[Clips] Escaping Password Purgatory

R.A. Hettinga rah at shipwright.com
Wed Aug 3 15:28:34 EDT 2005


--- begin forwarded text


 Delivered-To: clips at philodox.com
 Date: Wed, 3 Aug 2005 15:27:20 -0400
 To: Philodox Clips List <clips at philodox.com>
 From: "R.A. Hettinga" <rah at shipwright.com>
 Subject: [Clips] Escaping Password Purgatory
 Reply-To: rah at philodox.com
 Sender: clips-bounces at philodox.com

 <http://www.forbes.com/2005/08/03/usps-password-casestudy-cx_de_0803password_print.html>

 Forbes


 Escaping Password Purgatory
 David M. Ewalt, 08.03.05, 3:00 PM ET

 There's a story in the biblical Book of Judges about two warring Semitic
 tribes, the Ephraimites and the Gileadites. In the wake of a great battle,
 the Gileadites set up a blockade to catch escaping enemies and asked anyone
 passing by to pronounce the word "shibboleth." The Ephraimites couldn't
 wrap their tongues around the password and were thus exposed, captured and
 put to the sword.

 As far as we know, nobody's ever been executed for typing the wrong
 password to their e-mail account. But it's likely there have been a few IT
 guys who've considered that option. Managing forgotten passwords is a huge
 problem for IT departments, often consuming massive amounts of worker time
 and company money. But software that gives users just a single sign on
 could save the day.

 Keeping track of passwords might not have been a big deal when you only had
 to remember one or two of them. But increasingly, users are saddled with so
 many shibboleths that they can't keep track. "I think I have passwords for
 over 47 different applications both internal and external that I access,
 and I've acquired those IDs and passwords over several years," says Wayne
 Grimes, manager of customer care operations for the U.S. Postal Service.

 Three years ago, the USPS was getting pounded by the password problem. "Our
 help desk was getting overwhelmed with password reset requests," says
 Grimes. The service has about 235,000 users who access more than 700
 internal applications, each of which requires a separate ID and password.
 That meant that some users were forced to keep track of dozens of different
 accounts. Strict security measures at the Postal Service required regular
 password changes and forced users to select nonobvious passwords, which are
 harder to remember.

 Before long, users were lost in a sea of their own passwords, and
 inevitably they'd lose track of them. Once that happened, they'd call the
 help desk, to the tune of 30,000 calls per month for password resets.

 That kind of call volume can weigh down any IT department, but the USPS had
 another problem to deal with. Since it outsources its help desk, each and
 every call to the service provider incurred a charge, and before long
 password-reset costs ballooned to millions of dollars. And all the while,
 user productivity suffered since people couldn't access applications until
 their passwords were reset.

 It's a problem across all industries. According to Forrester Research, up
 to 30% of all help-desk calls are password-reset requests.

 To cut down on those costs, the USPS created a self-service Web site and
 set up a phone line with voice-recognition software, either one of which
 lets users reset passwords on their own. But that didn't cut down on the
 number of passwords users had to keep track of, nor did it reduce the total
 number of reset requests.

 So the USPS deployed v-GO password-management software from Passlogix. The
 first time users log into the system, they give the v-GO software all of
 the individual log-ins they want managed. After that, they can forget
 them: all those different passwords are safely stored in an encrypted file
 on the user's computer. From then on, any time the user clicks on a Web
 site, program or database that requires its own user ID and password, the
 software issues the proper credentials, all in the background, without the
 user having to lift a finger or remember a word. It will even handle
 regularly scheduled password changes, automatically updating account
 details.

 That means users only need to remember one master password, which they're
 not likely to forget. "V-GO really helps the end user manage their IDs and
 passwords for all the different applications that they need access to,"
 says Grimes. "Personally, I don't know how I could live without it." After
 the changes were made, the number of password reset calls to the USPS help
 desk dropped from 30,000 per month to under 5,000.

 Critics of single-sign-on software (which is developed by companies ranging
 from startup Passlogix to giants like Sun Microsystems, Verisign and
 Computer Associates) say that they're less secure. If
 anyone gets a hold of your master login, they can access countless other
 accounts. But if users only have one password to keep secret, they're
 likely to choose something much harder to hack (an obscure mix of letters
 and numbers, for example), and to keep it a better secret.

 "One password is much more secure than having 50 different IDs and
 passwords," says Grimes. "I've been doing computer security since 1979, and
 I've seen way too many IDs and passwords on sticky notes stuck to
 computers. That's much more easily compromised."

 --
 -----------------
 R. A. Hettinga <mailto: rah at ibuc.com>
 The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
 44 Farquhar Street, Boston, MA 02131 USA
 "... however it may deserve respect for its usefulness and antiquity,
 [predicting the end of the world] has not been found agreeable to
 experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
 _______________________________________________
 Clips mailing list
 Clips at philodox.com
 http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


