
It's not the first time Microsoft has got behind smart cards for security. But this time, factors such as compliance and the Sept. 11 attacks mean companies are sold on security.

More stories on this topic

"Moving to biometric and smart cards is a wave that is coming, and we see our leading customers doing this," Gates told attendees at the IT Forum in Denmark last month. "In time, we will completely replace passwords."

This isn't the first time Microsoft has got behind smart cards as a second line of protection for businesses. But this time, companies have already been sold on security. Organizations have been made more aware of the danger of passwords by a new set of concerns, such as the terrorist acts of Sept. 11 and Enron-inspired regulations that require companies to account for information security.

To help lock down their networks, many companies are moving to centralized servers for handling the authorization of people attempting to access a network--whether employees entering a corporate system or shoppers logging in to an e-commerce site. These identity management systems make network management more simple, but they also put the most valuable network data in a single place--guarded by a password.

A simple system of a log-on name and a password, no matter how complex, cannot guarantee that an unauthorized user will be prevented from getting access to critical systems.

Passwords chosen by an individual are generally very easy for a machine to guess. Common variations are: a word followed by numbers, two words together, or a word with a number replacing a letter. All can be broken within minutes by the latest password-cracking programs.

Doubling down on security

The smart card Microsoft is adopting is not the only option for companies looking to add security to their network login.

Smart card
What: A plastic card, similar to a credit card, that contains a chip. The chip holds information and restricts access to only those with the proper personal identification number.

Pro: Can be used for access to both buildings and networks.

Con: Cards could be forgotten or stolen; readers and cards cost money.

USB token
What: A key fob with a USB attachment that carries security information using memory technology similar to that found in a smart card.

Pro: Low-cost, because modern computers all come with a USB port.

Con: Tokens could be forgotten or stolen; not all USB ports are easy to access; only good for computer and network access.

Password generator
What: A matchbox-size device that generates a sequence of numbers acting as a one-time password.

Pro: No connection to PC needed.

Con: Device could be forgotten or stolen; requires user to input the mathematically generated sequence; only good for computer and network access.

Biometric reader
What: Technology based on a human trait that can be used to identify a person, most often a fingerprint.

Pro: Biometrics cannot be forgotten or stolen; can be used for building and network access.

Con: Expensive to deploy; recognition problems can occur.

Source: CNET News.com

"Any password that we can expect people to remember can be brute-forced," said Bruce Schneier, chief technology officer for Counterpane Internet Security and author of several books on security.

Consumers are worried as well. Phishing attacks--scams that use e-mail messages and fake Web sites to fool victims into giving up personal information--will likely cost home users between $150 million and $500 million, according to two estimates.

In addition, surveys of home PCs have found as many as 80 percent infected with spyware--software that surreptitiously reports on a computer user's habits and data.

Both trends highlight a major problem with passwords: Even the best password can be stolen. A digital thief armed with the password would likely appear to be the legitimate system user.

The solution, security experts say, is to use two checks to protect systems--what's known as two-factor authentication. This combines a security device that people need to keep with them--such as a smart card--with a password or secret personal identification number, or PIN, to protect against unauthorized access.

Such security is routinely used by the military and by government agencies.

The U.S. Department of Defense has rolled out a Common Access Card to most personnel, and the Transportation Security Administration has started prototyping its Transportation Workers Identity Card and hopes to have the smart cards issued to 200,000 cargo and transportation workers by June 2005.

In its case, Microsoft hopes to tackle the insecurities posed by more than 60,000 employees and contractors who connect to its network through 175 different remote access points worldwide. That kind of

Featured Video
6
This content is rated TV-MA, and is for viewers 18 years or older. Are you of age?
Sorry, you are not old enough to view this content.

The new Moto 360 looks more like a watch than a smartwatch

CNET's Dan Graziano gives you a first look at the brand new Moto 360.

by Dan Graziano