The foundation for security and enterprise management
In what should come as no surprise to most of you, a Forrester study from December concluded that "... most companies continue to rely on the traditional username and password sign-on to verify a user's identity." And that "... those organizations are unnecessarily leaving themselves open to unauthorized access by hackers and e-criminals."
You can download the report, after registering, from the Verisign Web site (now part of Symantec, who commissioned the report).
Among the conclusions reached that are of interest to us are:
• Malware attacks are exploiting password weaknesses in enterprises. Hackers are moving from conspicuous attacks like malware and phishing to more insidious attacks that use stolen passwords to penetrate an organization and go undetected.
• Password issues are the top access problem in the enterprise. To prevent unauthorized access, password policies have grown more cumbersome and error-prone. Such factors as password composition requirements, duration before password expiration, and multiple passwords to access corporate resources have inundated users. Additionally, 87% of users are expected to remember two or more passwords to access corporate resources. Meanwhile, password reset is the most common help desk call, in many companies accounting for between 30% and 50% of all help desk calls.
• Strong, or two-factor, authentication technology is more convenient and cost-effective than ever before thanks to the cloud-based model. Strong authentication is difficult for hackers to fool because it requires users to provide two simultaneous but independent methods of authentication: something they know (their password) and something they have (a one-time security code generated by a strong authentication credential). Unlike early-generation, on-premises solutions, today's strong authentication offerings are far more cost-effective due to technology advances like cloud-based authentication and the use of mobile phones to generate one-time passwords.
• Lack of strong authentication between enterprises and partners leaves corporate networks vulnerable. A full 67% of companies do not require strong authentication from their partners to access corporate networks. The lack of strong authentication reduces security within an enterprise and creates a weak link when accessing the network.
Among the recommendations of the study:
• Move toward implementing strong authentication now, and throughout the enterprise -- not just for select applications.
• Ensure that open enterprise initiatives like SaaS access and partner access are protected at the same level as inside the organization.
• Reassess strong authentication technologies to understand how today's solutions, with mobile device apps that serve as low- or no-cost credentials, fit within the security environment and budget. The cloud-based model drastically reduces the cost of ownership while it increases adoption.
• Align strong authentication with the open enterprise landscapes, shoring up protections across cloud computing, SaaS, collaboration tools and mobile access initiatives.
Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.