Cracking the password problem
Publishing date: 08/08/2009

IT SECURITY COMPANY SIGNIFY has produced a guide to the top five methods used by password pirates and how to combat them. The guide is published here in full.

At present, the majority of companies use standard re-usable passwords to secure entry into their company systems or to log in remotely to their e-mail, intranets, extranets and sales management systems, amongst others.

Evidence highlights that re-usable passwords are a very insecure way of keeping company or client information under wraps.

Passwords can be easily cracked, stolen or guessed, and once someone's username and password have been hijacked, that person's entire digital identity is vulnerable: the attacker instantly acquires all the privileges of his/her victim.

All this can happen without the victim being aware that their password has been compromised, and if the attacker is careful, no-one may ever know that the attack has happened. For companies it means confidential business information can be easily copied or read by unknown sources without the alarm being raised.

 



Most companies have a poor understanding of how easy it is for someone to enter their system.

With standard password-based systems, individuals re-use the same credentials each time they log in, and these are compared against a password database which is typically stored on the company system. So the password can be acquired by snooping on the user's network connection, by hacking the system's password file, or simply by copying a back-up tape.

Passwords are normally stored in an encrypted or 'hashed' format, but there are now powerful password cracking tools that can decrypt any password within minutes or a few hours using a standard PC.

Ideally, companies need to eliminate use of re-usable passwords in favour of a 'one-time passcode' system. Under such a system, each passcode is only ever used once, then thrown away, and a new one is used the next time the user logs in. So even if an attacker does manage to snoop the user's passcode, it is of no value as it cannot be used a second time.

Ideal solution

The ideal solution is a one-time passcode system, which requires 'two factor' authentication. Users must present two proofs of their identity: typically something they know (a secret PIN) and something unique they have (a token or smartcard).

In our most popular system, RSA's SecurID, the user's token creates a new code every minute, and this is combined with the user's secret PIN to make a unique one-time passcode.

The SecurID system is favoured by users due to its simplicity and robust reliability and is currently used by over seven million people worldwide. It ensures those gaining access to secure confidential company information really are authorised users - and not just a pirate who has stolen someone else's password.
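The replay resistance described above, as an added example that is not part of the Signify guide and is not RSA's code. SecurID's algorithm is proprietary, so an RFC 4226/6238-style HMAC-SHA1 code with a 60-second step stands in for the token; the `Verifier` class, the six-digit code length, the PIN-then-code layout and the PBKDF2 PIN storage are all assumptions made for illustration, and clock-drift tolerance is left out.

```python
import hashlib
import hmac
import os
import struct

STEP = 60    # seconds per token code ("a new code every minute")
DIGITS = 6   # assumed code length


def token_code(seed, now):
    """Code for the minute containing `now`; RFC 4226/6238 HMAC-SHA1 truncation."""
    mac = hmac.new(seed, struct.pack(">Q", now // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def pin_digest(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class Verifier:
    """Server side: accepts PIN + token code once per time step (hypothetical class)."""

    def __init__(self):
        self.users = {}      # user -> (salt, PIN digest, token seed)
        self.last_step = {}  # user -> most recent time step already accepted

    def enroll(self, user, pin, seed):
        salt = os.urandom(16)
        self.users[user] = (salt, pin_digest(pin, salt), seed)

    def login(self, user, passcode, now):
        if user not in self.users:
            return False
        salt, stored, seed = self.users[user]
        # A passcode from a step that was already used (or an older one) is dead,
        # so a value snooped off the wire cannot be replayed.
        if now // STEP <= self.last_step.get(user, -1):
            return False
        pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
        pin_ok = hmac.compare_digest(pin_digest(pin, salt), stored)
        code_ok = hmac.compare_digest(code.encode(), token_code(seed, now).encode())
        if not (pin_ok and code_ok):
            return False
        self.last_step[user] = now // STEP
        return True
```

`login` takes the current time as an argument so the behaviour can be checked deterministically; a deployment would pass the server clock.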

 
