Passwords exposed: Users are the weakest link

Illena Armstrong discovers that the use of traditional passwords could be giving many organizations a false sense of security.

Walk around any office after closing time and a common feature will likely surface: the long lists of passwords that computer users must remember for daily tasks are handily tucked away under their keyboards for ready retrieval. It is a convenience for workers, but defeats the presumed security that passwords are supposed to offer companies to safeguard their digital assets.

This is one example of how company bosses have lulled themselves into a false sense of security by relying on the traditional user name and password paradigm, according to many experts. Technically-savvy individuals now have an impossible number of passwords to recall for access to professional and personal applications, so they either opt to keep written records or choose common words that are easily crackable. Security is also diminished when companies depend on their employees to protect data by changing their individual passwords regularly. According to a survey conducted on behalf of Rainbow Technologies, a whopping 89 percent of the 300 participants change their passwords just once a year.

Most organizations that have used the ID/password scheme for years will probably stick with it for a long time to come. Even now, experts estimate that between 80 and 95 percent of those playing in the corporate world still enlist passwords to protect their IT systems. Despite horror stories about breaches due to weak passwords, companies still cling to them, says David Lynch, vice president of product marketing for Rainbow Technologies.

"There's a high belief that passwords are secure. Until the emergence of the internet, passwords were protected by their environment," he says, but connecting the private corporate network to the very public internet makes corporate systems completely vulnerable. The main problem is that organizations fail to understand just how exposed they are, he adds.

Protecting your identities

The trick is convincing companies to develop a plan that creates a strong architecture to manage end-user identities, while also encouraging them to add other forms of two- or even three-factor authentication.

"The strength of passwords is flawed because people are involved. The human element is the weakest link to the password equation," says Andreas Faruke, head of Identity Management Services at Deloitte & Touche in Canada. As a result, anywhere between 25 and 50 percent of helpdesk calls relate to password resets. These calls cost as much as $30 per end-user, with the helpdesk receiving at least five calls per end-user every year. And, these costs fail to account for the downtime that occurs when users are locked out of systems for any length of time.

Saving money and reducing helpdesk calls is motivating companies to look at password management/synchronization tools, as well as identity management solutions that integrate password management features, says Faruke. "From our perspective, creating a strong, enterprise-wide security framework is the best way to go," he adds.

While password management solutions alone are good intermediate solutions, more comprehensive identity management systems put an over-arching corporate policy of control and security into practice, he explains, by establishing access rights and privileges for employees and replacing multiple passwords. This is achieved by consolidating user identities and their roles into a centralized repository that is integrated with existing and new applications and other business services.

Authorization, authentication, provisioning and de-provisioning are all controlled by IT through this centralized method, thereby providing the company with strong security. Many of the identity management solutions now on the market, he adds, have overcome interoperability and scalability issues. In addition, these often provide password self-management features that actually enforce password resets, and are flexible enough to operate with smartcards, tokens or biometrics for some or all access rights if a company desires, he says.

Putting it into practice

Flexibility with identity management solutions, the need to overcome vulnerabilities, and end-user convenience are reasons why Steve Devoti, ITS directory services manager for CUNA Mutual Group headquartered in Madison, WI, opted for identity management tactics.

"Security is all about managing risk, so you have to identify what you're trying to protect and then make appropriate decisions on whether ID/password is sufficient, or if other means are necessary," says Devoti. "We still rely on ID and passwords, but we [are moving] away from [them for] critical systems and will continue to migrate from passwords over time."

As a financial services provider to credit unions, CUNA Mutual partners with some 95 percent of the 10,000 credit unions in the U.S. The company has a total of 5,000 employees, with 2,000 of them located in the home office. There are well over 100 systems the company relies on that have their own security built in. Devoti has turned to Oblix, an enterprise identity management solutions provider, to help establish a web single sign-on architecture for partners and customers, although some of the 5,000 internal users may also benefit from the product when they access certain associated web applications.

External and internal users using CUNA's web applications only have one ID and password to access various applications through the Oblix NetPoint product. The identity management tool centralizes and administers their profiles through a central repository, whose main task is to store their accounts, as well as the IDs/passwords of internal users, Devoti notes.

Oblix provides only part of the solution for internal use, where a series of homegrown processes and workflow mechanisms are employed to provision users to the approximately 100 secured applications utilized inside the company walls, explains Devoti.

Through the deployment of an LDAP-compliant enterprise directory, CUNA Mutual has progressed in both controlling the need for new IDs and passwords, and actually reducing the number of IDs and passwords users must remember. The ultimate goal, says Devoti, is to reduce the number of credentials to just one. This is being achieved by establishing interfaces that create easy-to-use applications for end-users, and arming administrators with the tools to easily maintain and oversee the security information stored in the directory. The NetPoint tool enlists this same database to manage the other partner and customer accounts as well.

The decision to employ the identity management solution for web-facing applications and a workflow system based on the same central repository for internal accounts was driven more by employee convenience than just security, Devoti notes. Such a centralized system also offers flexibility. So, while many of the employees still rely on ID/password for access to systems, there are those users working externally who use two-factor authentication from RSA Security, in conjunction with the identity management scheme, to gain access.

While there are no specific projects currently planned, Devoti predicts a time when additional authentication solutions will be used as the company continues to move away from user name/password.

Other companies are trying their hands at identity management solutions, password reset/management tools, and/or tokens, smartcards or biometrics. For instance, Courion Corporation has a number of customers coupling its PasswordCourier product with tokens or smartcards. Tom Rose, vice president of marketing, says that Hewitt Associates, a management consulting and outsourcing firm, recently came back to the vendor for Courion's RSA SecurID connector. They have been using RSA's two-factor authentication product to safeguard "especially sensitive systems." By coupling that with Courion's self-service password reset and synchronization offering, Hewitt hopes to avoid the many helpdesk calls that result from employees and contractors forgetting their SecurID PIN or passphrase.

"This is a good example of how two-factor authentication and enterprise password management can be used together to harden authentication and management procedures, while at the same time reducing costs ... and boosting employee productivity," says Rose. "Identity management ideally solves three business problems: security, productivity and cost savings, with cost savings being the biggest driver in today's economic climate."

Malcolm MacTaggert, president and CEO of smartcard provider CRYPTOCard Corporation, says that even out of his company's 3,500 customers worldwide, up to 60 percent still depend on user IDs and passwords for access. Some 95 percent of the corporate world still turns to passwords for aspects of their security.

He warns that if any of them are considering migrating to identity management and/or password management to strengthen this intrinsically weak form of security, they have to think about how much better off their systems will become. Just how safe is their information if their end-users' 20 individual passwords are synchronized into just one to gain access to the same number of critical systems? From a security perspective, this option may end up being too convenient for end-users and hackers to get authorized access to a number of proprietary applications.

CUNA Mutual's Devoti argues that one username and password for end-users may not be ideal. Each application has its own security. It is complicated to keep track of all IDs and passwords, yet if a malicious person gets hold of the one password associated with all of those systems they will have access to more information. This is why companies will always require strict policies and mechanisms to enforce them, he adds. Bearing in mind that his company has web applications, mainframes, Unix systems, CRM, reporting applications and other internal services, Devoti adds that CUNA Mutual's move from passwords to identity management solutions - despite the acknowledged benefits and possible drawbacks - will take time. Even when the company integrates the use of more tokens and smartcards, passwords will still be part of the mix.

Making the best of passwords

Most experts believe that passwords will linger for the foreseeable future. Even with identity and password management tools, smartcards and biometric solutions, companies must practice and enforce sound password policies.

"It may be tempting to create passwords so they are easier to remember, but you are playing right into the hacker's hands. The challenge in creating a hacker-proof password is to make the password difficult to guess without making it impossible to remember," says Vincent Weafer, senior director of Symantec Security Response.

He suggests using different passwords for different accounts, and forming these by combining upper and lower case letters, punctuation and numbers. They should be about six characters long and should be changed regularly, but they should also be easy to remember so they don't have to be written down.

Such precautions are exactly what many end-users try to avoid, and why many of the other solutions discussed have been created. But, if companies are still going to live with passwords they should also manage them from the top down, adds Deloitte & Touche's Faruke. In this way, the parameters cited by Weafer, and other security experts, are applied consistently. For instance, if an end-user fails to change a password after a prescribed amount of time, or ends up using the same password too many times, mechanisms should be put into place to lock that user out of systems until the password is corrected.
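As an added illustration (not code from the article or from any vendor it names), here is one way to apply Weafer's composition rules and Faruke's top-down enforcement in one place: the six-character minimum is the article's figure, while the 90-day rotation interval, the five-password history, and the in-memory account are assumptions made for this example.

```python
import hashlib
import os
import string
from datetime import datetime, timedelta

# Policy parameters. The six-character minimum is the article's figure;
# the rotation interval and history depth are assumptions for this example.
MIN_LENGTH = 6
MAX_AGE = timedelta(days=90)
HISTORY_DEPTH = 5


def composition_errors(password: str) -> list:
    """Return the composition rules a candidate password violates (empty = OK)."""
    checks = {
        "at least %d characters" % MIN_LENGTH: len(password) >= MIN_LENGTH,
        "an upper-case letter": any(c.isupper() for c in password),
        "a lower-case letter": any(c.islower() for c in password),
        "a digit": any(c.isdigit() for c in password),
        "a punctuation character": any(c in string.punctuation for c in password),
    }
    return [rule for rule, ok in checks.items() if not ok]


def _hash(password: str, salt: bytes) -> bytes:
    # Salted scrypt from the standard library; passwords are never stored in clear.
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)


class Account:
    """One account with a password history, an age check and a lock."""

    def __init__(self, user: str):
        self.user = user
        self.history = []       # (salt, hash) pairs, newest last
        self.changed_at = None
        self.locked = False

    def _reused(self, password: str) -> bool:
        return any(_hash(password, s) == h for s, h in self.history[-HISTORY_DEPTH:])

    def set_password(self, password: str, now: datetime) -> list:
        """Apply the policy; on success store the new hash and clear any lock."""
        errors = composition_errors(password)
        if self._reused(password):
            errors.append("matches one of the last %d passwords" % HISTORY_DEPTH)
        if errors:
            return errors
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.changed_at = now
        self.locked = False     # a corrected password is what clears the lock
        return []

    def login(self, password: str, now: datetime) -> str:
        """'ok', 'bad-password', or 'locked' (an expired password locks the account)."""
        if self.locked or self.changed_at is None or now - self.changed_at > MAX_AGE:
            self.locked = True  # stays locked until set_password succeeds
            return "locked"
        salt, h = self.history[-1]
        return "ok" if _hash(password, salt) == h else "bad-password"


def run_scenario() -> list:
    """Walk one account through rotation, expiry, reuse rejection and recovery."""
    acct, t0 = Account("alice"), datetime(2024, 1, 1)
    return [acct.set_password("Secret1!", t0),                         # []
            acct.login("Secret1!", t0 + timedelta(days=10)),           # ok
            acct.login("Secret1!", t0 + timedelta(days=100)),          # locked
            acct.set_password("Secret1!", t0 + timedelta(days=100)),   # reuse rejected
            acct.set_password("Another2?", t0 + timedelta(days=100)),  # []
            acct.login("Another2?", t0 + timedelta(days=100))]         # ok
```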

The key, says Faruke, is to educate and train users on the policies, and then enforce those policies through tools. In addition, there has to be a way to audit and monitor the users and their password usage. To really handle the inherent flaws in user names and passwords, Faruke advocates an enterprise-wide identity management solution, where other forms of authenticated access to systems can be integrated.

Forging ahead

In the end, overcoming the exposures that username and password systems or other practices bring to corporations involves developing an overall architecture that enables companies to increase security, reduce the cost of ownership, scale as the business expands and meet corporate control requirements, adds Joe Duffy, global leader for PricewaterhouseCoopers' Security and Privacy practice. End-point solutions fail to get at the heart of the many security issues, he adds. Individual applications with their individually built-in security controls only heighten user name/password problems.

If companies begin to call security into all their applications, rather than rely on the individual security mechanisms within them, they can start to establish policies and standards based on an over-arching identity management architecture that reduces complexity and volume.

By sharing security controls across the enterprise, companies can establish policy rules and share the same security controls among the applications. At the same time, high-risk applications can demand tokens and smartcards, while others can still rely on user names and passwords. To start on this road, Duffy advises organizations to construct a business-oriented framework first, not a technical one. After establishing an enterprise security business plan, the company can decide how much security is necessary and when to employ it. Standards to engineer new and, if possible old, applications can be set, and operational aspects accounted for. A capability that allows a company to respond to the unexpected in an organized way can follow.

On top of this framework, the organization can firm up exclusionary and inclusionary views of the business, the former being a threat and vulnerability management plan and the latter being the identity management structure for users allowed access to systems. "You've got to have both, but answering the question of where the greatest business value is will ultimately drive your priorities and technical decisions," Duffy says. "I think most people struggle with a volume issue. They need to think in an organized fashion."

Illena Armstrong is U.S. and global features editor for SC Magazine.

It is no wonder, says Gary Clark, that people try to duplicate passwords. These days, everyone has so many passwords and PIN numbers to remember: login to computers at work, bank card PINs, logins to different web sites, even PIN numbers to access mobile phones and PDAs.
People might have one username and password for all personal web sites they visit, another for any work systems they access, and possibly one PIN number for all different ATM cards. The fact that these are duplicated means that once one password is breached, it is easy for someone to access other personal systems or accounts.

If users do realize the need to have different passwords for different accounts, then they end up having a lot to remember. It is fairly common, therefore, for people to write passwords down on Post-it notes under their keyboard, or somewhere else close to their computer. If they do this, there is little point them using a password as a security device at all.

There have been recent, well-publicized surveys, where people were quite happy to tell their passwords to anyone, even someone at a train station. Users need to be educated about keeping their passwords private.

When users forget their passwords the cost over a year can be fairly high, in terms of reissuing passwords and the cost of lost working time. This is especially true when organizations decree that passwords are changed on a regular basis.

Most passwords that users choose themselves are too easy, either the traditional 'password' or just the users' dog's/mother's/partner's name or telephone number. Users must be aware of the guidelines surrounding passwords, including using a combination of letters and numbers, upper and lower case letters, and not using words that can be found in the dictionary. Even so, this will still only delay a determined hacker - it will not prevent an attack.

Users object to 'strong password' policies, where the PIN must be greater than eight characters, include difficult characters like "@!%", and are compulsorily changed every 30 days or less. Such policies make security not only resource intensive for the administrators, but also encourage users to write down their passwords for fear of forgetting them.

Gary Clark is vice president of sales and marketing EMEA at Rainbow Technologies (

Take the Q&A challenge

Elton Hay contends that challenge questions may actually prove a very insecure way to reset your password

The helpdesk cost of resetting user passwords is significant enough to develop automated means of enabling users to reset their own password. One of the more popular methods is to allow the user to create a challenge question and answer as part of establishing their account.

When users have forgotten their password and need to gain access to their accounts, they go through a password reset process. This presents the user with their challenge question. If they supply the correct answer they get to reset their password and login. This password reset process is widely used, appears to work, and helps cut helpdesk support costs.

But there are security issues with this process that are not addressed in most implementations. The relative security of the challenge Q&A access path to an account as compared to the security strength of the ID/password access path is just one specific issue often overlooked.

There are other issues, such as user supplied versus canned questions, multiple questions, and how the challenge Q&A data is stored.

The keys to the door

The user ID/password is one set of keys to an account. It is like the front door, and has appropriate strong locks and the look and feel of being secure. The ID plus the challenge Q&A process is another set of keys to an account.

The challenge method is like the back door, and currently on most systems it is nowhere near as strong as the lock on the front door. What needs to be done is to make sure that the security strength of the challenge Q&A is at least as strong as that of the ID/password.

For example, the answer to most challenge questions is a single word. And, it is a word that is often shorter than the minimum required length of the corresponding password. In addition, that word is usually stored in lower case with leading and trailing spaces removed.

Hackers use dictionary attacks of several hundred thousand words to try and crack a password. The dictionary needed to crack a challenge question is significantly smaller as the answer is almost always a short, real word with no special characters.

If a hacker has access to the challenge question, then the attack dictionary can be significantly reduced - in many cases, to under 100 entries and often under 10. This means the challenge Q&A is much less secure than the password.

The real issue is how to make the security strength of the challenge Q&A comparable to the strength of the ID/password path. There is no easy solution. Edits can be applied, as with passwords, so that values such as account ID, account name, email address, etc. are not permitted as valid answers.

Educating users

User education is also needed, just as with passwords, so they have some idea of how to create a strong answer. The problem, just as with a password, is not to create an answer that is so strong that it is forgotten. Answers that are phrases are much stronger than a single word.

Over time, some programmatic means will likely be developed to check the Q&A for relative strength, and prompt the user when there is a disparity. There is a lot of literature on the computational strength of passwords, but there is no significant body of lore on how to compute the strength of a challenge Q&A. In the meantime, programmatic checks can be made for the obvious insecure answers, scrutinizing factors such as minimum length, simplistic answers, etc.

Another part of password security is the requirement to change a password every so often, and not use a password that you have previously used. Attempts to supply a password that is incorrect usually result in an account lockout for a period of time.

Similar rules could apply to the challenge Q&A. They may have to be changed every so often, you will not be able to use questions or answers that have been previously used, and failed attempts to guess the answer will result in an account lockout, probably for a longer period of time than the password lockout.
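An added example, not part of Hay's column, of the programmatic checks he describes: the candidate answer is checked in the same normalized form the store keeps, the account ID, name and email are rejected as answers, a phrase rather than a single word is required, and failed guesses on the reset path lock it for longer than a password lockout would. The word list, the length and word-count thresholds and the lockout values are constructed assumptions.

```python
import hmac

# Constructed stand-in for the attack dictionary the text describes; a real
# deployment would load a full word list plus common names and places.
COMMON_WORDS = {"password", "fluffy", "rover", "london", "paris", "blue",
                "mum", "dad", "smith", "jones", "secret", "1234"}
MIN_ANSWER_LENGTH = 12   # assumed: at least the password minimum, preferably more
MIN_ANSWER_WORDS = 3     # the text prefers phrases to single words


def normalize(answer: str) -> str:
    """Mirror what the store does before comparing: lower case, outer spaces gone."""
    return " ".join(answer.strip().lower().split())


def answer_errors(answer: str, question: str, account: dict) -> list:
    """Return the rules a candidate challenge answer violates (empty = accepted).

    `account` is a dict with 'id', 'name', 'email' and 'previous_answers'."""
    a = normalize(answer)
    words = a.split()
    forbidden = {normalize(account.get(k, "")) for k in ("id", "name", "email")}
    forbidden.add(normalize(account.get("email", "")).split("@")[0])
    forbidden.discard("")
    errors = []
    if a in forbidden:
        errors.append("answer equals the account ID, name or email")
    if words and all(w in normalize(question).split() for w in words):
        errors.append("answer is taken from the question itself")
    if len(a) < MIN_ANSWER_LENGTH:
        errors.append("shorter than %d characters" % MIN_ANSWER_LENGTH)
    if len(words) < MIN_ANSWER_WORDS:
        errors.append("fewer than %d words; use a phrase" % MIN_ANSWER_WORDS)
    if words and all(w in COMMON_WORDS for w in words):
        errors.append("every word is in the attack dictionary")
    if a in {normalize(p) for p in account.get("previous_answers", [])}:
        errors.append("previously used answer")
    return errors


class ResetPathGuard:
    """Failed answer attempts lock the reset path, for longer than a password lockout."""

    def __init__(self, max_failures: int = 3, lockout_seconds: int = 24 * 3600):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = {}        # account id -> consecutive failed attempts
        self.locked_until = {}    # account id -> unix time the lock expires

    def attempt(self, account_id: str, answer: str, stored: str, now: int) -> str:
        """Return 'ok', 'wrong' or 'locked'. `stored` is the normalized answer on file
        (a production store would keep a salted hash and compare hashes instead)."""
        if now < self.locked_until.get(account_id, 0):
            return "locked"
        if hmac.compare_digest(normalize(answer).encode(), stored.encode()):
            self.failures.pop(account_id, None)
            return "ok"
        self.failures[account_id] = self.failures.get(account_id, 0) + 1
        if self.failures[account_id] >= self.max_failures:
            self.locked_until[account_id] = now + self.lockout_seconds
            self.failures.pop(account_id, None)
            return "locked"
        return "wrong"
```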

Access denied

The password reset option on most web site accounts presents another access path to an application. Entering an account through the challenge Q&A leaves a trail as the password gets changed, locking out the original owner.

Sometimes an email gets sent to the account owner alerting them that the password reset path has been accessed. Some systems also send alerts to system administrators.

The person entering the account then has the option of changing not only the password, but the challenge Q&A, and maybe even the email address associated with the account. In this case, the identity associated with the account has been usurped.

In many cases, access to an account for a hacker is far easier through the challenge Q&A approach, as opposed to trying to guess the user password.

With this worrying fact in mind, administrators need to ensure that the strength of security for the challenge question and answer path to an account is strengthened to, at the very least, match that of the security strength of the ID/password.

Elton Hay, CISSP, is a security consultant working within the infosecurity industry.

Why waste the helpdesk's time when you can help yourself?

If one had to ask what is the main business driver in today's economy, says Gavin Massie, return on investment (ROI) would have to be in the top three items on any corporation's agenda.

But it seems all too apparent that while ROI is a critical concern, when it is put into the context of an organization's own internal efficiency it doesn't seem to have the same priority. Why?

If one looks at employee roles, the work undertaken cannot categorically be said to provide ROI, especially if one looks at the role of the IT department. As a highly skilled team, the IT department should be entrusted with maintaining the integrity of the enterprise's IT infrastructure.

More often than not, this department is asked to carry out routine tasks that, while critical to the overall workings of the company, could easily be accomplished by less skilled staff.

One such task is user password management. User access management is the organization's frontline of defense when securing the IT infrastructure. But with an ever-increasing number of critical applications requiring password access, users are being swamped with an onerous number of passwords to remember.

In real life, people will forget these, and when this happens the password must be securely reset in a timely fashion. For this, the precious IT department, via the helpdesk, is the first port of call - but this isn't necessary.

Would it amaze you to know that the Gartner Group reports that 30 percent of all calls to the helpdesk are for password resets, and estimates each reset at a cost of $20? The Forrester Group calculates a higher figure of $38, with 25 percent of all helpdesk calls being password related. IBM calculates the figure at $21 per reset.

Why waste the IT department's time and expertise on what is a simple reset task? The IT team cannot simply drop everything to reset a forgotten password. One needs a cost-effective solution, and this is why organizations should take advantage of the 'self-help' password reset management software on the market today.

These solutions enable all workers to take responsibility and carry out simple password maintenance tasks themselves. This dramatically reduces loss of productivity, as workers no longer have to wait for an IT technician. Using a simple yet secure interface, each user can personally reset any forgotten password by answering a predefined number of user-specific security questions.

Not only does such a 'DIY' interface reduce lost productivity and the overall cost of each reset function, but each worker now has the means to solve his or her own problems. If one looks at this in terms of ROI, the use of self-help software is significant, as workers can rectify their own individual password dilemma (during the time in which they would have previously lost productivity) and permit the IT department to carry on with their work.

Gavin Massie is senior security specialist at SafeStone Technologies (