[Clips] Escaping Password Purgatory
R.A. Hettinga
rah at shipwright.com
Wed Aug 3 15:28:34 EDT 2005
--- begin forwarded text
Delivered-To: clips at philodox.com
Date: Wed, 3 Aug 2005 15:27:20 -0400
To: Philodox Clips List <clips at philodox.com>
From: "R.A. Hettinga" <rah at shipwright.com>
Subject: [Clips] Escaping Password Purgatory
Reply-To: rah at philodox.com
Sender: clips-bounces at philodox.com
<http://www.forbes.com/2005/08/03/usps-password-casestudy-cx_de_0803password_print.html>
Forbes
Escaping Password Purgatory
David M. Ewalt, 08.03.05, 3:00 PM ET
There's a story in the biblical Book of Judges about two warring Semitic
tribes, the Ephraimites and the Gileadites. In the wake of a great battle,
the Gileadites set up a blockade to catch escaping enemies and asked anyone
passing by to pronounce the word "shibboleth." The Ephraimites couldn't
wrap their tongues around the password and were thus exposed, captured and
put to the sword.
As far as we know, nobody's ever been executed for typing the wrong
password to their e-mail account. But it's likely there have been a few IT
guys who've considered that option. Managing forgotten passwords is a huge
problem for IT departments, often consuming massive amounts of worker time
and company money. But software that gives users just a single sign on
could save the day.
Keeping track of passwords might not have been a big deal when you only had
to remember one or two of them. But increasingly, users are saddled with so
many shibboleths that they can't keep track. "I think I have passwords for
over 47 different applications both internal and external that I access,
and I've acquired those IDs and passwords over several years," says Wayne
Grimes, manager of customer care operations for the U.S. Postal Service.
Three years ago, the USPS was getting pounded by the password problem. "Our
help desk was getting overwhelmed with password reset requests," says
Grimes. The service has about 235,000 users who access more than 700
internal applications, each of which requires a separate ID and password.
That meant that some users were forced to keep track of dozens of different
accounts. Strict security measures at the Postal Service required regular
password changes and forced users to select nonobvious passwords, which are
harder to remember.
Before long, users were lost in a sea of their own passwords, and
inevitably they'd lose track of them. Once that happened, they'd call the
help desk, to the tune of 30,000 calls per month for password resets.
That kind of call volume can weigh down any IT department, but the USPS had
another problem to deal with. Since it outsources its help desk, each and
every call to the service provider incurred a charge, and before long
password-reset costs ballooned to millions of dollars. And all the while,
user productivity suffered since people couldn't access applications until
their passwords were reset.
It's a problem across all industries. According to Forrester Research, up
to 30% of all help-desk calls are password-reset requests.
To cut down on those costs, the USPS created a self-service Web site and
set up a phone line with voice-recognition software, either one of which
lets users reset passwords on their own. But that didn't cut down on the
number of passwords users had to keep track of, nor did it reduce the total
number of reset requests.
So the USPS deployed v-GO password-management software from Passlogix. The
first time users log into the system, they give the v-GO software all of
the individual log-ins they want managed. After that, they can forget
them: all those different passwords are safely stored in an encrypted file
on the user's computer. From then on, any time the user clicks on a Web
site, program or database that requires its own user ID and password, the
software issues the proper credentials, all in the background, without the
user having to lift a finger or remember a word. It will even handle
regularly scheduled password changes, automatically updating account
details.
That means users only need to remember one master password, which they're
not likely to forget. "V-GO really helps the end user manage their IDs and
passwords for all the different applications that they need access to,"
says Grimes. "Personally, I don't know how I could live without it." After
the changes were made, the number of password reset calls to the USPS help
desk dropped from 30,000 per month to under 5,000.
Critics of single-sign-on software, which is developed by companies ranging
from startup Passlogix to giants like Sun Microsystems (nasdaq: SUNW),
Verisign (nasdaq: VRSN) and Computer Associates (nyse: CA), say that it is less secure. If
anyone gets a hold of your master login, they can access countless other
accounts. But if users only have one password to keep secret, they're
likely to choose something much harder to hack (an obscure mix of letters
and numbers, for example), and to keep it a better secret.
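The two design points above, a local credential store that is unlocked by one master password and the single point of failure that implies, can be made concrete with a small vault. What follows is an added example written for this page; it is not Passlogix's v-GO code and is not based on any USPS deployment. It uses only the Python standard library, so PBKDF2 for key derivation and HMAC-SHA256 in counter mode with encrypt-then-MAC stand in for the vetted AEAD (AES-GCM or ChaCha20-Poly1305) a real product would use. The application names, user names, passwords and iteration count are constructed for the example.

```python
"""Minimal master-password vault: derive keys from one secret, seal a map of
per-application credentials, and refuse to open on a wrong password or a
tampered file. Added example; names and values are hypothetical."""
import hashlib
import hmac
import json
import secrets

KDF_ITERATIONS = 200_000  # PBKDF2 work factor; assumption chosen for the example
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_password: str, salt: bytes) -> tuple:
    """Stretch the master password into a 64-byte key and split it into an
    encryption key and a MAC key, so one secret protects the whole vault."""
    km = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, KDF_ITERATIONS, dklen=64
    )
    return km[:32], km[32:]


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF-based stream cipher (stdlib only;
    a production vault would use an authenticated cipher from a crypto library)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, "sha256").digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_vault(master_password: str, credentials: dict) -> bytes:
    """Encrypt the credential map under keys derived from the master password.
    Layout: salt || nonce || ciphertext || tag (encrypt-then-MAC)."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(credentials).encode()
    ciphertext = _xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    return salt + nonce + ciphertext + tag


def open_vault(master_password: str, blob: bytes) -> dict:
    """Verify the tag before decrypting; a wrong master password or a modified
    file both fail the constant-time comparison and nothing is decrypted."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or vault tampered with")
    plaintext = _xor(ciphertext, keystream(enc_key, nonce, len(ciphertext)))
    return json.loads(plaintext)


def unlocks(master_password: str, blob: bytes) -> bool:
    """True if the master password opens the vault, False otherwise."""
    try:
        open_vault(master_password, blob)
        return True
    except ValueError:
        return False


def credential_for(master_password: str, blob: bytes, app: str) -> dict:
    """What the agent does at login time: open the vault and hand back the
    stored user ID and password for one application."""
    return open_vault(master_password, blob)[app]


def rotate_password(master_password: str, blob: bytes, app: str, new_password: str) -> bytes:
    """Scheduled password change for one application: rewrite the entry and
    re-seal with fresh salt and nonce; the master password stays the same."""
    creds = open_vault(master_password, blob)
    creds[app]["password"] = new_password
    return seal_vault(master_password, creds)


if __name__ == "__main__":
    # Constructed sample data, not real accounts.
    store = {
        "hr-portal": {"user": "wgrimes", "password": "Tz8!qf2#Lm"},
        "inventory-db": {"user": "wgrimes", "password": "9rK$wp0Vb!"},
    }
    blob = seal_vault("one-long-master-passphrase", store)
    print(credential_for("one-long-master-passphrase", blob, "hr-portal")["user"])
    print("wrong password opens vault:", unlocks("guess", blob))
```

The blast radius the critics describe is visible in the code: every entry in the map falls with one master password, which is why the KDF work factor and the strength of that single passphrase carry the whole design, and why a tampered or copied vault file must fail closed rather than decrypt to garbage.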
"One password is much more secure than having 50 different IDs and
passwords," says Grimes. "I've been doing computer security since 1979, and
I've seen way too many IDs and passwords on sticky notes stuck to
computers. That's much more easily compromised."
--
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
_______________________________________________
Clips mailing list
Clips at philodox.com
http://www.philodox.com/mailman/listinfo/clips
--- end forwarded text
---------------------------------------------------------------------
The Cryptography Mailing List