So, I paid attention when David Harding from BrowserPlus offered a couple months ago to let me beta-test a new "extension" to Internet Explorer, called Login Manager, which he claimed was a solution to the problem of maintaining strong passwords. The program does a lot: it provides a searchable bookmark capability, it can automatically populate Web forms and log you into a favorite site with a single click, and it can generate, remember, and manage strong passwords. This last point is goes to the heart of the "weak link" problem.
Login Manager turns typical password administration upside down. Instead of asking the user to generate or remember a strong password, the Login Manager can be configured to manage all passwords on behalf of the user. For the highest level of security, an organization’s security administrator can even hide passwords from the users themselves. Although hiding passwords from users might seem counter-intuitive, there are several attractive benefits to this approach:
- As Kevin Mitnick points out, the easiest way to steal a password is to ask the user for it. A significant number of users are vulnerable to "social engineering," where the password thief over the phone poses as someone with legitimate need for the password. But if users don't know their own passwords, they can't give them away.
- If employees don't know passwords, they can’t share them with friends or relatives. No more "sharing" of access to proprietary research sites, such as Gartner. More seriously, no more sharing of access to company intranets with outsiders, such as recruiters, or competitors.
- If employees don't know passwords, they can't take them when they leave the company. No more worry about terminated employees continuing to access employer Web accounts or extranets.
- Finally, in some departments (e.g. purchasing) it is necessary for several users to share a common "corporate account" and password (e.g. several buyers in Purchasing using a common account for an e-commerce site). But if the users don't actually know the password, it's no longer necessary to change it every time one of them leaves the company.
Because Login Manager operates as an extension to Internet Explorer, it won't administer passwords for legacy client-server or mainframe systems. Still, with more and more systems adopting a browser client, in some companies it could serve as an important element of a comprehensive security policy.
A 30 day free trial of the Login Manager (both home and professional editions) is available at the BrowserPlus web site.
No comments:
Post a Comment