What IT can do now that user passwords aren't safe

Telling employees to not reuse passwords is an insufficient strategy. Here's what else you can do

The parade of revelations of passwords stolen from online services -- LinkedIn (where unsalted SHA-1 hashing meant nearly two-thirds of the leaked hashes could be cracked), eHarmony, and Last.fm most recently -- has many workers and IT pros alike questioning the security of the cloud and the most prevalent way they have to secure access to accounts: passwords.

Following the leaks, LinkedIn and others stressed that people should not reuse their passwords, and they reiterated the standard advice to use complex passwords or passphrases. Unfortunately, users typically do one or the other, not both -- and frequently neither. The advice to not reuse passwords matters even more for cloud services, where user accounts are reachable from anywhere and a provider's large database of credentials is an attractive target: once one service is breached, every stolen password gets tried against every other service its owner is likely to use.

Yet it's clear that as users have dozens of online services that require passwords, the "use a different complex password for each, and change them regularly" advice may not be something mere mortals can do -- at least, not unassisted. Here are the strategies IT should consider in a world where users' personal passwords can be stolen from their online providers, and are probably also in use at work.

1. Add a second factor

Using two-factor authentication makes it more difficult for attackers to gain a beachhead inside the company's network, even if they get the user's password from a popular website. Not only do attackers need to get the employee's password, they also need to get access to the token used as a second security measure or gain access to the person's device from which they connect to the corporate network.

Two-factor authentication is by no means foolproof, of course. The Zeus banking trojan and other attacks have successfully used man-in-the-browser techniques to get around one-time-password tokens: malware on the user's machine captures the freshly generated code and submits it within its short validity window, before the user's own session does. The token defeats a stolen password, but not a compromised endpoint.

2. Give employees a password manager

Using a password vault, manager, or service to generate complex passwords and remember them is one of the few ways that an employee can actually handle unique and complex passwords for every account. By using a service or technology that allows a policy to be set, a company can push workers to do the right thing.

These technologies require that the user's system -- and the password service itself -- be secure: whoever controls the endpoint or obtains the master password gets every credential in the vault, so the focus shifts to host-based security. Also, many such services don't work across all the devices users may use to access work systems. Be sure to check not just whether they support your in-house platforms (Windows XP, Vista, and/or 7, and perhaps iOS and BlackBerry) but those your users are likely to use when working from home or on the road, such as Mac OS X, iOS, Android, and later this year, Windows 8.
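To make the "generate under a policy" idea concrete, here is an added example (not from the article or any particular password-manager product) of the two things such a tool does: draw passwords from the operating system's cryptographic random source until one satisfies the policy, and report exactly which rules a user-chosen password breaks. The policy values and the tiny breached-password denylist are constructed for the example.

```python
"""Added example: policy-driven password generation and checking, as a vault would do it."""
import math
import secrets
import string
from dataclasses import dataclass

# Character classes a policy can require; the union is also the generation alphabet.
CHARACTER_CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 16
    required_classes: tuple = ("lowercase", "uppercase", "digit", "symbol")
    # Constructed denylist; a real deployment would consult a breached-password feed.
    denylist: frozenset = frozenset({"password", "linkedin", "123456", "qwerty"})


DEFAULT_POLICY = PasswordPolicy()


def policy_violations(password: str, policy: PasswordPolicy = DEFAULT_POLICY) -> list:
    """Return the rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    for name in policy.required_classes:
        if not any(ch in CHARACTER_CLASSES[name] for ch in password):
            problems.append(f"missing a {name} character")
    if password.lower() in policy.denylist:
        problems.append("appears in the breached-password denylist")
    return problems


def entropy_bits(password: str, policy: PasswordPolicy = DEFAULT_POLICY) -> float:
    """Entropy a generated password has if each character was drawn uniformly
    from the policy alphabet (an upper bound for anything a human picked)."""
    alphabet = "".join(CHARACTER_CLASSES[name] for name in policy.required_classes)
    return len(password) * math.log2(len(set(alphabet)))


def generate_password(policy: PasswordPolicy = DEFAULT_POLICY, length: int = 20) -> str:
    """Draw from the OS CSPRNG (secrets) and reject samples that miss a required class,
    so every character stays uniformly distributed rather than being 'patched in'."""
    length = max(length, policy.min_length)
    alphabet = "".join(CHARACTER_CLASSES[name] for name in policy.required_classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(candidate, policy):
            return candidate


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{entropy_bits(pw):.1f} bits")
    print(policy_violations("correcthorsebatterystaple"))
```

Rejection sampling rather than forcing one character of each class into fixed positions keeps the output uniform over the set of compliant passwords; the entropy figure is only meaningful for generated passwords, which is the point of having the tool generate them.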

3. Use identity and access management

At the top end, identity and access management systems can help companies set rigorous policies and enforce them. Because they typically support federation standards such as the Security Assertion Markup Language (SAML), the user signs in once to the company's identity provider and the online service receives a signed assertion about who that user is; an increasing number of online services therefore never see a password at all. The key is to set policies that make that one authentication as secure as possible and to educate users never to reuse their single-sign-on password in personal services, since it now unlocks everything behind it. Combining identity and access management systems with two-factor authentication gives companies the best opportunity to strengthen the weakest link in their security chain: passwords.
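As an added example (not from the article, and not any IAM vendor's code), here is the service-provider side of that SAML exchange: the checks a service must make on an assertion before treating it as a login, which is where "no password is sent" is either earned or thrown away. The assertion below is a constructed sample with its XML signature omitted; the example assumes signature verification against the identity provider's certificate has already been done by an XML-DSig library and is passed in as a boolean. Entity IDs, addresses and class names are this example's own.

```python
"""Added example: service-provider checks on a SAML 2.0 assertion's issuer, conditions, audience and ID."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Constructed sample assertion (not from a real IdP); the ds:Signature element is omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_8f1e2d3c4b5a" Version="2.0" IssueInstant="2012-06-15T12:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2012-06-15T12:00:00Z" NotOnOrAfter="2012-06-15T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC in the form YYYY-MM-DDThh:mm:ssZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class AssertionValidator:
    def __init__(self, trusted_issuer: str, our_entity_id: str, skew: timedelta = timedelta(minutes=2)):
        self.trusted_issuer = trusted_issuer
        self.our_entity_id = our_entity_id
        self.skew = skew                # tolerated clock difference between IdP and SP
        self._seen_ids = set()          # assertion IDs already consumed (replay guard)

    def validate(self, xml_text: str, now: datetime, signature_verified: bool):
        """Return (True, subject) or (False, reason). `signature_verified` must be the
        result of an XML-DSig check of this exact document against the IdP's certificate."""
        if not signature_verified:
            return False, "signature not verified"
        root = ET.fromstring(xml_text)
        if root.tag != f"{{{SAML}}}Assertion":
            return False, "not a SAML Assertion"
        issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
        if issuer != self.trusted_issuer:
            return False, f"untrusted issuer {issuer!r}"
        conditions = root.find("saml:Conditions", NS)
        if conditions is None:
            return False, "no Conditions element"
        not_before = conditions.get("NotBefore")
        if not_before and now < parse_saml_time(not_before) - self.skew:
            return False, "assertion not yet valid"
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_on_or_after and now >= parse_saml_time(not_on_or_after) + self.skew:
            return False, "assertion expired"
        audiences = [a.text.strip() for a in
                     conditions.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if self.our_entity_id not in audiences:
            return False, "assertion not addressed to this service provider"
        assertion_id = root.get("ID")
        if not assertion_id or assertion_id in self._seen_ids:
            return False, "assertion ID missing or already used"
        self._seen_ids.add(assertion_id)
        subject = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
        return True, subject


if __name__ == "__main__":
    sp = AssertionValidator("https://idp.example.com/metadata", "https://sp.example.com/metadata")
    print(sp.validate(SAMPLE_ASSERTION, parse_saml_time("2012-06-15T12:01:00Z"), True))
    print(sp.validate(SAMPLE_ASSERTION, parse_saml_time("2012-06-15T12:01:00Z"), True))  # replay
```

The audience check is the one most often skipped in practice; without it, a signed assertion issued for a different service at the same identity provider would log the user in here as well.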

This story, "What IT can do now that user passwords aren't safe," was originally published at InfoWorld.com.

Copyright © 2012 IDG Communications, Inc.