Men's Wearhouse Has Better Security Than Your School

In the 1992 vice presidential debate, Ross Perot's running mate, Admiral James Stockdale, introduced himself with the words, "Who am I?" For the millions of viewers watching, that was a key question because they had never heard of him or seen him before. His very difficult task was to authenticate himself as a viable candidate to the voting public, a task at which he was ultimately unsuccessful.

The task of authenticating oneself to a computer system is no less daunting. In almost every case, colleges and universities use IDs and passwords. Because passwords must be remembered, most people choose things they already know, such as birth dates, pets' names, and Social Security numbers (SSNs).

Although these are easy to remember, they are also easy to guess or are widely known. The problem is worsened by the fact that people need to authenticate to many systems that do not communicate with each other. This results in people needing to remember many different passwords and IDs.

In the spring of 2002, members of Princeton University's admissions office were able to access the records of prospective Yale students by authenticating to a Yale application with just a Social Security number and birth date. In 2001 and 2002, a business rival of Niku Corp., a small Silicon Valley software company, used passwords that were allegedly obtained illegally to download more than 1,000 Niku documents, many of which were critical to Niku's competitive survival.

Universities have responded to password threats by making passwords more difficult to break. Users are no longer allowed to use their Social Security numbers. Instead, they are forced to use passwords that obey complex rules, which results in passwords such as "a2$4B!)e," which no one could ever remember but which traditional password-cracking programs have difficulty breaking. If an arcane combination of eight characters doesn't work, universities just require longer passwords such as "a2$4B!)e{@rucrazy."

Collections of these passwords are usually kept in some unencrypted file named mypasswords or attached to computer screens on Post-it Notes, where they are equally handy for users and intruders. This attempt at improved security results in no security at all.

To deal with multiple passwords, password synchronization programs such as P-Synch (www.psynch.com) and password aggregation systems such as ISO (Initial Sign On), MS Passport (www.passport.net), and Shibboleth (http://shibboleth.internet2.edu/) are used. All of these programs try to make authentication based entirely upon something a person knows work effectively. It can't—and it is time to put this enormous effort into something that will work: biometrics.

Retail Charges Ahead

Like other retail establishments, Men's Wearhouse (www.menswearhouse.com) has electronic Point of Sale (POS) terminals that its sales force logs into to record a transaction or sale.

Men's Wearhouse previously used IDs and passwords. Passwords were hard to remember and were often written down on terminals. Passwords were shared. POS terminals were left logged on for later use, but were often used by the next salesperson.

Of course the sales force was supposed to log on every time, but the systems took time to boot up, errors were made in entering passwords, and the system just slowed them down while they were trying to deal with customers in a hurry. Security was non-existent. When a transaction was missed or a suit couldn't be accounted for, it was impossible to determine who was responsible. This is pretty much the state of university password security today.

Today, Men's Wearhouse has gone to biometrics—using something you are, rather than something you know. You don't have to remember something you are, so you never write it down, and it is more difficult to share something you are. Biometrics also provides positive identification of the person making a transaction. Men's Wearhouse has put fingerprint recognition hardware on all of its POS terminals. Today, a salesperson just touches the terminal and he or she is logged on. No mistyped passwords, shorter delays, and a system that—along with a good security policy—provides strong security and accountability.

At a supermarket you'll always find a harried parent juggling three squirming kids, bags of groceries, and a credit card jammed deep into a wallet. Oops, those cards just fell out. "Adrienne, get back here." "Be careful with those eggs!" "Sorry about you folks waiting in line."

Some Kroger markets (www.kroger.com) now allow shoppers to use credit cards and other physical IDs to authenticate just once to a service center. Their thumbprint is also recorded. Ever after, a customer just touches their thumb to a pad to check out and their credit card is automatically charged. It is very secure, fast, and no one ever sees your credit card.

Critics of biometrics for universities say it isn't perfect. The password mess we have now is worse. Critics say it's too expensive. If the thin margins of a supermarket can support it, of course universities can too. Critics say that the technology is too advanced. Should Kroger markets have better technology than our research universities? It's time to abandon this password mess and adopt biometrics. Then sometime in the future our universities will have security as good as Men's Wearhouse.
