No, you didn't pick up a magazine from the IT department by mistake. Physical security has an opportunity to help solve the problems caused by using passwords to log into computers. Not your job? Well, in this new converged world, I beg to differ.
For years, we have been talking about one-card solutions, the use of a single card to not only control access to buildings but also to log onto computers. It is one of the first examples of convergence that most people talk about. In fact, the federal government's FIPS-201 program is the world's largest convergence project and focuses on the benefits of such a one-card solution. “In the IT industry, there has been a growing awareness that security is really around people; knowing who that user is, what he is allowed to do, verifying his identity, granting access to physical or logical assets, and then auditing that access,” says David Ting, CTO of Imprivata Inc., a provider of logon solutions. In the commercial sector, however, passwords are still king – with most companies relying on them exclusively for computer access. To understand why, let's take a deeper dive into the problem itself, and why the solution could impact the access control cards you have today.
The problem with passwords
Passwords are a simple means of authenticating computer users, but they have two evil sides. First, they are not very secure. The average person today has several user name/password combinations to remember; many people have dozens. In that environment, most reasonable people either write the passwords down, use simple, easy-to-remember passwords, use the same password for all systems, or all three. None of this is good news from a security point of view. In fact, in many offices, password security is not taken seriously at all. A study by Infosecurity Europe in 2004 reveals that 40 percent of surveyed office workers knew the log-in passwords of a colleague. Because of the ever-increasing tendency to use laptops offsite over unsecured links such as in hotels, the increasing availability of “keystroke loggers” to capture passwords without your knowledge, as well as allowing partner companies to log in to your business systems, passwords are just not enough anymore.
Second, if passwords are bad for security, they are even worse in terms of cost. Passwords are generally thought of as “free,” since there is no initial cost. In fact, the cost is in the ongoing maintenance. Market research firm Gartner estimates that on average, a computer user forgets a password and needs to reset it almost four times a year. That translates into 30 percent of all help desk calls. Now consider the wasted time of both the help desk operator and the computer user, and we start to see some real costs. “Password administration costs between $200 and $300 per user per year” says Debra Spitler, HID Global's executive vice president of HID Connect.
If Passwords Are So Bad, Why Do We Still Use Them?
To answer that, let's break the problem down a bit and look at the alternatives. Part of the reason the password problem has gotten worse is the issue of multiple systems, each having its own password requirement. That can be fixed using a technology called single sign-on (SSO), which enables a user to sign on once at the beginning of a “session,” rather than repeatedly for each application. The technology used to be difficult for IT to implement and required significant changes to older applications. It now, however, is available in much easier-to-implement forms. While having to remember multiple passwords is a key piece of the problem, you are still left having to remember one. Therein lies a new problem: the so called “keys to the kingdom” issue. Once a bad guy knows that one password, he can go anywhere in the system that the password owner was allowed to go. That leads you to want to toughen the requirements for passwords by requiring them to be longer, to use letters and numbers, and to change them more often. Bottom line, just implementing SSO still leaves you with one password, and often one which is easier to forget. “There is a trend toward giving the user single sign-on to eliminate all of the extra passwords, but trading that requirement for a second factor, such as a logon badge,” Ting says.