Wednesday, March 12, 2003

Strengthening the weak link in enterprise system security. Last year, I wrote a short post pointing out that the weak link in enterprise security is the user, in particular the typical user's inability to formulate or remember strong passwords. Strong passwords -- those that follow certain rules such as minimum length, mix of characters and numbers, and avoidance of dictionary words, etc.-- are difficult to break, even with automated cracking tools. But strong passwords are difficult to remember. So, most users recycle the same personal passwords over and over, employing names of spouses or pets or birthdays that are both easy-to-remember and easy-to-guess. It's a serious problem. One report last year found that a consultant hacker using a publicly available password cracking program was able to hack or crack 30% of the passwords for 10,000 user accounts at a health care firm -- in less than an hour!

So, I paid attention when David Harding from BrowserPlus offered a couple months ago to let me beta-test a new "extension" to Internet Explorer, called Login Manager, which he claimed was a solution to the problem of maintaining strong passwords. The program does a lot: it provides a searchable bookmark capability, it can automatically populate Web forms and log you into a favorite site with a single click, and it can generate, remember, and manage strong passwords. This last point is goes to the heart of the "weak link" problem.

Login Manager turns typical password administration upside down. Instead of asking the user to generate or remember a strong password, the Login Manager can be configured to manage all passwords on behalf of the user. For the highest level of security, an organization’s security administrator can even hide passwords from the users themselves. Although hiding passwords from users might seem counter-intuitive, there are several attractive benefits to this approach:

  1. As Kevin Mitnick points out, the easiest way to steal a password is to ask the user for it. A significant number of users are vulnerable to "social engineering," where the password thief over the phone poses as someone with legitimate need for the password. But if users don't know their own passwords, they can't give them away.

  2. If employees don't know passwords, they can’t share them with friends or relatives. No more "sharing" of access to proprietary research sites, such as Gartner. More seriously, no more sharing of access to company intranets with outsiders, such as recruiters, or competitors.

  3. If employees don't know passwords, they can't take them when they leave the company. No more worry about terminated employees continuing to access employer Web accounts or extranets.

  4. Finally, in some departments (e.g. purchasing) it is necessary for several users to share a common "corporate account" and password (e.g. several buyers in Purchasing using a common account for an e-commerce site). But if the users don't actually know the password, it's no longer necessary to change it every time one of them leaves the company.


Because Login Manager operates as an extension to Internet Explorer, it won't administer passwords for legacy client-server or mainframe systems. Still, with more and more systems adopting a browser client, in some companies it could serve as an important element of a comprehensive security policy.

A 30 day free trial of the Login Manager (both home and professional editions) is available at the BrowserPlus web site.

No comments: