Tag Archives: Password Management

On a first name basis

Here is an all too familiar tale of someone who penetrated a company’s email system because of lax passwords:

The message, he says, included the Web address to Sapphire’s e-mail server and the recruit’s new e-mail address and password. Goldenberg says he logged on as the recruit and quickly figured out the log-ons of three other employees. Like the recruit, they used their first name as part of their e-mail address – and as their password.


Cheap and easy

Mark Dixon has an excellent point in this post on why we still use passwords:

It was ease of use, not a technology-driven obsession with safety, that led to wide adoption of the seat belt.

I think we face the same thing with passwords. Intellectually, it is simple to understand why we should get rid of passwords. However, in practice, widespread adoption will be triggered more by ease of use than perception of safety. When an easier method for authentication emerges, people will adopt it – not because it is safer, but because it is easier. If that easier method is also more secure, voila! We will have achieved our desired result.

While I agree with Mark’s point, there is an important distinction that is not being made in this discussion: the difference between personal and professional accounts. And this distinction goes right to the heart of Mark’s argument.

For personal accounts (for example your Facebook, Yahoo, LinkedIn, or Twitter account) ease of use is the single biggest driver. People will not, in general, use another authentication technique that isn’t as easy as passwords. Actually it has to be easier than passwords by an order of magnitude or it won’t displace the incumbent technology. It also has to be understandable to the average user so they believe that it really is secure (one could argue this is really just another aspect of ease of use). Try explaining client certificate authentication to your grandmother if you don’t believe me.

Also, the sensitivity of the account really makes little difference. Most users won’t treat their on-line banking account any differently than their Facebook account. Bank of America offers a SecurID option for their on-line banking. That should be a no-brainer, right? I don’t have any numbers, but I would be shocked if they were getting anywhere north of 1% adoption of SecurID by their customers.

For professional accounts (your PC, enterprise resources, or hosted service account) ease of use is not the primary driver, cost is. Cost is understood by most enterprises to mean the monetary cost of your credential plus the measurable cost to support you using it. I used the word “measurable” for a reason. Most companies don’t care how hard it is for you to understand and use a specific authentication mechanism if you are a salaried employee. That cost is hidden to them. On the other hand the cost to the company for you to call the help desk if you have an authentication problem is measurable and tracked along with the cost to issue new credentials when needed.

For both personal and professional accounts, passwords rule the roost because they are easy to use, cheap to deploy, cheap to support, and easy to understand.

But if an authentication mechanism becomes popular that is cheap to deploy and support, it may have a chance to displace passwords for professional accounts.

Two important Passlogix announcements

Passlogix made two important announcements today.

[Full Disclosure: BMC is a Passlogix partner.]

First, they are jumping into the privileged account management business, but with a huge advantage. Passlogix can leverage their ESSO technology to present shared credentials to applications without displaying them to the user. Or at least the user can’t easily see the passwords. This is a better approach than competing products, which cough up the password in clear text for the end user to copy down and use.

Many IT departments view shared accounts as a necessary evil. No one likes it, but the alternatives are viewed as too painful. But with a product like this combined with a good password management product (like BMC Password Manager) to set passwords on non-AD systems, shared accounts can be managed in a more controlled fashion.

Second, Passlogix is easing the pain of needing desktop software for ESSO.

(Mirrored from TalkBMC)