Doing Your Part to Kill Passwords

A One-Card Solution Can Be the Answer


No, you didn't pick up a magazine from the IT department by mistake. Physical security has an opportunity to help solve the problems caused by using passwords to log into computers. Not your job? Well, in this new converged world, I beg to differ.

For years, we have been talking about one-card solutions: the use of a single card not only to control access to buildings but also to log on to computers. It is one of the first examples of convergence that most people talk about. In fact, the federal government's FIPS-201 program is the world's largest convergence project and focuses on the benefits of such a one-card solution. “In the IT industry, there has been a growing awareness that security is really around people; knowing who that user is, what he is allowed to do, verifying his identity, granting access to physical or logical assets, and then auditing that access,” says David Ting, CTO of Imprivata Inc., a provider of logon solutions. In the commercial sector, however, passwords are still king – with most companies relying on them exclusively for computer access. To understand why, let's take a deeper dive into the problem itself, and why the solution could impact the access control cards you have today.

The problem with passwords

Passwords are a simple means of authenticating computer users, but they have two evil sides. First, they are not very secure. The average person today has several user name/password combinations to remember; many people have dozens. In that environment, most reasonable people write the passwords down, use simple, easy-to-remember passwords, use the same password for all systems, or do all three. None of this is good news from a security point of view. In fact, in many offices, password security is not taken seriously at all. A study by Infosecurity Europe in 2004 revealed that 40 percent of surveyed office workers knew the log-in passwords of a colleague. With the ever-increasing tendency to use laptops offsite over unsecured links such as in hotels, the increasing availability of “keystroke loggers” that capture passwords without your knowledge, and the practice of allowing partner companies to log in to your business systems, passwords are just not enough anymore.

Second, if passwords are bad for security, they are even worse in terms of cost. Passwords are generally thought of as “free,” since there is no initial cost. In fact, the cost is in the ongoing maintenance. Market research firm Gartner estimates that on average, a computer user forgets a password and needs to reset it almost four times a year. That translates into 30 percent of all help desk calls. Now consider the wasted time of both the help desk operator and the computer user, and we start to see some real costs. “Password administration costs between $200 and $300 per user per year,” says Debra Spitler, HID Global's executive vice president of HID Connect.

If Passwords Are So Bad, Why Do We Still Use Them?
