Passwords May Soon Be History

Alternatives to the irritating and ineffective security system are on the way

When I fire up my computer in the morning, the first thing I do is use a password to log on to the workstation and the network. Starting my mail requires another login, as does browsing the Web through the corporate firewall. Getting into our editorial production system requires another login. And I haven't done any work yet.

Password profusion has become a serious annoyance, especially to people like me who work on corporate networks. And it's more than a nuisance. The difficulty of memorizing multiple passwords and remembering which password goes with what account drives people to such practices as using the same password for multiple accounts. Some people choose easy-to-remember--and easily guessed--passwords such as a phone number. Others paste their passwords to their monitors with sticky notes. By encouraging such practices, the ceaseless demand for passwords can jeopardize the network security it is designed to protect.

This situation is not likely to improve soon. Programs from different companies don't cooperate, so neither your e-mail post office nor your accounting system may understand that you have already logged in to the network. Systems designed to provide a single login for all services are often very difficult to implement.

Over the longer run, things will get better, and passwords, which experts regard as the weakest link in network security, will become less important and may even disappear. Security specialists say accounts can be protected by three things: something you know, such as a password; something you have, such as an access card; or something you are, such as your fingerprint. Over time, what you are and what you have, probably in combination, will replace what you know.

Perhaps the most widely used security devices today are tokens, like the RSA SecurID from Security Dynamics. The SecurID is a card or a key fob that displays a six-digit number that changes every 30 seconds. To log in to a system, you have to enter that number while it is displayed, making it, in effect, a password that is only used once.
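The "password that is only used once" described above, as an added example that is not from the original column: a Python implementation of the open time-based one-time password algorithm (RFC 6238), not SecurID's proprietary one, using a six-digit code and a 30-second step, with a server-side verifier that tolerates one step of clock drift and refuses a code that has already been accepted. The secret is a constructed demo value, not a real token seed.

```python
import hmac
import hashlib
import struct

# Constructed demo seed; real tokens carry a per-device secret shared with the server.
SECRET = b"constructed-demo-seed-0123456789"
STEP = 30      # seconds per code, matching the 30-second interval in the article
DIGITS = 6


def totp(secret: bytes, now: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the big-endian time-step counter, then
    RFC 4226 dynamic truncation to a fixed number of decimal digits."""
    counter = int(now // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Server side: accepts the code for the current step (plus a small window of
    clock drift either way) and remembers the highest counter already used, so the
    same displayed number cannot be replayed within its window."""

    def __init__(self, secret: bytes, step: int = STEP, drift_steps: int = 1):
        self.secret = secret
        self.step = step
        self.drift_steps = drift_steps
        self.last_counter = -1  # highest counter value accepted so far

    def verify(self, code: str, now: float) -> bool:
        current = int(now // self.step)
        for counter in range(current - self.drift_steps, current + self.drift_steps + 1):
            if counter <= self.last_counter:
                continue  # already consumed: this is what makes the code one-time
            expected = totp(self.secret, counter * self.step, self.step)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_counter = counter
                return True
        return False
```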

Smart cards are a step up in convenience and security--a rare combination. They can be inserted in a special reader or incorporated into an ID badge that can be read from a distance. All the user has to do is enter a PIN. Most systems will lock a workstation if the card is removed. The system is expensive, though, and many users find it cumbersome to carry a card around all the time.

The hottest idea in the security field is biometrics, the use of some physical characteristic that uniquely identifies you. The most widely used systems use a small pad that reads your fingerprint and lets you in only if it matches the record on file. Others use a small camera to scan the iris of your eye for the same sort of pattern checking. Voiceprints and signatures written on a pressure-sensitive pad are also possibilities.

Biometric approaches are promising but problematic. Designers have to make sure that the computer can't be fooled by, say, a recorded voice or a latex mold of a finger. And the system needs really strong defenses so people can't steal the digital version of your fingerprint or other ID. If your password is compromised, you can set a new password. If you lose a smart card, it can be voided and a new one issued. But if someone gets hold of your digital fingerprint, there's no way to grow a new finger.

Eventually, a combination of smart cards and biometrics will likely replace passwords on corporate networks. But the approach will work only if software companies agree on a common approach to security, since no one wants to carry multiple cards.

In personal computing, there's progress in easing password hell. Microsoft Internet Explorer 5.0 can remember passwords for Web sites. Apple offers a similar feature in its new Mac OS 9. And Microsoft is using a new system called Passport, which provides a single login for all Microsoft Network services.

Be a bit careful in using these services, especially IE's password-saving function. If you leave your computer, someone else could get onto a Web site pretending to be you. Especially in the office, you may want to decline IE's offer to remember passwords.

In the business world, security is regarded as paramount. The trouble is that if security measures are too obtrusive, workers will find ways to frustrate them. If companies really want to keep their networks safe, they will have to make security easier.
