
Password Overprotected

A saintly solution to passwords would be welcome.

"Will somebody rid me of this cursed priest?" I know exactly how Henry II felt. I feel the same way about passwords. Now I'm not advocating that the solution is to emulate Henry and encourage the murder of the Archbishop of Canterbury. However, I do think it is about time, after 50 years, that an industry which professes to embrace research and innovation devised something a bit more elegant than passwords to control access rights to IT systems.

Recently ASIC sent me an e-mail informing me that some new correspondence had been delivered to my company account on the ASIC Web site. Alarm bells rang in my head. ASIC is, after all, a corporate regulator. Had I overlooked something? Did I need to submit new information? Was there a bill to pay? I rushed to log in to their Web site. Then it hit me. What was my ASIC account number and password? It has probably been four years since I last needed to access my ASIC account correspondence file. I'm not Steve Vizard. It's not like we talk on a regular basis.

Was this a password that was all numbers, or was an alphanumeric one required? Had I been able to customize it and, if so, which of my family, pets or football teams had I selected? Was it four digits, six or even eight? At the back of my mind was the knowledge that I would probably have three strikes and then be out. How would ASIC respond to what they might perceive as a security breach? Would the "feds" be hot on my tail? Crikey! Crikey.com might even get involved.

For some time I've been aware, in my discussions with CIOs, of a broad recognition that something needs to be done about the password problem. I have heard of a myriad of potential panaceas to the problem. These include single sign-on, biometrics technology and the use of tokens, certificates or smart cards. Yet the reality is that, despite a lot of talk, nothing seems particularly advanced, especially as far as the general consumer goes.

My first thought was that biometrics technology, like fingerprint or iris scans, would be foolproof, as it relies on characteristics unique to an individual. Then an IS security manager at a bank put me in the picture. Iris or fingerprint scans only digitize a body characteristic. In the end the computer only wants the digitized data, not the iris or fingerprint image. As such, why is that any better than typing the password in the first place, especially since a bleary eye or a sweaty finger might distort the body scan?

Then I thought that single sign-on seemed to be the answer. However, another person asked how I would feel if all the keys to my house, my car and my office were the same. Wouldn't I worry about the repercussions if one of those keys were lost? I know a number of IS executives, in legal firms especially, who speak highly of tokens and certificates. However, I do get the impression that these are somewhat cumbersome and not really suitable for the mass market.

I'm still waiting to discover what the best solution will be. However, I do know what happened to Thomas à Becket after the henchman of Henry II murdered him. He was canonized. Pilgrims flocked to Canterbury just to see his tomb. Perhaps that might be the fate of the individual who eventually helps this industry by coming up with an effective answer to securing user access to a multitude of personal applications.

Peter Hind is a freelance consultant and commentator with nearly 25 years' experience in the IT industry. He is co-author of The IT Manager's Survival Guide and ran the InTEP IS executive gatherings in Australia for over 10 years.
