AuthenticationWorld.com

The business of authentication

Password Authentication

In most enterprises, passwords are the primary means of authenticating a user. Unfortunately, they are also the weakest form of authentication. In today's digital world, the ways to bypass this form of security are trivial. While many enterprises focus on strengthening passwords, these efforts are by and large meaningless in the face of the tools that attackers can use. These tools give criminals an easy way to hack, trap, or crack most passwords.

The first attack tool against password authentication is a hardware keyboard logger. Legally available online for $40, these devices plug into the connection between the keyboard and the computer. They record every keystroke, and some models can add time and date stamps to the data. A hardware keyboard logger looks like a small piece of computer connection hardware, takes only 10 seconds to install, and is not detectable by any commercially available software.

Password authentication is further weakened by software attacks. Password-logging software programs are embedded in email and are activated by clicking on the links in the email or by visiting a fake site that looks like the normal commercial site (a phishing attack).

It is now common for large organized crime web gangs to develop keyboard logging software that recognizes the bank ID and authentication password you enter when you log on to your bank's website to conduct a transaction. The ID and password are then sent within seconds to the organized crime servers somewhere in the world. They are then auctioned off, via the internet, to other organized criminals, who quickly use them to begin emptying your bank account.

Passwords can be used in a layered identity defense strategy. This means that your enterprise allows a user ID and password to gain general access to low-risk enterprise applications and information, e.g. the enterprise portal. However, when the user tries to access applications or information that is higher risk, the enterprise should require stronger authentication. This may include security tokens, digital certificates, biometrics, smartcards, or combinations thereof, in addition to the password.
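The layered strategy described above can be expressed as a step-up access decision. The following is an added example, not code from this site; the resource names, risk tiers, and the number of strong factors required per tier are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Stronger factors named in the text above.
STRONG_FACTORS = {"security_token", "digital_certificate", "biometric", "smartcard"}

# Constructed sample policy; resource names and tiers are hypothetical.
RESOURCE_TIER = {"enterprise_portal": "low", "payroll": "high", "wire_transfer": "critical"}

# Assumption: strong factors required in addition to the password, per tier.
STRONG_REQUIRED = {"low": 0, "high": 1, "critical": 2}


@dataclass
class Session:
    user: str
    factors: set = field(default_factory=set)  # factors already verified


def decide(session, resource):
    """Return (decision, strong_factors_still_needed, factors_to_offer)."""
    tier = RESOURCE_TIER.get(resource)
    if tier is None or "password" not in session.factors:
        # Fail closed: unclassified resource, or no base credential verified.
        return ("deny", 0, [])
    # Unrecognised factor names are ignored by the intersection.
    verified = session.factors & STRONG_FACTORS
    needed = STRONG_REQUIRED[tier] - len(verified)
    if needed <= 0:
        return ("allow", 0, [])
    # Ask only for factors the session has not presented yet.
    return ("step_up", needed, sorted(STRONG_FACTORS - verified))


if __name__ == "__main__":
    s = Session("alice", {"password"})
    for res in ("enterprise_portal", "payroll", "wire_transfer", "hr_archive"):
        print(res, decide(s, res))
    s.factors.add("smartcard")  # user completes a step-up challenge
    print("payroll after smartcard:", decide(s, "payroll"))
```

A resource that has not been assigned a tier is denied rather than treated as low risk, so new applications must be classified before they become reachable.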
