Software That Asks "Who Goes There?"

Help-desk overload, high costs, and legal requirements are sparking a revolution in the art and science of managing employee passwords

By Alex Salkever

It's enough to give any business a headache, let alone a health-insurance company. Tech-support staffers at Thousand Oaks (Calif.)-based insurer Wellpoint (WLP) say they receive 14,000 calls every month from employees who have forgotten their computer-access passwords for the company's Intranet site and need a manual reset. Each reset can cost anywhere from $25 to as much as $200 for an employee using multiple systems or software programs. For Wellpoint, such remedial efforts translate into a minimum annual cost of more than $4 million.

That's minuscule for a company that's one of the country's largest insurers, with $12 billion in annual revenues and 16,000 employees. But password resets also pose a major security hazard. Malicious hackers often call companies and pose as phony employees in the hope of snagging passwords that will let them enter systems.

And keeping close tabs on passwords acquired an added urgency for health-care companies in April, 2001, when a new federal law took effect. The U.S. Health Insurance Portability & Protection Act (HIPAA) mandates costly penalties for companies that don't guard their medical records carefully.

For all these reasons, Wellpoint is now rolling out a password-management system from Courion, a security-software maker based in Framingham, Mass. If employees lose their passwords, they can change them over the company's Intranet or even via telephone, using interactive voice-recognition technology and by answering a series of personal questions about, say, their favorite foods or colors. Only when a user can't provide the appropriate answers is the help desk summoned.

Already, the effort has started to show signs of paying off. "It has definitely reduced the number of calls for password resets from the employees who are using it now," says Wellpoint security engineer Tom Kiger.

Wellpoint and other health-care companies are hardly alone in experiencing password pressure. Financial outfits are also feeling the heat, thanks to the Gramm-Leach-Bliley Act. Taking effect in 2001, that act imposes similar data protections and auditing requirements on the financial sector. And those are only the legal imperatives. As the Enron scandal continues to simmer, companies are seeking better ways to audit everything that runs across their networks.

No surprise, then, that at least a dozen companies are pushing hard to grab market share in this sector. In addition to Courion, Access 360, M-Tech, Netegrity (NETE), IBM's Tivoli unit (IBM), Computer Associates (CA), Netmagic, Proginet, Waveset, and BMC (BMC), among others, are all vying for business.

The current value of the password-management market is tough to pin down. Some companies -- such as Courion, Netmagic, and M-Tech -- treat password management as a stand-alone product. Others, including BMC and IBM, sell it as part of larger software offerings. In March, 2001, Novell put a $2.2 billion figure on the market, but it could have a lot further to grow as enhanced security concerns make password paralysis a more acute problem.

Not all password-management systems are alike, however. Some, such as those offered by Novell and Tivoli, strive for so-called single sign-on. That means one password will grant access to all the various applications an employee may need, from proxy servers to e-mail to databases and self-service human-resources software systems.

The benefits of single sign-on are ease of use for employees and an incentive for companies to enforce so-called strong passwords -- the sort that often involve alphanumeric combinations, which are hard to guess and can't be obtained by a simple "dictionary" hack attempt, in which an intruder tries large numbers of common words and word combinations.

The downside? Sometimes a single sign-on system requires more integration, and once it has been cracked, an intruder can access anything available to the original account holder. That's why Courion and M-Tech say they offer password-management systems that make it easier for users to reset their own multiple passwords without turning to the help desk. They can do this through smart cards, biometrics, or, more likely, by asking the user a series of personal questions that must be answered correctly.

Many Web sites already use a single level of this technology by including "password hint" sections to verify that the person asking for a new password really is the account holder. Courion and M-Tech, however, take it a step further. They also can create entry systems that bypass the first level of network-management software, such as Novell NetWare.

This type of software can prove a major bottleneck because, if users forget a password, they can't even log onto the network to use any self-service password-reset systems that might be in place. "We can run a Java applet right from the desktop that lets you access the system without logging on to Novell or other network-management software," says Tom Rose, vice-president for marketing at Courion.

Still, remembering and resetting all these passwords might be such a chore that employees call the help desk anyway. Courion works hard to make sure that doesn't happen. It encourages internal company efforts to promote the software's use -- even offering incentives such as prizes for users of the new password systems.

Companies may find it easier to use smart cards or ID tokens such as RSA Security's (RSAS) SecurID system, which is based on hand-held devices that generate time-stamped numbers. These must be matched with the correct numbers generated by the RSA server that controls access to critical systems.

These smart cards are great for systems requiring a single sign-on -- unless an experienced hacker steals one. Passwords also might face more competition from biometric ID systems, particularly as the cost of installing and managing these biological readers comes down.
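As an added illustration (not code from the article, from RSA Security, or from any vendor named here), the matching of a device-generated, time-stamped number against the number the server computes is shown below with a TOTP-style scheme (RFC 6238) standing in for the proprietary SecurID algorithm; the shared secret, the one-minute step and the one-step drift window are assumptions.

```python
# Added illustration, not the article's or RSA's code: a TOTP-style (RFC 6238)
# one-time code as a stand-in for the time-stamped numbers the article describes.
# SecurID's own algorithm is proprietary and differs in its details.
import hmac
import hashlib
import struct
from typing import Optional, Tuple

STEP_SECONDS = 60        # one code per minute (assumed interval)
DIGITS = 6
ALLOWED_DRIFT_STEPS = 1  # tolerate clock drift of one step either side

def code_for_step(secret: bytes, step: int) -> str:
    """Derive the code for a given time step from the shared secret (HOTP core)."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** DIGITS)).zfill(DIGITS)

def token_code(secret: bytes, now: int) -> str:
    """Token side: the number the hand-held device would display at time `now`."""
    return code_for_step(secret, now // STEP_SECONDS)

def server_verify(secret: bytes, submitted: str, now: int,
                  last_used_step: Optional[int]) -> Tuple[bool, Optional[int]]:
    """Server side: compare the submitted code with the codes the server itself
    computes for the current step and a small drift window.
    Each step is accepted at most once, so a code that was observed in transit
    cannot simply be submitted again. Returns (accepted, step_to_record)."""
    current = now // STEP_SECONDS
    for drift in range(-ALLOWED_DRIFT_STEPS, ALLOWED_DRIFT_STEPS + 1):
        step = current + drift
        if last_used_step is not None and step <= last_used_step:
            continue                                          # already consumed
        if hmac.compare_digest(code_for_step(secret, step), submitted):
            return True, step
    return False, last_used_step

if __name__ == "__main__":
    secret = b"constructed-shared-secret-0123"                # constructed sample
    now = 1_000_000_000
    code = token_code(secret, now)
    print("device shows:", code, "server accepts:", server_verify(secret, code, now, None)[0])
```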

For now, however, standard password systems are looking more and more passé. Courion and M-Tech both claim to be riding the boom. "We have been growing at 200% to 300% per year, and in 2002, despite the recession, we are only seeing an acceleration of that growth," says Idan Shoham, M-Tech's chief technology officer. BMC's password-management system, which is part of an integrated security package, is also gaining popularity, according to business-development manager Ran Tamir.

The future? Remembering your favorite color or restaurant -- or recalling a single, complex password to open all your programs from a single screen -- might be the standard in a few years. If that happens, password paralysis could be a thing of the past.

Salkever covers computer security issues twice a month in his Security Net column, only on BusinessWeek Online

Edited by Douglas Harbrecht