Real-world IT security challenges: Doing away with passwords

Today's column starts an ongoing periodic feature where I'll be covering various real-world scenarios I've come across in my professional consulting life. We're talking about real-world solutions for real-world security problems.

[ RogerGrimes's column is now a blog! Get the latest IT security news from the Security Adviser blog. ]

When it comes to security enforcement, there appear to be two major types of companies that I run into regularly: Those who don't have a clue and seem bothered by even having to patch their systems, and those who routinely run their employees through retina scans and consider bomb-resistant shielding on the walls leading to the server room a necessary essential.

I was recently at one of the latter. This particular company is doing away with passwords all together because it considers passwords as one of the weakest links in their security armor. It has moved to RSA tokens for two-factor VPNs and fingerprint readers for local logons.

The company did a multiyear test into the best fingerprint readers, which I'll discuss in a future column. My fondest memory (besides watching all the ways you could fool a fingerprint reader, many of which are absolutely trivial), was looking at the boss's desk -- he had 15 USB fingerprint readers plugged into his desktop computer. It was a scene out of a Mike Meyers movie.

The company is trying to remove any instance where an employee would have to put in a password so that it can increase the password length to a far greater than normal maximum. In this particular case, it wanted the minimum password size to be 128 characters or greater. Yes, it understands that Windows logon passwords only go to 127 characters, but it is willing to patch the appropriate DLLs.

The thought is to make passwords so uncrackable and unguessable that they essentially become a crypto private key (although that would be a misnomer). With passwords at 128 characters, a password cracker obtaining one of the password hashes would be far more likely to have a hash collision -- which is just as good as the real password in a Windows environment -- than to crack the actual password.

However, the company's Outlook for Web Access server required an employee password for users to authenticate. There are many possible solutions, but the company wondered if it could leverage its current RSA and Citrix investments and do away with passwords altogether. Under this plan, employees would face a logon screen where they would enter their PIN and RSA token information and get authenticated. Behind the scenes, RSA and Citrix would accept the two-factor token authentication information and pass an extremely long Windows password to authenticate to the needed Windows resources.

It was an interesting proposal, so I called RSA and Citrix. Both companies replied back immediately, that, yes, this was possible. Both companies shipped us the necessary software to try it out in a lab environment, assigned us support engineers, and sent copious amounts of documentation. I was impressed with the number of "solution guides" covering all sorts of software combinations, including IIS and Citrix integration projects.