TechWeb

The Password Is: Liability

Feb 25, 2004 (09:02 AM EST)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=18200511


Passwords are the weakest link in enterprise IT. That's the message in a new report citing the security risks faced by business travelers, as well as from RSA Security Inc. and Microsoft as they unveiled RSA SecurID tokens to simplify and secure Windows logins.

In a report for network-security company Secure Computing Corp., security consultant Rodney Thayer found that business travelers run a risk of compromising their company networks when they use public Internet access points.

"There really is a risk. There are a lot of opportunities for people to gain your password," Thayer says in the report, "Remote Insecurity: How Business Travelers Risk Exposing Their Companies When Remotely Accessing Company Networks."

At an airport Internet kiosk, for example, he suggests that an attacker could install a keyboard sniffer to capture all keystrokes entered in a hidden file. Such programs are freely available over the Internet and can be easily downloaded and installed.

Thayer also tested the security at a coffee shop with commercial wireless Internet access. He says that by using available software, an attacker could capture password data, use a keyboard sniffer to capture keystrokes, or simply "shoulder surf"--watch as a user enters his or her password.

While Thayer cannot attribute specific security breaches to such tactics, he says he's aware of numerous incidents that can't be explained by anything but stolen passwords. "This isn't a risk that can be ignored," he says.

With password resets comprising 40% of help-desk calls, according to RSA, a move toward something more secure and less costly for companies starts making sense. Users frustrated with monthly password changes probably won't object.

The RSA SecureID tokens add an extra step for security: Instead of typing in only a password, users of the tokens also must enter a random number that appears on their so-called SecureID, a key-chain fob or plastic card they carry with them. The number changes every minute, generated by an algorithm that also resides on a server inside a company's computing center.

The tokens, which stem from an Microsoft-RSA agreement disclosed Tuesday at RSA's annual security conference in San Francisco, would protect Windows-based computers with the token scheme, whether they're portable or attached to a company network.

"Despite highly publicized corporate security breaches caused by individuals who have circumvented password systems," RSA Security president and CEO Art Coviello said in a statement, "many companies still rely on them for user access to desktops and the network domain."