This story was printed from silicon.com, located at http://www.silicon.com/
Story URL: http://www.silicon.com/research/specialreports/idmanagement/0,3800011361,39158918,00.htm
Password Hell (Part 1): The IT chief's nightmare
Is password management really such an impossible dream?
By Will Sturgeon
Published: Tuesday 16 May 2006
The perennial problem of password management is still proving a major headache for end users, and the problems are only getting more complex, especially as companies start to weigh up the pros and cons of updating systems to work with newer forms of authentication.
Phil Young, head of IT operations, Amtrak Express Parcels, told silicon.com password management remains a "nightmare" issue for many businesses.
And he said it's "a very big issue and becoming bigger by the year", branding human-error activities such as writing down passwords as "a recipe for disaster".
John Odell, group IT director at BBA Group, said a lot of time and money is still being wasted by businesses responding to end user problems, such as having to reset passwords.
He said: "This can be a big, expensive distraction from more productive work."
But it is also a major balancing act between ease of use, security and acceptable risk, and one that businesses must get right.
Odell said: "It's firstly a case of education and training. Fifteen or 20 minutes spent explaining to users password risks and how to deal with them sensibly, with regular reinforcement, would solve most of the basic problems. But how many organisations take the time? Firmer discipline would underline the message."
Many companies have automated the process of ensuring passwords are set and reset in line with best practice, but this is still far from ideal.
Odell said: "Technology can help but it won't overcome all problems or the need for watchfulness." Not least of all because passwords can still be borrowed or stolen, especially when written down.
Les Boggia, head of IT at Carole Nash Insurance, told silicon.com part of this problem stems from users needing too many passwords for them to reasonably be expected to remember.
"Human error is a major part of password issues; however, with many disparate and a mix of legacy and new systems, individuals can't be wholly blamed for needing to write down IDs and passwords to things they do not use very often."
Paul Broome, IT director at 192.com, said: "All of us at some time have shared a password when we have had an issue at work that needs urgent resolution. Keeping secrets really is not a good human quality, neither is remembering daft sequences of characters and numerals."
He added: "Put together it's a wonder that more systems have not been cracked."
Broome said biometrics would get his vote as "the least worse way to go" but he warned it is still a tall order.
Odell said he is unconvinced about biometrics and expressed concerns that over-reliance on biometrics could expose users to even greater risks if the system is cracked.
However, Amtrak's Young said he is an advocate of biometrics.
He told silicon.com: "In my opinion, the only effective solution to this is the use of biometrics.
"This sort of technology takes away the need for system users to remember passwords and would also result in more secure systems and free up time for support people."
Read Password Hell (Part 2).
Copyright © 2008 CBS Interactive Limited. All rights reserved.