The Key to Passwords is Risk Management: But is Your Password really Secure?

Posted by admin on May 31st, 2010 and filed under News Analysis.


The Government Computer News website (gcn.com) recently carried an article by its senior writer and author of the CyberEye column, Mr. William Jackson, on password management. The article, somewhat cryptically titled ‘Password management’s secret ingredient’, talks about generating ‘secure’ passwords and mentions a few password management tools. It also quotes Mr. Ron Ritchey, a principal in the technical service practice at Booz Allen Hamilton, who states that the ‘key to passwords is risk management’.

“There are technical solutions for this. There is also strategy that can be applied.” However, he adds that no approach is a proverbial silver bullet.

But isn’t handling multiple passwords a headache? Best practices for password management require users to change passwords on a regular basis – typically every 90 days. Many companies also impose strict rules on password complexity. If you run multiple SAP systems, users may have to go through this on each of them, which adds up to significant effort.

According to a white paper on IT and SAP security, the password mechanism has reached the end of its life-cycle. It has lost the ease of use and simplicity that once recommended it, and has become more of a burden than a convenient solution. For the sake of security, companies have introduced password policies enforcing complex passwords consisting of numbers, letters, and special characters, leaving weak, easy-to-guess ones behind. Moreover, they set a minimum length and an expiry period. Such a policy may make guessing more difficult and the applications more secure, but in turn users struggle to remember such complex passwords. This is where the human factor fails: users choose the freedom of simplicity by writing passwords down or storing them as plain text on easy-to-access media, despite the ‘technical solutions’ in place.

So is there a solution?

Users no longer have to worry about these administrative changes if Single Sign-On is used – especially when it is coupled with two-factor authentication.
Mr Ralf Nellessen, SAP security expert, says it is no surprise that passwords offer weak authentication. “One important aspect that tends to be overlooked is that companies should be able to prove that their accounts cannot be misused. By using passwords, you do not have the ability to prove that only a specific person (for personal user IDs) or only a specific system (for technical user IDs linking different computers) has access. Instead, passwords actually foster sharing of user accounts – sometimes with a financial benefit for the company, such as through ‘reduced’ user license costs.”

“A company caught in a situation where a password has been stolen is put in a defensive position and this could find itself in an impossible situation when further (forensic) investigation shows that password sharing is a common practice inside the company.”

However, there are solutions for personal and technical user IDs. Mr Nellessen states that personal passwords can be made secure and their quality can be improved while maintaining usability by reducing their numbers through a single sign-on solution. Alternatively, passwords can be replaced “by a two-factor authentication with some hardware involved, such as a smart card with PIN, SecurID Token, and so on.”

This model of authentication could also blunt phishing attacks by reducing the opportunity window. With static passwords the window is wide open: a password captured by a phishing site remains valid until it is changed, which under a 90-day rotation policy can be months. A second authentication factor narrows that opening: a one-time code from a token is only accepted for its short validity period, and a smart card never hands the attacker a reusable secret at all.

There is one expert company that provides the ideal solution when it comes to smart card and token management for large enterprises – SECUDE.

For more information on two-factor authentication solutions, please go to http://www.secude.com/Secure TrustManager.
