Solving the Password Problem

Published: April 10, 2006


By Amesh Mansukhani
Senior Product Manager, Identity & Access


A significant number of IT departments tasked with managing security still rely on passwords for authentication as the first line of defense. The problem with that approach is that passwords can easily be discovered by any amateur hacker using a commonly known method called a dictionary attack. In a dictionary attack, an attacker systematically tests all possible passwords for a particular user account, starting with common words and then changing each character until there is finally a match. There are many applications available on the Internet that can assist attackers, and it is only a matter of time before the right combination is found. With the right system, a simple password like “Helloworld” can be cracked in a matter of minutes, and a complex password such as “R3dm0nd” in a few hours. There are other variants of attacks that accomplish the same results, such as brute force or offline attacks. These methods are similar to the dictionary attack and have the same goal.

What is being done to address the password problem?

Organizations are attempting to solve the password problem by focusing on using strong password management policies. Most organizations now implement password policies with high complexity requirements (for example, a minimum of eight alphanumeric characters that must contain at least one letter and one number) along with an expiry date (for example, 30–45 days). There is an unfortunate assumption that this method will make it difficult, if not impossible, for an attacker to break a password.

Although complexity may lengthen the time it takes to complete a dictionary attack, it doesn’t mean the attack won’t be successful. The expiry time means that an attacker must complete the brute force or dictionary attack within that period of time, but with the availability of powerful computing systems, that is not a big obstacle for attackers.

From a user perspective, it takes longer to memorize your new passwords, and by the time you get comfortable with one you are already being requested to change it. Frustrated users are now writing passwords down on sticky notes and hiding them under their keyboards or sticking them directly onto their monitors. And how secure is that?

To prevent users from reusing their passwords during the forced change process, administrators have added requirements to not use the last five or so passwords. Unfortunately, this leads to adverse behavior: some users will take an extra 10 minutes of their busy day to reset their passwords over and over again until the password history resets itself so they can use their original password. To solve this issue you can set up a minimum password age, but at the end of the day we are not really solving the password problem. Instead, we are just adding more hurdles that users have to go through to make passwords slightly more difficult for attackers to figure out.
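The interaction between password history and minimum password age described above, as an added example that is not part of the original article: a small Python model of the two settings. The class and function names are hypothetical, and the model assumes the history of five includes the current password and that the user is forced to change on day 30.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Policy:
    history_size: int = 5   # passwords remembered, current one included (model assumption)
    min_age_days: int = 0   # 0 = a password may be changed again immediately

def _digest(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so the history never holds plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

@dataclass
class Account:
    policy: Policy
    history: list = field(default_factory=list)   # (salt, digest), newest last
    last_change_day: Optional[int] = None

    def change_password(self, new: str, day: int) -> str:
        p = self.policy
        if self.last_change_day is not None and day - self.last_change_day < p.min_age_days:
            return "rejected: minimum age"
        if any(hmac.compare_digest(d, _digest(new, s)) for s, d in self.history):
            return "rejected: in history"
        salt = os.urandom(16)
        entries = self.history + [(salt, _digest(new, salt))]
        self.history = entries[-p.history_size:] if p.history_size else []
        self.last_change_day = day
        return "ok"

def days_to_reuse(policy: Policy, expiry_day: int = 30, limit: int = 365) -> Optional[int]:
    """Days after expiry until a user cycling throwaway passwords gets "original" back."""
    acct = Account(policy)
    acct.change_password("original", day=0)
    n = 0
    for day in range(expiry_day, expiry_day + limit):
        while True:
            if acct.change_password("original", day) == "ok":
                return day - expiry_day
            n += 1
            if acct.change_password(f"throwaway-{n}", day) != "ok":
                break   # blocked by minimum age; the user has to wait for another day
    return None

if __name__ == "__main__":
    for min_age in (0, 1, 2):
        print(min_age, days_to_reuse(Policy(history_size=5, min_age_days=min_age)))
```

With no minimum age, the history is cycled out in a single sitting; each day of minimum age multiplies the wait by the history size, which makes the workaround tedious but does not change how guessable the passwords are.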

Many security experts will also tell you to increase your password length to more than 15 characters to help prevent a hash from being created in the Security Accounts Manager database. This will make it even more difficult for attackers to use the all too famous dictionary attack. Can you imagine what your users would say if you even uttered the number 15?

At this pace, everyone will be required to have a minimum of 50 alphanumeric characters drawn from multiple different languages. These stronger policies will continue to lead to user behavior that either circumvents the policies or effectively reduces the security of the system. Such solutions are the equivalent of putting duct tape on a broken duct rather than replacing it with a system that works. (Microsoft's current guidance suggests using long pass phrases, which would help users adhere to these password policies, but this method has not caught on in the broader user base.)

Finally, overall password management costs have skyrocketed. Users are unproductive when they get locked out of their systems due to forgotten passwords. The average help-desk call costs an organization about US$50. Can you guess what the number one call request is? If you guessed password resets, you are correct. In some organizations it can take anywhere from 15 minutes to hours before a user can get a password reset. Today there are a slew of self-service password management and reset tools available in the market, but they are still costly to implement and use.

How do we become secure?

We have to recognize that user passwords are no longer a good enough solution and that moving to multifactor authentication is a better way to help ensure secure access to resources and to protect those resources. This requires a minimum of two authentication methods. The best multifactor authentication, in my opinion, is the combination of one or more X.509 certificates on a smart card for identification and authentication coupled with an alphanumeric-enabled PIN. The great thing about smart cards is that you do not have to have a lengthy or complicated PIN. The PIN here is used to unlock the contents of the smart card; in this case, it is used to access the digital certificate that identifies who you are. Password attacks are far more difficult to conduct on the electronic chip, making attackers less likely to even attempt them.

A smart card doesn’t even have to live on the traditional credit card size plastic. Instead, you can have a USB thumb drive that contains the smart chip. This will help you reduce your initial cost by not having to purchase a smart card reader for every user. The one advantage of having the credit card size plastic is that you can add a personalized ID badge and use it to enable physical access to offices, server rooms, etc.

Smart cards can be used in different scenarios such as client authentication, code signing, remote access authentication, and e-mail signing. When you have a public identity (something you have) and a private PIN (something you know), it is less likely for anyone to be able to impersonate you. The only way someone can do that is by getting access to both your physical device and your memorized PIN.

A one-time password (OTP) system and biometrics are other alternatives that can help secure your information, but they have some unacceptable shortcomings that organizations have to deal with. OTP is limited to a few scenarios such as client authentication. You don’t get the ability to digitally sign e-mail messages, and you have to type in the eight or so numbers every time you authenticate. And because there is no easy way to federate identities with OTP, it is difficult to share identities between different organizations. Biometrics technology can be a great solution if you combine it with a PIN or password. But the reliability is less than optimal because biometric identifiers still produce a significant level of false positives. And it is very costly to acquire reliable devices and then to deploy the solution to every desktop.

If smart cards are so great why doesn’t everyone already have one?

Many European governments have already deployed national identification cards that contain a smart chip. Even the United States has a mandate under Homeland Security Presidential Directive 12 to deploy smart cards to every government employee in the coming year. Commercial organizations are reluctant to deploy because of the perceived complexity of deployment.

To deploy smart cards you need to build a digital certificate infrastructure, which includes a certificate authority (CA), a card management system (CMS), and an LDAP directory. You’ll also need the smart card, smart card readers, and middleware applications so that the smart card can interact with your operating system. The most difficult part of deploying such an infrastructure is the low availability of card management systems in the market. CMS is a set of management tools that enables you to easily deploy smart cards by giving administrators the capability to provision, deprovision, and conduct other management tasks on smart cards. Most companies have had to build their own CMS and have spent anywhere from three to six months to just get the basic functionality up and running.

Vendors and solution integrators are starting to make it easier to implement a good card management solution. Microsoft recently announced its own CMS solution called Microsoft Certificate Lifecycle Manager (CLM), which is currently in Beta 1. CLM is a workflow and policy-based system that allows you to centrally manage the lifecycle of digital certificates or smart cards. You can even give your users the ability to manage themselves through the self-service tool. This application makes it easier to deploy smart cards throughout your organization. Microsoft also has several partners lined up to help you easily acquire smart cards for testing CLM.

No matter which multifactor authentication you decide to go with, you should now know that a simple or complex user name and password are no longer considered an option to secure your computers’ assets. Multifactor authentication is the way to go, and vendor solutions for managing the complexity of these systems are making it a reasonable project to solve the authentication challenge.