Cybercrime

E-BUSINESS SPECIAL REPORT

The Password Is… Confusion

For Web travelers seeking to lighten their load of usernames and passwords, help has generally been slow to arrive. Some relief for the forgetful has come in the form of functions — installed on popular operating systems — that serve to ease the mental burden of those surfing from a single computer.

“Microsoft and Apple both offer effective password wallets as part of their operating system architecture,” Gartner research director Ray Wagner told the E-Commerce Times. “They seem to be working very well.”

But carrying those passwords to other PCs and devices remains a big challenge for users. While corporate users generally have more options in this area — because of the wide array of products specifically designed for managing access to corporate networks — consumer choices have been more limited.

Portability Lags

“Users already have their browsers’ remember-this-password features,” Forrester analyst Laura Koetzle told the E-Commerce Times. “Microsoft’s Passport attempted to tackle [the issue of password portability], but it hasn’t seen enormous uptake from consumers.”

Other proprietary products are designed to function like digital wallets, with various options for storing and retrieving data on the go. For example, Arizona-based Selznick Scientific Software sells a product called PasswordWallet, which lets Palm OS users synchronize passwords with those stored on their PCs.

PasswordWallet lets users encrypt their passwords with a 448-bit key — a strong level of encryption — and set up a single master password to access all others. In practice such a vault is only as strong as that master password: anyone who can guess it unlocks the whole list, however long the cipher key is.
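The following is an added example, not PasswordWallet's own code, illustrating why the master password is the real limit on a vault's strength. It assumes (an assumption, not a detail from the article) that the 448-bit cipher key is derived from the master password with a key-derivation function, and that the vault stores a verifier used to check a candidate password. A short constructed word list stands in for an attacker's dictionary.

```python
import hashlib
import hmac
import os

# Constructed example (not PasswordWallet's code). Assumption: the vault's
# 448-bit (56-byte) key is derived from the master password, so the
# effective search space is the master password's, not 2**448.
KEY_BITS = 448
ITERATIONS = 50_000  # PBKDF2 work factor; higher slows both user and attacker


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 448-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_BITS // 8)


def make_verifier(key: bytes) -> bytes:
    """Value kept in the vault header to check whether a key is the right one."""
    return hmac.new(key, b"vault-verifier", hashlib.sha256).digest()


def unlock(master_password: str, salt: bytes, verifier: bytes,
           iterations: int = ITERATIONS) -> bool:
    """True if the master password reproduces the stored verifier."""
    key = derive_key(master_password, salt, iterations)
    return hmac.compare_digest(make_verifier(key), verifier)


def dictionary_attack(salt: bytes, verifier: bytes, wordlist, iterations: int = ITERATIONS):
    """Offline guess of the master password from a word list; None if not found."""
    for candidate in wordlist:
        if unlock(candidate, salt, verifier, iterations):
            return candidate
    return None


# Constructed attacker word list for the demo.
WORDLIST = ["password", "letmein", "qwerty", "summer2002", "correct horse"]


def demo():
    """Same 448-bit key size, two master passwords: only the weak one falls."""
    salt = os.urandom(16)
    weak = "summer2002"
    strong = "Qm7!vR2#xL9pW4zT"  # random-looking, not in any word list
    weak_verifier = make_verifier(derive_key(weak, salt))
    strong_verifier = make_verifier(derive_key(strong, salt))
    return {
        "weak_recovered": dictionary_attack(salt, weak_verifier, WORDLIST),
        "strong_recovered": dictionary_attack(salt, strong_verifier, WORDLIST),
    }


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from this: the advertised key length says nothing about how long a stolen vault file resists offline guessing; the master password's entropy and the KDF work factor do.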

Wallets and Keys

Wallet services — like the one offered by Gator — have also been seeing increased demand as more users come online. Gator currently claims to have 8 million people using its free browser add-on, called eWallet. The software automatically fills out forms and login screens, and it can compare prices when users shop online.

Relief from password overload can also be found in hardware. According to Jon McCown, a security researcher at TruSecure Corporation, several companies are offering access devices that are small enough to be carried on a key chain.

These security keys are designed to contain passwords and other user data. The devices work like a bank ATM card. The user inserts the key into the computer’s universal serial bus (USB) port and then accesses files or Web sites once the computer recognizes the key’s clearance level.

“The key interacts with software installed on the computer that allows it to talk with your key,” McCown told the E-Commerce Times. The key system can be used at any computer with the recognition software installed.

Relief a Year Away

However, most of the technologies now in use are geared toward helping users store their login information on a single home or laptop computer. Those who need mobile services that let them automatically log in to their accounts from any location, without having to retrieve passwords from their home PCs, will likely have to wait another year.

Gartner’s Wagner said that portable password management should become available by the end of 2003. “By then, there might be a system in place where you can have automatic password entry on several sites, provided you have been verified at one other site that is affiliated with them,” he said.

One potential roadblock to portable password management is that the business and development communities have not yet agreed on technology standards to make passwords portable and secure.

Liberty vs. Microsoft

The central debate over the portable-password issue has been between Microsoft and the Liberty Alliance, a group of more than 60 business and consumer organizations — including firms like HP, Sun Microsystems, GM and American Express. The Liberty Alliance opposes any plans to centralize passwords and other personal data through a proprietary service like Microsoft’s Passport.

The Liberty Alliance recently introduced “open federated network identity specifications” to provide simplified logins through opt-in account linking, a technique that would let users link their login accounts to various identity-verification providers.

Once a user’s accounts are “federated,” that person would then be able to log in and authenticate at one linked account, then navigate to another linked account without having to log in again. And companies that link accounts would be able to communicate the type of authentication required for logging in.

Once a user logs out of the site where the initial login took place, the technology would automatically log the user off all other linked sites.

Bridging Differences

Responding to ongoing controversy over Passport, which is part of Microsoft’s overall .NET Web services strategy, Microsoft recently announced its own software for sharing information between corporate sites. Called TrustBridge, the software will let businesses share user identity information between applications.

The ultimate solution likely hinges on whether Microsoft and the Liberty Alliance can reconcile their differences.

Wagner said that a promising route to true password portability might be a technology called Security Assertion Markup Language (SAML), which is based on XML. With SAML, security information is expressed in the form of assertions about subjects that have an identity established within a given security domain: statements that a subject authenticated at a certain time by a certain method, or holds certain attributes. A site that trusts the issuer of an assertion can accept it instead of asking for a password, much as the new Liberty Alliance specification does.
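To make the federated login and single logout described above concrete, here is an added example that is not Liberty Alliance or SAML code. An identity provider authenticates the user once, issues signed assertions to each linked service provider, and on logout tells every provider that received one to end its session. The provider names, user name, passwords and shared keys are constructed for the demo; the assertion format (JSON signed with an HMAC key shared between the identity provider and each service provider) is an assumption standing in for SAML's XML-signed assertions, but the checks a receiving site must make are the same: signature, intended audience, and validity window.

```python
import base64
import hashlib
import hmac
import json
import time

# Added example, not Liberty Alliance or SAML code. Assumption: each service
# provider (SP) shares an HMAC key with the identity provider (IdP); real SAML
# uses XML signatures, but the verification steps below are the same.
ASSERTION_TTL = 300  # seconds an assertion stays valid


def _sign(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


class IdentityProvider:
    def __init__(self, users, sp_keys):
        self.users = users        # {username: password}; demo only, never store plaintext
        self.sp_keys = sp_keys    # {sp_name: shared HMAC key}
        self.sessions = {}        # {session_id: {"subject": ..., "sps": set()}}
        self.sps = {}             # {sp_name: ServiceProvider}, needed for single logout
        self._counter = 0

    def register_sp(self, sp):
        self.sps[sp.name] = sp

    def login(self, username, password):
        """The one place the user types a password. Returns a session id or None."""
        if self.users.get(username) != password:
            return None
        self._counter += 1
        sid = f"idp-session-{self._counter}"
        self.sessions[sid] = {"subject": username, "sps": set()}
        return sid

    def issue_assertion(self, sid, audience, now=None):
        """Signed statement to `audience` that this session's subject is authenticated."""
        if sid not in self.sessions or audience not in self.sp_keys:
            return None
        now = time.time() if now is None else now
        payload = json.dumps({
            "subject": self.sessions[sid]["subject"],
            "audience": audience,            # binds the assertion to one SP
            "issued_at": now,
            "expires_at": now + ASSERTION_TTL,
            "auth_method": "password",       # lets the SP learn how the user logged in
            "session": sid,
        }, sort_keys=True).encode()
        self.sessions[sid]["sps"].add(audience)  # remember who to notify on logout
        sig = _sign(self.sp_keys[audience], payload)
        return base64.b64encode(payload).decode() + "." + base64.b64encode(sig).decode()

    def logout(self, sid):
        """Single logout: end the IdP session and every SP session it created."""
        session = self.sessions.pop(sid, None)
        if session is None:
            return []
        return sorted(name for name in session["sps"] if self.sps[name].logout_session(sid))


class ServiceProvider:
    def __init__(self, name, idp_key):
        self.name = name
        self.idp_key = idp_key
        self.local_sessions = {}  # {subject: idp session id}

    def consume(self, token, now=None):
        """Verify an assertion and log the subject in locally. Returns subject or None."""
        try:
            p64, s64 = token.split(".")
            payload, sig = base64.b64decode(p64), base64.b64decode(s64)
        except ValueError:
            return None                                   # malformed token
        if not hmac.compare_digest(sig, _sign(self.idp_key, payload)):
            return None                                   # forged or tampered
        claims = json.loads(payload)
        now = time.time() if now is None else now
        if claims["audience"] != self.name:
            return None                                   # meant for another site: no replay
        if not claims["issued_at"] <= now < claims["expires_at"]:
            return None                                   # outside validity window
        self.local_sessions[claims["subject"]] = claims["session"]
        return claims["subject"]

    def is_logged_in(self, subject):
        return subject in self.local_sessions

    def logout_session(self, sid):
        removed = [s for s, v in self.local_sessions.items() if v == sid]
        for s in removed:
            del self.local_sessions[s]
        return bool(removed)


def demo():
    """One password entry, two linked sites, one logout that clears both."""
    key_a, key_b = b"demo-key-travel", b"demo-key-bank"   # constructed shared keys
    idp = IdentityProvider({"alice": "correct horse"}, {"travel": key_a, "bank": key_b})
    travel, bank = ServiceProvider("travel", key_a), ServiceProvider("bank", key_b)
    idp.register_sp(travel)
    idp.register_sp(bank)
    sid = idp.login("alice", "correct horse")
    travel_user = travel.consume(idp.issue_assertion(sid, "travel"))
    bank_token = idp.issue_assertion(sid, "bank")
    bank_user = bank.consume(bank_token)                  # no second password prompt
    replayed = travel.consume(bank_token)                 # bank's assertion shown to travel
    logged_out = idp.logout(sid)
    return {"travel_user": travel_user, "bank_user": bank_user,
            "replay_accepted": replayed is not None, "logged_out": logged_out,
            "travel_still": travel.is_logged_in("alice"), "bank_still": bank.is_logged_in("alice")}


if __name__ == "__main__":
    print(demo())
```

The audience and expiry checks are what keep an assertion captured at one linked site from being replayed at another, and the identity provider's record of which sites it asserted to is what makes the single logout in the Liberty description possible.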

In the meantime, in the absence of any agreement between the major password-management players, smaller vendors like Gator and Selznick will likely continue to improve their software with better encryption and additional features to help more users find their way out of the password-management jungle.

2 Comments

  • Problem solved. I found a great company at Comdex this past fall. Trio Security. They are a small start-up but have developed a program that combines three factor user authentication, single-sign-on, and access management (evidently for sys admins). They use AES encryption.
    The software they sent me allows me to keep all my usernames, passwords, domains, urls in one vault, protected by three factor authentication. So I authenticate, see an entire list of all my accounts, choose one and it automatically launches the application or website, logs me in and it can generate long strong passwords for me so I don’t have to remember any of them. Plus, I only have to authenticate once. It also provides three factor authentication to protect my entire device. This seems revolutionary. I have a new Kyocera 7135 smart phone and I take it everywhere. For security purposes, the power on protection is great. When I get into the office in the morning, I authenticate, put my phone in the cradle and launch all my applications that I need to. I currently have 79 accounts that it manages for me and I don’t have to know any of the passwords. They are all 21 characters in length and include digits, upper case, lower case, and special characters. I am not sure why I haven’t heard more from the company, but this is great technology.

  • For years I have been using a little utility called PassKeeper to store passwords in an encrypted form, safely on my PC. The author, Brad Greenlee, a Hungarian software writer, apparently distributes it as a clever way to let the world know he’s out there.
    I checked and it is now available from his Web site, http://www.passkeeper.com. It is a small program, installable in any folder, and simply requires that you enter a single password to open it.
    Options are simple too, ADD, EDIT, REMOVE and QUIT. There is space for notes, such as long account numbers I may need to copy/paste into forms, for example.
    When I travel, I copy its three files (including the executable) to a diskette and take it with me – if I’m not taking a laptop.
    Oh, yes, I also take along an exported HTML file of my Internet Explorer "favorites" and have room to spare on the diskette. Hope that helps someone.
