Protect Your Passwords -- Part 2
December 21, 2004
By Brian Livingston

We know how to make the Internet secure. Now the question is, "Will we do it?"

I wrote in this space last week about "Pass2Go," a piece of software that resides on a key-sized USB Flash drive. The device stores all of the username/password combinations that log you into the various Web sites and secure servers you use. When you remove the drive from the USB port, your passwords are no longer available to anyone else who may use that computer.

This is better than storing your passwords within Microsoft's Internet Explorer browser (whose password encryption was cracked long ago) or the Mozilla Foundation's Firefox (which stores passwords in an ordinary file unless you set up a "master password").

But Pass2Go -- or any device that relies on passwords -- is insufficient to allow you to safely log on to your accounts when you're away from your desk. The answer to the problem is here, today. But will people use it?

The Problem With Passwords

To be sure, storing your passwords in a removable device using Pass2Go is preferable to writing them on sticky notes and gluing them to your monitor. The problem isn't how you remember your passwords, but the fact that you have to use them at all.

Using A Nonsecure PC On A Nonsecure Network. If you use a PC at an Internet café, a library, a college, or any other public location, you have no easy way to guarantee that that machine isn't infected with a Trojan-horse program. Such a program could be watching for passwords and sending the information to a hacker at a remote location or a dishonest employee of the shared-PC service.

Opening The Veil. The username/password combinations that are stored by Pass2Go are, it's true, unreadable when you insert your Flash drive into a USB slot. But as soon as you type your "master password," any Trojan horse on the Internet café's machine can copy the information by monitoring the keyboard. The Trojan can also capture the screen to learn what information may be displayed.

The Savvier They Come, The Harder They Fall. A variety of companies have invented USB Flash drives that can be configured to require a registered user's fingerprint before releasing any username/password combinations to a browser login form. One such product is the Lexar JumpDrive TouchGuard, a $70, 256 MB drive. Your fingerprint makes a very good "master password." But a Trojan horse on an Internet café PC can still monitor your keystrokes and capture the screen as soon as your finger has opened the passwords on your Flash drive.

Carrying your passwords around in a Flash drive isn't a secure way for you to use public-access PCs to log in to your accounts. Passwords themselves are the problem. The solution is at hand, and it may free us from having to remember passwords at all.

Two-Factor and Challenge/Response Authentication

What's better than strong passwords? The answer lies in two-factor authentication and challenge/response authentication. These are big words for some simple concepts:

Two-Factor Authentication relies upon "something you have" and "something you know." The most successful example is bank cards and PINs (personal identification numbers). A thief might steal your bank card, but it's unlikely that he'd guess your PIN before the card was swallowed up by a cash machine after three incorrect tries.

Challenge/Response Authentication. Bank cards are merely a piece of plastic with a magnetized strip that contains your account information. But USB Flash drives (and similar technologies, including "smart cards") can do much more than just store bytes. They're also capable of carrying and using digital certificates. A secure server can issue a digital "challenge" that only a smart device can correctly respond to.

I've been calling devices such as these "USB keys," because they make it as easy for you to log in to a secure server as it is to start your car with a car key.

U.S. Bancorp Signs Up For USB Keys

[Photo: Verisign Authentication Tokens]

Verisign Inc. is one of several companies that are beginning to sell USB keys, technically known as secure authentication tokens, to banks and other enterprises.

Verisign recently announced that U.S. Bancorp, the sixth-largest U.S. financial services holding company, would start giving secure USB tokens to its commercial banking customers. In my opinion, this is the first step toward all financial institutions requiring two-factor authentication for any online customer communication.

The company's Unified Authentication USB Token, shown at the bottom of the photo to the left, can hold up to seven digital certificates, according to Mark Griffiths, vice president of security services for Verisign.

The Multipurpose Next-Generation Token, shown at the top of the photo, also displays a 6-digit number when the user pushes a button. The number is one of a series that a secure server will accept as a valid password, in combination with a user's 4-digit PIN.

One-Time Passwords And Multiple-Use USB Keys

For many business applications, such as remote access to e-mail, a one-time password is sufficient security to let an end user log in from an Internet café. Even if a Trojan horse is monitoring all of a PC's keystrokes and capturing everything on the screen, a hacker wouldn't be able to use the discovered password, since it would work only once.

For more sensitive applications -- such as online banking -- the challenge/response capabilities of USB keys provide much better security. No Trojan-horse program could understand the long digital strings that make up a secure challenge, much less formulate the exact arrangement of bytes that would make up the calculated answer.

A hacked public terminal might still be able to capture the text of your e-mails, your bank balance, or whatever else you display on the screen. But it would be impossible for the hacker to log in to your e-mail account and send e-mails under your name -- or log in to your bank account and send all of your money to Russia.
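The two mechanisms described above (the one-time password from the token's display plus a PIN, and the challenge/response exchange a USB key performs) can be simulated end to end. The following is an added illustration, not code from the column or from Verisign; it stands in for the token's digital certificate with a shared HMAC secret, so that the same script shows why a keylogger on the café PC that captures a code, or a challenge and its response, gains nothing by replaying it.

```python
import hashlib
import hmac
import secrets

def _hotp(secret: bytes, counter: int) -> str:   # 6-digit code from secret + counter
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

class Token:  # simulated USB key: the secret never leaves the device
    def __init__(self, secret: bytes):
        self._secret, self._counter = secret, 0
    def one_time_password(self) -> str:          # the 'push a button' display
        self._counter += 1
        return _hotp(self._secret, self._counter - 1)
    def respond(self, challenge: bytes) -> bytes: # keyed answer to a challenge
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()

class Server:  # back end holding the token secret and the user's PIN
    def __init__(self, secret: bytes, pin: str):
        self._secret, self._pin = secret, pin
        self._next_counter, self._pending = 0, set()
    def check_otp(self, pin: str, code: str, window: int = 5) -> bool:
        if not hmac.compare_digest(pin, self._pin):
            return False
        for c in range(self._next_counter, self._next_counter + window):
            if hmac.compare_digest(_hotp(self._secret, c), code):
                self._next_counter = c + 1        # burn this code and earlier ones
                return True
        return False                              # unknown, stale or replayed code
    def challenge(self) -> bytes:
        chal = secrets.token_bytes(32)            # fresh and unpredictable per login
        self._pending.add(chal)
        return chal
    def check_response(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._pending:        # never issued, or already answered
            return False
        self._pending.discard(challenge)
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def demo():
    secret = secrets.token_bytes(32)              # constructed: shared at enrolment
    token, server = Token(secret), Server(secret, "1234")
    code = token.one_time_password()              # user types PIN + code on cafe PC
    first = server.check_otp("1234", code)
    replay = server.check_otp("1234", code)       # keylogger replays captured code
    chal = server.challenge()
    resp = token.respond(chal)
    cr_ok = server.check_response(chal, resp)
    return first, replay, cr_ok, server.check_response(chal, resp)  # last = replay
```

`demo()` returns `(True, False, True, False)`: each captured value logs in once and is then worthless, which is the property the column relies on for public terminals.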


Verisign's Griffiths says a rollout of secure tokens -- including the use of Verisign's 24/7 back-end server that can lock out lost and stolen Flash drives -- will cost a company only $25 to $35 per year per user for 5,000 users. That sounds to me like a bargain, if it eliminates the use of passwords and any eavesdropping on them by hackers.

Unfortunately, there's no program at the current time that allows an individual consumer to purchase a USB Key and then demand that his or her bank start supporting it as a form of identification.

Until that day comes, I recommend against using a public terminal to log in to your e-mail account without one-time passwords -- and against logging in to your online bank account without full challenge/response authentication.

Wait, you might say. If this catches on, what will keep consumers and corporate travelers from having to carry around a fistful of different USB keys to log in to different servers?

A standard is on the way that will allow a single key to work on all servers. That'll be the subject of my next column on Jan. 11, 2005, after the holiday break.

Brian Livingston is the editor of and the co-author of Windows Vista Secrets and 10 other books. Send story ideas to him via his contact page. To subscribe free and receive Executive Tech via e-mail, visit our signup page.
