Passwords are dead.. tell me something I don’t already know!

Dave over at eDave.org alerted me, via his podcast, to a keynote address (link to Techworld.com) by Bill Gates, in which he says: “The move towards smart cards is the way forward,” said Gates in his keynote at IT Forum, in Copenhagen this morning. “The idea is to have a smart card that connects up in the best way – a .Net based smart card.”

Well Duh.

I mean Duh on smart cards in general, and on the idea that passwords are dead. (I’ll have to dig in a little deeper to get what the difference is between a .Net based smart card and the ‘classic’ one you can use today.)

I’ll tell you something else.. I don’t think passwords ever had any life to them to begin with.

People just don’t take passwords seriously. I see this in every aspect of computer use, from the post-it-sticking end user to the password-printout-toting sysadmin. Most companies I have been at don’t have any kind of password policy in place, and those who do usually stick to the 3-month, strong password policy, which is usually a failure because some, if not most, users will write down their hard-to-remember passwords somewhere near their PCs.. and sometimes on the good ole post-it on the screen.

Not only do these people often not realise why passwords are used to begin with, but a stringent password policy is usually such a pain-in-the-ass for users that they start to work around it in these kinds of ways.

On the IT department side, things are usually not much better. I have often run into situations where either the password policy, and I use the term policy lightly, is to have a single administrator account+password that is used everywhere, or to have so many passwords for so many different systems that administrators have to go around with printed lists of passwords (which get lost and may fall into the wrong hands; I have seen examples of this often).

Of course both methods are as incorrect as you can possibly imagine. The correct way security should be handled is with single sign-on, as much as possible. Give admins their own, private admin account, and give them the rights to do their work, no more, no less.
Audit them, have a good audit policy in place, and disallow use of general accounts like the administrator account; in fact, accounts like this should be disabled or at least renamed.

Across disparate systems, one should try to implement single sign-on technologies, with products such as Microsoft Identity Integration Server (MIIS) and/or other federated directory synchronisation services. A good security infrastructure is only successful if it is not a burden, if it is transparent to those who use its services.

MIIS 2003 manages information by receiving identity information from the connected data sources and storing the information in the connector space as connector space objects or CSEntry objects. The CSEntry objects are then mapped to entries in the metaverse called metaverse objects or MVEntry objects. This process allows data from separate connected data sources to be mapped to the same MVEntry object.

For example, an organization’s e-mail system can be linked to its human resources database through the metaverse. Each employee’s attributes from the e-mail system and the human resources database are imported into the connector space through management agents. The e-mail system can then link to individual attributes from the employee entry, such as the employee telephone number. If an employee’s telephone number changes, the new telephone number will automatically be propagated to the e-mail system.
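To make the connector space / metaverse flow concrete, here is a toy model of it in Python. This is an added illustration, not MIIS or Microsoft code: the class names, the `PRECEDENCE` rule set and the HR / e-mail sample records are all constructed here, where MIIS would use management agents and configured attribute flow rules.

```python
from dataclasses import dataclass, field

@dataclass
class CSEntry:
    """Connector space object: one connected source's view of an identity."""
    source: str
    attributes: dict

@dataclass
class MVEntry:
    """Metaverse object that CSEntries from several sources are mapped to."""
    attributes: dict = field(default_factory=dict)
    connectors: dict = field(default_factory=dict)  # source name -> CSEntry
# Inbound flow precedence (constructed rule set): which source is authoritative
# for each metaverse attribute. HR owns the phone number, e-mail owns the address.
PRECEDENCE = {"telephoneNumber": "hr", "department": "hr", "mail": "email"}

class Metaverse:
    def __init__(self):
        self.objects = {}  # join key (employeeID) -> MVEntry

    def stage(self, cs: CSEntry) -> MVEntry:
        """Join on employeeID, then flow in only the attributes this source owns."""
        key = cs.attributes["employeeID"]
        mv = self.objects.setdefault(key, MVEntry({"employeeID": key}))
        mv.connectors[cs.source] = cs
        for attr, owner in PRECEDENCE.items():
            if owner == cs.source and attr in cs.attributes:
                mv.attributes[attr] = cs.attributes[attr]
        return mv

    def export(self, target: str, attrs) -> dict:
        """Outbound flow to one target; returns {employeeID: {attr: value}} of changes."""
        exported = {}
        for key, mv in self.objects.items():
            cs = mv.connectors.get(target)
            for attr in attrs:
                if cs is not None and attr in mv.attributes \
                        and cs.attributes.get(attr) != mv.attributes[attr]:
                    cs.attributes[attr] = mv.attributes[attr]
                    exported.setdefault(key, {})[attr] = mv.attributes[attr]
        return exported

def phone_change_scenario() -> dict:
    """The text's example on constructed records: HR changes a number, e-mail follows."""
    mv = Metaverse()
    mv.stage(CSEntry("hr", {"employeeID": "E100", "telephoneNumber": "0100", "department": "IT"}))
    mv.stage(CSEntry("email", {"employeeID": "E100", "mail": "jdoe@example.com", "telephoneNumber": "0100"}))
    mv.stage(CSEntry("hr", {"employeeID": "E100", "telephoneNumber": "0199", "department": "IT"}))
    return mv.export("email", ["telephoneNumber"])  # -> {"E100": {"telephoneNumber": "0199"}}
```

Because precedence is enforced on import, a stale or edited phone number in the e-mail system never flows back into the metaverse; only HR can change it.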

When it comes to logging on in the first place, like I said, passwords are basically useless in my eyes.. I have seen many kinds of password security basically made useless by human nature, and the associated lack of interest in security, or of an understanding of why it is necessary.

Two- or three-factor authentication schemes are the way to go of course, like our dear friend Bill says, but this technology is by no means new. Here is a copy-paste from the Server 2000 resource kit:

Windows 2000 supports logging on with a smart card for the network logon process by using extensions to the Kerberos v5 protocol. For logging on to a network, users usually press CTRL+ALT+DEL to initiate the Windows 2000 secure logon sequence. When the smart card logon process is enabled, a user inserts the smart card to initiate the Windows 2000 secure logon sequence. The user is then prompted to enter the PIN for the smart card. If the user’s PIN and smart card credentials are valid, the user is logged on and granted rights and permissions for the user account.

When an administrator enrolls for a smart card logon certificate on behalf of the user, Windows 2000 automatically maps the smart card certificate to the user’s account in Active Directory. Therefore, smart card certificates for logging on to the network must be issued by a trusted enterprise CA.

If you deploy smart cards for logging on to the network in a domain and allow some users to log on without smart cards (for example, with CTRL+ALT+DEL for Windows 2000–based clients or with NTLM for clients based on Microsoft® Windows® 98 and Microsoft® Windows NT®), the security of the network becomes only as good as the weakest password in the system. For maximum network logon security, deploy Windows 2000 and smart cards for all users and require that smart cards be used for logging on to all computers in your domains, including logging on from a remote location.

In every single way, smart cards are better. They are far more user friendly than having to come up with strong passwords every other month, and they are of course more secure, because of the two-factor method of authentication: something you have (your smart card, with a digital certificate on it) and something you know (your PIN code). Without both of these coming together at the right time, you cannot log in.

Combine this with the optional, but encouraged, third factor, something you are: a retinal scan, fingerprint, face scan, etc., and you can now start talking about security seriously.

Of course… if the local admin password on, for example, your SQL server is weak, the whole exercise is probably for nought.