This page contains a single entry from the blog posted on October 17, 2006 7:43 PM.

What is the right password strategy?

A September report from Nucleus Research, "What is the right password strategy?", found that "Unfortunately, more than one out of every three enterprise users keep a written record of their passwords. Contrary to popular belief, a survey of 325 users found that making users choose complex passwords or change them frequently doesn’t make them more likely to write them down."

They note "Of the third of users that write down their passwords, one third of those do it on paper, such as a sticky note. Even more dangerous are the other two thirds: they keep their passwords as a text file on their laptop PC or mobile device, where it could be easily lost or stolen."

Further, "Although single sign-on may be convenient, it didn’t reduce the likelihood users would write down their passwords either: whether users had one, two to three, or four or more passwords to remember at work, roughly one third of all of them wrote down their passwords."

Okay, all of this makes sense. However, their recommendation does not.

"Educating users on password security may have some effect. However, this study shows that if you’re looking for real access security, you’ll need to look beyond passwords. Some companies look to biometrics to increase security; other vendors such as Unomi are promoting cognitive biometrics as a higher-level authentication technology. Companies concerned about password security should continue to watch innovation in the authentication market."

This is what I call the "silver bullet solution". A BIOMETRIC IS NOT A SECRET. Further, there are wide differences in accuracy, and in false positive and false negative rates, across the different types of biometrics. Biometrics alone are not the answer.

Sorry to keep repeating the same recommendation in each blog post, but here it is again. Enterprises need a layered enterprise identity strategy. It could start out with one password to gain general access (I recommend using keyboardless entry), then as risk rises the user should be required to provide combinations of something they know (which is normally a secret), something they have (a smart card, a SecurID token, etc.) and something they are (one of many types of biometrics).
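To make the layered strategy concrete, here is an added example in Python (my illustration for this post, not code from Nucleus Research or any vendor) of a risk-tiered step-up policy. An action at a given risk tier must be backed by verified factors from enough distinct categories; two factors of the same category count once, and a biometric or a token alone never grants access because neither is a secret. The risk tier names, the factor names and the rule that a verified secret is always required are assumptions made for the example.

```python
"""Risk-tiered step-up authentication policy.

Added illustration of the layered strategy described above; not code from
this post or from any vendor. Factor names, risk tiers and the rule that a
verified secret is always present are assumptions made for the example.
"""
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOW = "something you know"  # password or PIN: a secret
    HAVE = "something you have"  # smart card, SecurID-style token
    ARE = "something you are"    # biometric: identifies, but is not a secret


@dataclass(frozen=True)
class Factor:
    name: str
    category: Category
    verified: bool  # outcome of that factor's own check (assumed done elsewhere)


# Assumed risk tiers: how many distinct factor categories an action needs.
REQUIRED_CATEGORIES = {
    "low": 1,     # general access: the single password
    "medium": 2,  # e.g. password + token
    "high": 3,    # password + token + biometric
}


def verified_categories(factors):
    """Distinct categories covered by factors whose check succeeded.

    Two factors of the same category (two passwords) count only once, so
    stacking secrets never substitutes for adding a second kind of factor.
    """
    return {f.category for f in factors if f.verified}


def authorize(risk, factors):
    """Decide whether the presented factors clear the given risk tier.

    Returns (allowed, reason). The base layer is always a verified secret:
    a biometric alone, or a possessed token alone, never grants access,
    because neither is a secret. Above that, the number of distinct
    verified categories must reach the tier's requirement.
    """
    if risk not in REQUIRED_CATEGORIES:
        raise ValueError(f"unknown risk tier: {risk!r}")
    needed = REQUIRED_CATEGORIES[risk]
    covered = verified_categories(factors)
    if Category.KNOW not in covered:
        return False, "a verified secret (something you know) is required"
    if len(covered) < needed:
        return False, f"{risk} risk needs {needed} factor categories, got {len(covered)}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample session: which factors the user has presented.
    password = Factor("password", Category.KNOW, verified=True)
    card = Factor("smart card", Category.HAVE, verified=True)
    finger = Factor("fingerprint", Category.ARE, verified=True)
    for risk, presented in [("low", [password]),
                            ("low", [finger]),
                            ("high", [password, card]),
                            ("high", [password, card, finger])]:
        allowed, reason = authorize(risk, presented)
        print(f"{risk:6} {[f.name for f in presented]!s:45} -> {allowed} ({reason})")
```

The design point is the category set: the policy counts kinds of evidence, not the number of prompts, so a second password or an unverified token adds nothing, while a fingerprint only ever strengthens a session that already rests on a secret.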

There is no magic bullet.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com
