Want CNET to notify you of price drops and the latest stories?

Companies urged to move beyond passwords

Emerging threats mean that passwords are no longer an adequate means of authentication, Gartner analysts warn.

3 min read
Companies are "fiddling while Rome burns" by continuing to put their faith in passwords to guarantee user authentication, a Gartner analyst has warned.

Speaking at the Gartner IT Security Summit in London on Wednesday, Ant Allan said that "passwords are no longer adequate, as threats against them increase."

Those emerging threats are intimately linked to emerging technology such as Wi-Fi and Web services. As the usage of these services grows, more cybercriminals will attempt to exploit them. There is a business value in adopting new technology, but security needs to keep up, according to Gartner.

The increasing sophistication of attacks and the professionalism of cybercriminal gangs have led companies to make passwords longer, or to change them more frequently. "This is a bad idea," said Jay Heiser, a Gartner research vice president. "Users respond by forgetting passwords, or writing them down, which can compromise security in a different way."

The future of authentication is "something stronger," Allan said. "RSA security tokens, smart cards and biometrics are becoming increasingly popular. The problem with those methods is that they are expensive to implement," he said.

Some security experts have been urging companies to use two-factor authentication--where users present a second form of identification as well as their password--for some time, though not all agree it is the way forward. Security guru Bruce Schneier summed up many of the arguments against two-factor authentication in an interview earlier this year, saying: "People are selling two-factor authentication as the solution to our current identity-theft problems, but it was designed to solve the issues from 10 years ago."

"We are finding that European companies are more accepting of the higher cost of these solutions, while the U.S. back away because they don't want to burden users (with complex procedures)," Allan said.

Less-expensive solutions include mobile phone tokens for one-time password authentication, or ID cards.

Colin Thompson, vice president of enterprise sales at security company Aladdin, agreed that companies will need to start tying in some kind of physical ID with digital ID.

"To access your bank account, you need a bank card and PIN," he said. "If you lose that card, you know your security has been compromised. We need some kind of smart card or certification, because individual users in companies are still at risk.

"Two-factor authentication is the way forward. Once you're into a system, we need greater simplicity, though. No more different username and password for different sites."

The risk of passwords being compromised is becoming greater and greater because it's becoming easier to download tools that will crack them, said John Girard, another Gartner analyst.

"The 'Magical Jellybean' tool is downloadable, and will find your license key if you've lost it," he told the audience at the security summit, referring to a utility that is freely available over the Web.

"'Free Word and Excel password recovery wizard' enables you to crack passwords by brute force. It's good for shorter passwords. Longer passwords take about 16 hours, but if you really want to get in, you can," Girard warned.

The problem with most passwords is that there is nothing in the system to stop you looking again and again, so they are susceptible to brute force, Girard said.

Tom Espiner of ZDNet UK reported from London.