A network question

By Dave Kearns, Network World
July 25, 2005 12:04 AM ET

When it comes to access, authentication and logon - are you still using simple passwords? You know, minimum six characters (or even four), case insensitive, no requirement for mixed alphanumerics or special characters.

As security expert Bruce Schneier said in this magazine in the spring: "Passwords just don't work anymore. As computers have gotten faster, password guessing has gotten easier. Ever-more-complicated passwords are required to evade password-guessing software. At the same time, there's an upper limit to how complex a password users can be expected to remember."

I'm bringing this up because Sun recently announced it would be donating its enterprise single sign-on (ESSO) technology to the open source movement.

The OpenSSO project, if it follows the trend of other major open source projects, should lead to very workable, easily implemented and very inexpensive ESSO. That means if you don't already have an ESSO project implemented or in planning, you'll soon be facing enormous pressure to do so.

ESSO is a tempting technology. We want to make passwords stronger by requiring longer strings of mixed-case letters and numerics with a special character or two thrown in.

But users who can't remember multiple simple passwords have no hope of remembering multiple complex passwords. Either they'll write them on notes that they tape to their monitor - or, here's a sneaky trick: on the underside of the desk blotter. (I wonder where their spare front door key is!)

A good ESSO package allows you to have a single password in order to access the resources and services on a network. Of course, if there's only one password needed to access all of a user's privileges, then it should be particularly strong. But strings such as Asdf2%Wssd43!!AZgf will not be remembered by users. So it's time to think about strong authentication based on one-time passwords, smart cards/proximity cards or even biometrics.

There have been major advances in these areas over the past few years, so recheck if you dismissed them as either too pricey or unworkable some time ago.

If you're into open source, then check first with the Initiative for Open Authentication (OATH). There is lots of information, pointers, protocols and specifications to get you started on the road to the strong authentication that will be necessary for your ESSO environment.

Tip of the week:

Some say OATH was started as a reaction to the grip that RSA Security has on the strong authentication market. It's true that RSA is the market leader, so don't ignore the many offerings it has in this area.

Kearns, a former network administrator, is a freelance writer and consultant in Silicon Valley. He can be reached at wired@quill.com.
