ID Management


Password Hell (Part 2): Companies must get it right... now

... even if that means ditching them altogether, say industry experts

By Will Sturgeon

Published: 16 May 2006 08:35 BST

Failure to properly instil a culture of effective password management in a company could land its directors in jail, while wading through alternatives to "fatally flawed" passwords is a process mired in "fear, uncertainty and doubt" according to experts on all sides of the debate.

The only given is that the need to get it right is now more pressing than ever, according to one top lawyer.

David Naylor, partner at law firm Field Fisher Waterhouse, said companies need to ensure they have strict policies in place regarding password management, and that best practice would be to incorporate these as requirements in the company's contractual arrangements with employees and third parties with access to company systems.


Naylor said: "Companies should make certain that employees and contractors are aware of the importance of maintaining systems security and the need to keep usernames and passwords secure and confidential.

"If a company does not ensure security of its systems, any failure to maintain personal data securely may constitute an offence under the Data Protection Act 1998, opening the company to potential regulatory intervention and fines, and possibly civil and criminal liability."

In addition to the legal risks, security breaches can lead to plenty of equally serious business and reputational damage.

However, Jay Heiser, research VP at Gartner, believes passwords have had their day and urges companies to look at different solutions rather than strive for better ways to manage them.

Heiser said: "Passwords are fatally flawed and there is no level of password management that can significantly improve the level of access control rigour that they can provide. They are just not suitable for protecting sensitive information that is of interest to motivated attackers."

Heiser blames the problem on "unrealistic expectations" of what a password can achieve.

He said: "Naïve security administrators continue to believe that password-based security can be significantly improved by forcing complexity and by frequent forced password changes. In practice, this just encourages users to write down their passwords, which significantly increases the risk that the passwords will be misused by someone else."

He urged companies to "develop an authentication strategy that looks beyond the use of passwords as the mechanism for the primary authentication to the security domain".

Simon Perry, VP security strategy at CA, agreed that increased complexity only encourages employees to write down passwords or otherwise jeopardise security by seeking shortcuts to remembering them, such as using repeat characters or only slightly changing each iteration of a password.

But with a raft of password alternatives, from biometrics to single-use passwords or PINs, the marketplace is awash with "fear, uncertainty and doubt", according to Perry.

Instead, the first step should be for companies to understand what they need and to establish an idea of their own acceptable level of risk, said Perry. For some, proper password management may be an option, though he conceded even these companies must work on striking a better balance between what is manageable and what is secure enough.

Gartner's Heiser said: "While there will always be niche applications in which passwords are good enough, increasingly they are not good enough for local access to the network, let alone remote access."

Although many companies are now adopting alternatives, CA's Perry said he doesn't expect to see major changes in the use of username and password for at least five years. He said hardware replacement cycles will enable much of the change, with PC manufacturers "still more likely to include a 3.5 inch floppy drive than a smartcard or biometric reader".

Perry said: "In five years from now you will find a lot of companies - mainly SMEs - who will still be doing username and password." Many larger organisations, however, will have moved to other forms of authentication such as biometrics, he believes.

Earlier this year a panel of leading CIOs, exclusively polled by silicon.com, predicted that biometrics will be the long-term choice to replace username and password.
