Passwords Are a Failure, Says Research Group

Passwords, the dominant form of securing enterprise assets, are a failure, a research firm said Thursday.

According to the Meta Group, passwords aren't cutting the mustard because of both organizational and user failings, as well as a lack of cost-effective alternatives.

"Enterprises are pretty frustrated with passwords," said Earl Perkins, vice president with the firm's security and risk strategies group. "They're asking, 'After three or four decades, isn't there something else besides passwords?'"

On the organizational level, Perkins said that passwords' failings range from enterprises wasting time creating convoluted policies to spending too little time protecting crucial applications. On the end-user front, meanwhile, passwords are ineffective when people have too many to maintain.

But the issue with password protection isn't just numbers, said Perkins. "From a cultural standpoint, many individuals don't believe the value of the password reflects the value of the assets it protects. Time and again, the password is not afforded deserved protection. This renders passwords ineffective regardless of synchronization, best practices, or management efforts."

The solution that enterprises are looking for is a low-cost way to add strong authentication to identity management. "The trend is toward the idea of some sort of supplement or alternative to passwords," he said.

Among the possible additions or alternatives to passwords are such concepts as tokens, smart cards, and PKI-style services. "But it's going to take someone willing to drive down the price of, say, tokens to create a low-cost solution," he added.

There are hints that that might happen as early as the end of 2004 or the beginning of 2005, Perkins said, if only because rivals of RSA, the dominant player in the identity management market with its SecurID token, want to break its grip. "If a competitor can shake that tree, things will loosen up. It may start some kind of momentum."

One of Meta Group's clients, for instance, wanted to deploy token-based authentication to its entire 60,000+ employee workforce, but the price tag was simply too high. It's going to take an authentication provider "brave enough to start a price war" to break the logjam.

Currently, strong authentication schemes that use tokens -- often USB-based devices that plug into the PC -- cost too much, around $40 to $50 per user per year over a five-year period. "That's just too much for basic authentication," said Perkins, for enterprises to roll out across the board. Instead, they tend to apply the higher-cost, but more secure, authentication to higher-value assets, such as servers, and leave passwords, as ineffective as they are, to defend other assets, like desktops.
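The article treats a token as a black box. As an added example, not code from Meta Group, RSA or any vendor the article names, the following Python shows what an event-based one-time-password token actually computes and how the server checks that code alongside the password, so that the token is a second factor rather than a replacement. The algorithm is HOTP from RFC 4226, an open standard published after this article; it is not RSA's proprietary SecurID algorithm. The user name and password are constructed sample data, the seed is the RFC 4226 test-vector seed, and the look-ahead window and replay check are design choices of this example, not something the page specifies.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Token:
    """The user's side: a hardware token holds the seed and an event counter
    and shows a fresh code each time its button is pressed."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.seed, self.counter)
        self.counter += 1
        return code


class AuthServer:
    """The enterprise side: per-user password hash, token seed and the next
    counter value the server will accept. Accounts are constructed sample data."""

    def __init__(self, look_ahead: int = 5):
        self.look_ahead = look_ahead  # how many skipped button presses to tolerate
        self.users = {}

    @staticmethod
    def _hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, user: str, password: str, seed: bytes) -> None:
        salt = os.urandom(16)
        self.users[user] = {
            "salt": salt,
            "pw_hash": self._hash_password(password, salt),
            "seed": seed,
            "next_counter": 0,  # lowest counter value not yet consumed
        }

    def verify(self, user: str, password: str, otp: str) -> bool:
        rec = self.users.get(user)
        if rec is None:
            return False
        # Factor 1: something the user knows. Constant-time compare of the hashes.
        if not hmac.compare_digest(rec["pw_hash"], self._hash_password(password, rec["salt"])):
            return False
        # Factor 2: something the user has. Search a small window ahead of the last
        # accepted counter so a few unused button presses do not lock the user out.
        start = rec["next_counter"]
        for c in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(rec["seed"], c).encode(), otp.encode()):
                rec["next_counter"] = c + 1  # consume this and every earlier code (replay protection)
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 4226 test-vector seed
    server = AuthServer()
    server.enroll("alice", "correct horse", seed)  # constructed sample account
    token = Token(seed)
    code = token.press()
    print("first code", code, "accepted:", server.verify("alice", "correct horse", code))
    print("same code again (replay):", server.verify("alice", "correct horse", code))
```

Two things the price discussion above leaves out are visible here: the server must keep a per-user secret and counter state, which is where most of the deployment cost and the shared-secret risk live, and the counter window is a trade-off between usability and the number of codes an attacker may guess per login attempt.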

Enterprises are begging for something better than passwords, said Perkins. Until they get it, they'll keep throwing solutions -- often ones that don't really solve the problem, like single sign-on -- at the problem.

"Passwords are just not cutting it," he said, "but until there's a low-cost alternative this is all we've got."