In most enterprises, passwords are the primary means of authenticating a user. Unfortunately, they are also the weakest form of authentication. In today's digital world, the ways to bypass this form of security are trivial. While many enterprises focus on strengthening passwords, these efforts are by and large meaningless in the face of the tools available to attackers, which give criminals an easy way to capture, trap or crack most passwords.

The first attack tool against password authentication is the hardware keyboard logger. Legally available online for $40, these devices plug into the connection between the keyboard and the computer and record every keystroke; some models time- and date-stamp the captured data. A hardware keyboard logger looks like a small piece of connector hardware, takes only 10 seconds to install and is not detectable by any commercially available software.

Organized crime uses hardware keyboard loggers frequently. In 2005 a group of criminals out of Israel hired janitors in the UK to place these devices on computers in a bank. They soon captured the password credentials of key bank officials, and were only caught while in the process of transferring $250 million pounds to their own account. High school students use these too. Last year in the US there were several reported cases of students using hardware keyboard loggers to obtain their teachers' and administrators' passwords. They were only caught after selling exam papers and, in one instance, after having changed final marks over two years to get students into university.

Password authentication is further weakened by software attacks. This year alone, it is estimated that several thousand different password-logging malware programs will be created. Some of these are very sophisticated and can be ordered over the internet to attack certain types of firewalls. These password-logging programs are embedded in email and activated by clicking on links in the email, or by visiting a fake site that looks like the normal commercial site (a phishing attack). Today, authorities believe there are between 20 and 40 million infected computers in the United States alone. Some of the password attacks are so sophisticated that they embed themselves in the core of the operating system kernel (rootkit attacks). Microsoft now acknowledges that rootkits are so insidious that the only way to remove them is to re-image every computer on the infected enterprise network. Large organized crime web gangs have developed keyboard-logging software that recognizes the bank id and password you enter when you log on to your bank's website to conduct a transaction. The id and password are sent within seconds to the gang's servers somewhere in the world, auctioned off over the internet to other criminals, and then quickly used to begin emptying your bank account.

Finally, the passwords used to protect Word, Excel, Outlook, Adobe and other types of documents can also be broken very easily. A number of legally available online services will decrypt most types of document encryption in less than three minutes for $29 per document. If that does not work, you can spend $40-150 and download good decryption tools, including dictionary attacks in multiple languages that try over 75 million passwords per minute. Most low-level password encryption schemes can be broken in 24-76 hours.

I hope that at this point in the article I have scared you enough to realize that protecting your enterprise's most sensitive, high-risk information and applications with passwords as the primary authentication method is foolish. The password attack methods (hardware, software and social engineering) mean that enterprise applications relying on passwords are highly vulnerable. Does this mean passwords should not be used in your enterprise? No. Passwords can be used within a layered identity defense strategy: the enterprise allows a user id and password to gain general access to low-risk applications and information, e.g. the enterprise portal, but when the user tries to access higher-risk applications or information, the enterprise single sign-on system requires stronger authentication. This may include security tokens, digital certificates, biometrics, smartcards or combinations thereof, in addition to the password.
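The layered, risk-tiered policy described above, written out as a small step-up decision engine. This is an added example, not code from the original article; the three risk tiers, the application catalogue (portal, hr-records, wire-transfer) and the factor names are constructed for illustration, and the actual verification of a token, certificate, biometric or smartcard is left to a callback the single sign-on system would supply. It also shows why the layering limits the damage from the attacks described earlier: a password captured by a keyboard logger still satisfies only the low-risk tier, because the attacker cannot present the additional factor when the step-up challenge comes.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Risk(IntEnum):
    """Risk tier assigned to an application or data set by the enterprise."""
    LOW = 1       # general access: user id + password is sufficient
    HIGH = 2      # password plus one additional factor
    CRITICAL = 3  # password plus two additional factors of different kinds


# Stronger factor kinds the article lists. A logger that captured the
# password has none of these.
STRONG_FACTORS = frozenset({"token", "certificate", "biometric", "smartcard"})

# Hypothetical application catalogue (constructed for this example).
RESOURCE_RISK = {
    "portal": Risk.LOW,
    "hr-records": Risk.HIGH,
    "wire-transfer": Risk.CRITICAL,
}


@dataclass
class Session:
    user: str
    # Factor kinds the single sign-on system has already verified this session.
    factors: set = field(default_factory=set)


def required_strong_factors(risk: Risk) -> int:
    """Non-password factors a tier demands: LOW=0, HIGH=1, CRITICAL=2."""
    return int(risk) - 1


def evaluate(session: Session, resource: str) -> dict:
    """Decide whether a session may open a resource, needs step-up, or is denied.

    Returns {"decision": "allow"}, or
            {"decision": "step-up", "missing": n, "options": [...]}, or
            {"decision": "deny", "reason": "..."}.
    """
    if resource not in RESOURCE_RISK:
        return {"decision": "deny", "reason": "unknown resource"}  # fail closed
    if "password" not in session.factors:
        return {"decision": "deny", "reason": "not authenticated"}
    need = required_strong_factors(RESOURCE_RISK[resource])
    have = session.factors & STRONG_FACTORS
    if len(have) >= need:
        return {"decision": "allow"}
    return {
        "decision": "step-up",
        "missing": need - len(have),
        # Only factor kinds not yet used count, so CRITICAL really needs two kinds.
        "options": sorted(STRONG_FACTORS - have),
    }


def open_resource(session: Session, resource: str, challenge) -> dict:
    """Drive the step-up loop for one access attempt.

    `challenge(options)` stands in for the SSO system's verification of one
    strong factor: it returns the name of the factor the user proved, or None
    if the user could not. A stolen password alone never gets past it.
    """
    while True:
        verdict = evaluate(session, resource)
        if verdict["decision"] != "step-up":
            return verdict
        proved = challenge(verdict["options"])
        if proved not in verdict["options"]:
            return {"decision": "deny", "reason": "step-up failed"}
        session.factors.add(proved)


if __name__ == "__main__":
    # Legitimate user: password gets the portal, two more factors get the wire app.
    alice = Session("alice", {"password"})
    print("portal:", evaluate(alice, "portal"))
    print("wire-transfer:", open_resource(alice, "wire-transfer", lambda opts: opts[0]))
    # Attacker holding only a logged password: denied at the first step-up.
    mallory = Session("alice", {"password"})
    print("hr-records (stolen password):", open_resource(mallory, "hr-records", lambda opts: None))
```

Unknown resources are denied rather than treated as low risk, so an application that was never classified cannot be reached on a password alone. In a real deployment the catalogue would come from the enterprise's application inventory and the session's verified factors from the single sign-on system, with `challenge` replaced by the system's own token, certificate, biometric or smartcard verification.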