Bill Gates: the era of passwords is over

Ripped off passwords

Cryptas, Wien, 9.7. 2004

In the year 2003 was the first year where viruses and worms with keylogging functions reach epidemic dimension. These malicious code monitors all inputs on a keyboard and is getting information about passwords and PIN. The methods are getting more and more sophisticated and are targeting banking passwords now.

Additional to this threat to passwords by virus/worms/trojans social attacks getting more and more frequent. Phishing (Password Fishing) E-Mails sham authorities and request the input of passwords, credit card numbers, etc. Sophisticated versions counterfeit whole websites, showing the "right" URL (URL-Vulnerabilities) let the victim imagine to be safe, or bugs of the Same Origin Policy of the Browser are used, where to get access to inserted fields on original sites.

Find a remedy!

Countermeasures against social attacks are education and security awareness training or the elimination of passwords, next to the duty of firewall, virus scanner and being on an up to date patch level.

Some banks offer virtual keyboards, where password entry can be done by mouse - which is mitigating the risk, as well as password programs, which store the passwords and making them more manageable. But storing on a hard disk is nevertheless risky - password encryptions can be sniffed. De facto security can only be done by multi factor authentication.

Authentication with PKI and SmartCards is the neatest solution - but also the combination of password-based solutions with smart cards is a remedy. Safenet Axis is storing the password for different logins on the smart card, protected ba a pin.

Linktipps

	Scob and others - Article in austrian online newspaper "der Standard" (german)
	Passwords vs. OTP vs. PKI - Cryptoshop Knowledge Base
	Password protection and quality - Cryptoshop Knowledge Base
	Safenet Axis

In case of doubt the management is liable A security study of Silicon.de show that IT security measures are still inapropriate.

Using chipcards in companies Company cards with digital signature offers more security and allow access to many applications. The austrian commerce chamber is equipping its staff with signature chipcards of a.trust. Till end of november 2004 were the first 800 cards enrolled.

Industrial espionage threatens Austria Industrial espionage is threatening not only single companies, but also the credit rating of whole business location of Austria, said a member of the office for the protection of the constitution.

Windows Server 2003 is ISIS-MTT certified Microsoft Windows Server 2003 is vested with ISIS-MTT-Seal. This is a initative of the german ministry of economics and labour for a mandatory standard for signatures, secure e-mail and secure document handling compliant to the requirements of eGovernment-applications.

MS Security Expert wants to note passwords Jesper Johansson of Microsoft means, that passwords should be written down, because forbidding results in weak passwords.

Bill Gates: the era of passwords is over Bill Gates recognizes that the future of authentication are smart cards. With Cryptoshop.com smart card authentication becomes reality in your company...

Ripped off passwords More and more virus/worms/trojans have keylogging functionality. They intercept the keyboard interface and log all inputs - bad for passwords. Remedy can be attained by multi-factor-authentication.