News article, 6th February 2004

How secure are your user passwords?
Businesses with proper user password schemes? We see a few on our travels (password schemes, that is), but believe me, 99% of businesses employ exactly what you’d expect: the sort of passwords the administrator jokes about. “password”, blank, or your name with a single digit on the end.
Why is this? Firstly, none of us can remember a secure password (a long alpha-numeric sequence), and if we can, do we really want to spend time typing it in? Secondly, if a user is out of the office, how are we going to log onto their system if we don’t know each other’s passwords? Finally, do we really care about internal security?
Well, first off, let’s deal with the initial question. How can we implement secure user passwords if we can’t remember them? If we write them down, or tell others, that is just as insecure. There are now lots of new and exciting ways in which this problem can be resolved. Science fiction is catching up with us, and it is affordable. It is now possible to have a fingerprint scanner built into your mouse: to log into Windows, simply put your thumb against the mouse. Another solution has you wear an identification card which your computer can detect when you are within a specified distance. When you leave that area, your computer locks down, much the same as with a password-enabled screen saver. When you return, your computer automatically releases itself from its locked state.
At Bookanengineer, we use another solution called SecurID. As our engineers are often on-site, or work from home, they need to be able to access our web-site, log in and reach all of our customer management facilities on-line. Our web-site is encrypted to ensure that our customers’ data is protected, but if our passwords were to fall into the wrong hands, our data would be accessible to anyone on the Internet. To counter this danger, our web-site is SecurID integrated. With SecurID, each of our engineers has what is called a key-fob: a little device, no bigger than your car keys, which has a display and presents a unique 6-character key-code every minute. Each and every key-fob is unique, and in turn, each key-code is unique. This key-code is, in effect, a password which changes every minute of the day.
What if the key-fob is stolen? This is prevented by the user remembering a 4-character PIN code; just as with a credit card, you use the two in combination. With this system you in effect have a credit card whose card number changes every minute, so one without the other is useless.
What if a hacker captures the code you are using by looking at data on the Internet? Or how about someone looking over your shoulder? Well, it doesn’t matter, because a SecurID key-code can only ever be used once. So even if they were able to capture your passcode and try it during the one-minute window of opportunity, it would already have been used up.
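The three properties described above (a code that rotates every minute, a PIN that must accompany it, and a code that is accepted only once) are what the server side of such a scheme has to enforce. The following is an added example, not code from the original article or from the SecurID product: the real SecurID algorithm is proprietary and not described on this page, so the fob's code is modelled here with the open HMAC-based TOTP construction (RFC 4226/6238). The seed, user name, PIN and clock values are all constructed for the example, and the one-step clock-drift tolerance is an assumption.

```python
from __future__ import annotations

import hashlib
import hmac
import struct

# Parameters taken from the article: a 6-character code that changes every
# minute, combined with a 4-character PIN that the user remembers.
TIME_STEP_SECONDS = 60
CODE_DIGITS = 6
PIN_DIGITS = 4
DRIFT_STEPS = 1  # assumption: tolerate one time step of clock drift either way


def code_for_counter(seed: bytes, counter: int) -> str:
    """Code a fob holding secret `seed` shows during time step `counter`.

    HMAC-SHA1 with RFC 4226 dynamic truncation (the TOTP construction). This is
    a stand-in for the proprietary SecurID algorithm, which the page does not
    describe; only the behaviour (unique code per fob per minute) is the same.
    """
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def fob_display(seed: bytes, now: int) -> str:
    """What the key-fob displays at Unix time `now`."""
    return code_for_counter(seed, now // TIME_STEP_SECONDS)


class AuthServer:
    """Server side: knows each user's fob seed and PIN, accepts each code once."""

    def __init__(self) -> None:
        self._users = {}  # user -> (seed, pin)
        self._used = {}   # user -> set of time-step counters already redeemed

    def enrol(self, user: str, seed: bytes, pin: str) -> None:
        if len(pin) != PIN_DIGITS or not pin.isdigit():
            raise ValueError("PIN must be %d digits" % PIN_DIGITS)
        self._users[user] = (seed, pin)
        self._used[user] = set()

    def verify(self, user: str, passcode: str, now: int) -> tuple[bool, str]:
        """passcode = PIN followed by the code currently shown on the fob.

        Returns (accepted, reason). The reason is for the audit log; a user
        should only be shown a generic failure.
        """
        if user not in self._users:
            return False, "unknown user"
        seed, pin = self._users[user]
        if len(passcode) != PIN_DIGITS + CODE_DIGITS:
            return False, "malformed passcode"
        supplied_pin, supplied_code = passcode[:PIN_DIGITS], passcode[PIN_DIGITS:]
        # A stolen fob without the PIN fails here ("one without the other is useless").
        if not hmac.compare_digest(supplied_pin, pin):
            return False, "wrong PIN"
        current = now // TIME_STEP_SECONDS
        # Counters older than the drift window can never be accepted again,
        # so the replay record only needs to remember the recent ones.
        self._used[user] = {c for c in self._used[user] if c >= current - DRIFT_STEPS}
        for counter in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            if hmac.compare_digest(code_for_counter(seed, counter), supplied_code):
                if counter in self._used[user]:
                    # Captured over the shoulder or off the wire and replayed:
                    # the code has already been spent.
                    return False, "code already used"
                self._used[user].add(counter)
                return True, "accepted"
        return False, "wrong or expired code"


if __name__ == "__main__":
    seed = b"constructed-seed-0001"  # constructed; a real seed is per-fob and secret
    server = AuthServer()
    server.enrol("alice", seed, "1234")
    now = 1_700_000_000
    code = fob_display(seed, now)
    print("fob shows", code)
    print("first use  :", server.verify("alice", "1234" + code, now))
    print("replayed   :", server.verify("alice", "1234" + code, now + 10))
    print("wrong PIN  :", server.verify("alice", "0000" + fob_display(seed, now + 60), now + 60))
```

The replay set is what turns "changes every minute" into "usable once": without it, a code captured off the wire would still work for the rest of its minute. Keeping the server clock disciplined matters too, since the drift window is the only reason a code from the previous step is still honoured.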
So how could such technology fit into my environment? The software that the key-fobs authenticate against will fit into almost any environment. If you have users that dial in from home, or use VPNs from home, you could use this to replace their password. If you have an integrated web-site, or a web-based application like ours, you can use this. If you just have Windows desktops, you can log into Windows using this. If you have a thin-client solution, your users can log in using this. If you have a Unix application, or a Linux application, the users can log in using this.
Okay, so looking at points two and three. Do we really care about user security? Maybe not, maybe you’d just like to protect the financial department, or company directors, and that is something you can do, it does not have to be a blanket security solution. Or maybe user security is something you need to be more concerned about? We’ve come across plenty of users who get most upset when they leave work for a day, only to return and find that their software and documents have been tampered with. We also know that management are sensitive to email and Internet abuse. But how can you seriously investigate abusive users, when they can argue that the entire office had access to their system?
As for needing to access a user’s system when they’re out of the office, that’s a tricky one. But if you implement an efficient security policy, important documents should be shared centrally where they can be covered by backup, and made accessible to the system administrator.
This solution is currently on promotion, with all the software required and 25 key-fobs available for £2,550 (as opposed to the RRP of £5,425!). We feel this is an extremely impressive security solution at an affordable price.