Password policies still too lax in most large companies
January 17, 2011
According to a new Symantec study, more than 66 percent of large North American organizations have still not implemented two-factor authentication for the partners and contractors who access their corporate networks.
The report, which polled 306 large enterprises, was conducted by Forrester Research on behalf of Symantec. Respondents included companies from both Canada and the United States; all of them employed at least a thousand people, and 30 percent had more than 5,000.
In addition to the lack of strong authentication for business partners, distributors and contract workers, Symantec found that 87.2 percent of companies expected their users to remember two or more passwords to access corporate resources.
"More than 64.7 percent of companies had at least six different password policies in place," said Atri Chatterjee, vice-president of user authentication at Symantec. He added that up to half of all IT help desk calls deal with password reset issues.
With more enterprise employees using their own devices to log into the corporate network, Symantec said access security has become as important as areas such as firewall and network security. Most companies are dealing with this critical issue, Chatterjee said, by creating large and cumbersome password policies, which isn't always the best solution.
Symantec said the move to two-factor authentication technologies, which forces employees to use a password in conjunction with a software or hardware token, is the most effective way to provide strong access control.
But while two-factor authentication is being used at the majority of large enterprises throughout North America, Chatterjee added that the technology is only used on a very limited basis.
“They roll it out to the finance department or senior management only,” he said, adding that large gaps in two-factor authentication deployment means organizations are only as strong as their “weakest link.”
“Overall, the reaction has been to make password policies a lot more complex, but it has resulted in more difficulties for users, and that is when many of them start cutting corners, which is often the beginning of many security issues,” he added.
To help businesses, Symantec says it now offers two-factor authentication as a service that can run in the cloud. It also said it can roll out software tokens to all major smartphone brands as well.
Symantec’s new report comes just a few weeks after EMC Corp. released its RSA SecurID Software Token for Android, which allows users to authenticate themselves to business apps using their Android-based smartphones.
For example, when enterprise users are ready to log in to the corporate ERP system from their laptop, they can generate a one-time passcode with the Android token app and enter it to gain access. Each passcode is valid for only 60 seconds, and the tokens are provisioned and managed through RSA’s existing Authentication Manager software.
Rachael Stockton, manager of product marketing at RSA, said this functionality was highly demanded by existing RSA customers as the growth of Android in the enterprise world continues at a rapid pace. She added that the ubiquity of the smartphone in general makes it a perfect fit to host a software authentication token.
“For the most part, people usually don’t forget their smartphones, so it lowers the support calls,” Stockton added.