Network Security

Improve password protection

Smart cards use two-factor authentication to strengthen network security.

by Dovell Bonnet
Protecting sensitive financial, research and customer information from unauthorized individuals is the primary goal of password security. Convenience, however, dictates that most users choose easy-to-remember passwords, use the same password for every account or write their passwords down on paper and stick them by their computers. While these practices make managing passwords easier for the user, they create network security risks.
To combat these risks, IT security managers often impose stronger and stricter password security policies. Users are often asked to increase the minimum number of characters to eight, mix different characters, numbers and symbols, or change their passwords every 30 to 60 days. The latest password-cracking programs, however, can easily crack most users’ passwords within minutes. Moreover, simple password protection cannot guarantee that an unauthorized user will be unable to gain access to the network, because even the best password can be stolen.
Combining a smart card with a password or personal identification number, however, can help ensure that only authorized individuals are granted access to the network. Four popular systems available are: certificate-based public key infrastructure (PKI), one-time password (OTP) tokens, server-based single sign-on (SSO) software and password managers (PMs).
Before implementing any of these technologies, the enterprise should first consider its existing infrastructure, budget for upgrades and modifications, support capabilities, level of protection needed and convenience the solution will provide to the user. No matter how great the technology promises to be, if it is placed in the wrong environment, if it is not fully supported, or if it is cumbersome for the user, it will fail to meet security objectives.
PKI is the most secure of the smart card-based technologies. It uses public/private key pairs, which are typically generated and stored on a smart card. It allows the user to sign legally binding contracts over the Internet, ensures that documents sent are identical to those received, guarantees that only authorized people can access the documents, and proves authorization of any online transactions.

With this high level of authentication, however, come a number of in-house server modifications, support and maintenance, user training, technology upgrades and annual subscription fees. There is also a complex infrastructure and cross relationships between certificate authorities, certificate enrollment agents, certificate revocation lists, and other entities to build the complete PKI environment. It can typically take a company more than a year to complete the investigation, integration, deployment and training.
One-time passwords use a battery-powered card or token that periodically generates and displays new passwords on a small liquid crystal screen. The advantage with OTPs is that passwords are always changing. Therefore, if a password is ever compromised it will only be valid for about a minute. The user must manually enter the displayed number into the computer within a short period of time before the number changes again.
There are also some implementation issues that can occur with the backend synchronization of OTPs. The network, computer and/or Web site should also be generating the same new password at the same time for each token to authorize access. If they are not in sync, then even legitimate users will be locked out. In addition, different networks and Web sites cannot be synchronized to the same token, which requires the user to carry a separate token for each account. The backend infrastructure, support and maintenance costs of OTPs are lower than PKI, but are still high.
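The synchronization problem described above can be seen in a small time-based OTP model. This is an added example, not code from the article or from any vendor it mentions; it assumes a 60-second time step, six-digit codes, the HMAC truncation used by the HOTP/TOTP standards, and a constructed shared secret. The server accepts a code only if it matches its own clock step or a neighbouring one, so a token whose clock has drifted further than that window locks its legitimate user out.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the article's "valid for about a minute"
DIGITS = 6

# Constructed shared secret: provisioned into the token and the server at enrollment.
DEMO_SECRET = b"demo-token-secret-not-for-real-use"


def otp_for_step(secret: bytes, step: int) -> str:
    """Code for one time step: HMAC-SHA1 over the step counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def token_display(secret: bytes, token_clock: int) -> str:
    """What the token's LCD shows at a given moment on the token's own clock."""
    return otp_for_step(secret, token_clock // STEP_SECONDS)


def server_verify(secret: bytes, submitted: str, server_clock: int, skew_steps: int = 1) -> bool:
    """Backend check: accept if the code matches the server's step or one within +/- skew_steps.

    skew_steps=0 demands perfect synchronization; a small window tolerates clock drift
    while keeping a compromised code valid for only a couple of minutes.
    """
    base_step = server_clock // STEP_SECONDS
    for delta in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(otp_for_step(secret, base_step + delta), submitted):
            return True
    return False


def drift_outcomes(secret: bytes, server_clock: int, drifts_seconds: list[int], skew_steps: int) -> list[bool]:
    """For each token clock drift, report whether the backend would accept the displayed code."""
    return [
        server_verify(secret, token_display(secret, server_clock + drift), server_clock, skew_steps)
        for drift in drifts_seconds
    ]


if __name__ == "__main__":
    now = 1_000_000  # constructed server time, seconds
    # Token 30 s fast is fine with a one-step window but locked out if sync must be exact;
    # a token 200 s fast is locked out either way.
    print(drift_outcomes(DEMO_SECRET, now, [0, 30, 200], skew_steps=1))
    print(drift_outcomes(DEMO_SECRET, now, [0, 30, 200], skew_steps=0))
```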
Server-based single sign-on applications allow the end-user to access multiple applications within a corporate environment without having to log on to each application individually. SSO typically requires a password or certificate that can be stored on a smart card to access the directory. Once authorized, the user opens the file, application or Web site through the server and SSO, and then automatically submits the user name and password into the logon fields.
All passwords are stored in a single network directory (e.g., Active Directory for Windows) and maintained by an IT manager. As new applications and sites become available, the IT manager must add those to the Active Directory. One obstacle is that the SSO solution cannot log a user onto the computer like Windows, because the network is not yet connected. Therefore, SSO solutions need to integrate other logon technologies like PKI, OTP or password manager smart cards to secure the entry.
SSOs do not require the large investment in technology that both PKI and OTPs do, but they do require IT management and maintenance. Since all passwords are stored on a server, the user must always be connected to the company’s server to access any other Web accounts. This could cause a strain on the network if users travel or work offsite.
Password managers come in a wide assortment of solutions and technologies. They can be software only, token or smart card solutions. PMs require little to no IT maintenance and no backend computer infrastructure modifications. They are relatively inexpensive and designed to track and manage secure passwords, which takes the burden off of the user.
One drawback of the software solutions is that passwords are only available on the computer that has the passwords stored on it. Some flash drive solutions can carry multiple passwords on the device and never store them on the computer, which makes them both convenient and portable. If the token is lost or stolen, however, a “brute-force attack” can be used to crack the token.
Newer, smart card-based password managers can be both secure and inexpensive authentication solutions. They are stronger than software-only or flash drive PM solutions, since they store the passwords on the card or token and also limit the number of false attempts to unlock the smart card.
Some are easy enough for the individual to install and secure enough for the large corporation to rely on. The weak point of the smart card-based PM solution is the strength of the passwords used, but because users do not have to remember or type their passwords with this solution, more complex and stronger passwords can be used.
Dovell Bonnet is the founder and CEO of Access Smart, Ladera Ranch, Calif.