Men's Wearhouse Has Better Security Than Your School
In the 1992 vice presidential debate,
Ross Perot's running mate, Admiral James Stockdale, introduced himself with
the words, "Who am I?" For the millions of viewers watching, that was a key
question because they had never heard of him or seen him before. His very difficult
task was to authenticate himself as a viable candidate to the voting public,
a task at which he was ultimately unsuccessful.
The task of authenticating oneself to a computer system is no less daunting.
In almost every case, colleges and universities use IDs and passwords. Because
passwords must be remembered, most people choose things they already know, such
as birth dates, pets' names, and Social Security numbers (SSNs).
Although these are easy to remember, they are also easy to guess or are widely
known. The problem is worsened by the fact that people need to authenticate
to many systems that do not communicate with each other. This results in people
needing to remember many different passwords and IDs.
In the spring of 2002, members of Princeton University's admissions office
were able to access the records of prospective Yale students by authenticating
to a Yale application with just a Social Security number and birth date. In
2001 and 2002 a business rival of Niku Corp., a small Silicon Valley software
company, used passwords that it is alleged were obtained illegally to download
more than 1,000 Niku documents, many of which were critical to Niku's competitive
survival.
Universities have responded to password threats by making passwords more difficult
to break. Users are no longer allowed to use their Social Security numbers.
Instead, they are forced to use passwords that obey complex rules that result
in passwords such as, "a2$4B!)e," which no one could ever remember but that
traditional password cracking programs have difficulty breaking. If an arcane
combination of eight characters d'esn't work, universities just require longer
passwords such as, "a2$4B!)e{@rucrazy."
Collections of these passwords are usually kept in some unencrypted file named
mypasswords or attached to computer screens on Post-it Notes, where they are
equally handy for users and intruders. This attempt at improved security results
in no security at all.
To deal with multiple passwords, password synchronization programs such as
P-Synch (www.psynch.com) and password aggregation systems such as ISO (Initial
Sign On), MS Passport (www.passport.net), and Shibboleth (http://shibboleth.internet2.edu/)
are used. All of these programs try to make authentication based entirely upon
something a person knows work effectively. It can't—and it is time to put
this enormous effort into something that will work: biometrics.
Retail Charges Ahead
Like other retail establishments, Men's Wearhouse (www.menswearhouse.com)
has electronic Point of Sale (POS) terminals that its sales force logs into
to record a transaction or sale.
Men's Wearhouse previously used IDs and passwords. Passwords were hard to remember
and were often written down on terminals. Passwords were shared. POS terminals
were left logged on for later use, but were often used by the next salesperson.
Of course the sales force was supposed to log on every time, but the systems
took time to boot up, errors were made in entering passwords, and the system
just slowed them down while they were trying to deal with customers in a hurry.
Security was non-existent. When a transaction was missed or a suit couldn't
be accounted for, it was impossible to determine who was responsible. This is
pretty much the state of university password security today.
Today, Men's Wearhouse has gone to biometrics—using something you are, rather
than something you know. You don't have to remember something you are, so you
never write it down, and it is more difficult to share something you are. Biometrics
also provides positive identification of the person making a transaction. Men's
Wearhouse has put fingerprint recognition hardware on all of its POS terminals.
Today, a salesperson just touches the terminal and he or she is logged on. No
mistyped passwords, shorter delays, and a system that—along with a good security
policy—provides strong security and accountability.
At a supermarket you'll always find a harried parent juggling three squirming
kids, bags of groceries, and a credit card jammed deep into a wallet. Oops,
those cards just fell out. "Adrienne, get back here." "Be careful with those
eggs!" "Sorry about you folks waiting in line."
Some Kroger markets (www.kroger.com)
now allow shoppers to use credit cards and other physical IDs to authenticate
just once to a service center. Their thumbprint is also recorded. Ever after,
a customer just touches their thumb to a pad to check out and their credit card
is automatically charged. It is very secure, fast, and no one ever sees your
credit card.
Critics of biometrics for universities say it isn't perfect. The password mess
we have now is worse. Critics say it's too expensive. If the thin margins of
a supermarket can support it, of course universities can too. Critics say that
the technology is too advanced. Should Kroger markets have better technology
than our research universities? It's time to abandon this password mess and
adopt biometrics. Then sometime in the future our universities will have security
as good as Men's Wearhouse.