People misplace passwords as often as they do their socks.
Sometimes they just don't match up, or they simply vanish into a void. That is why many IT shops are turning to methods meant to take the guesswork out of authentication, such as fingerprint readers and self-service password management tools like Web portals, to cut down on the daily help desk requests for password resets.
Resetting passwords is an annoying daily task for IT administrators, but it's not the only reason Windows shops like Southwest Medical Center in Liberal, Kan., have turned to fingerprinting technology. One such platform is the OneSign appliance from Lexington, Mass.-based Imprivata Inc.
The appliance lets the medical staff of Southwest Medical Center securely sign on to any desktop on the grounds of the facility and access patient medical records, as well as their personal files and applications, according to the permissions IT has set through Active Directory.
IT managers at the facility looked at smart cards and tokens, but they were afraid users would lose them. The fingerprinting technology was more expensive, but heightened regulatory requirements outweighed the added cost, said Chris Lehr, network administrator for Southwest Medical.
OneSign starts at $14,000 for 100 users. On a higher scale, the appliance is $45 per user starting at 1,000 users, the company said.
"We need to watch HIPAA rules and make sure we're following them," Lehr said. "With fingerprinting we know the [people] signing in are who they say they are, and we have it set up so that the system locks down after the doctor is finished with a session. So being able to meet HIPAA regulations and security makes it worth the cost."
About 50 desktops are getting the new fingerprinting technology, but Lehr estimates another 200 will be fitted with OneSign.
Still, as any IT manager knows, hardware can break down. So Lehr's team has also developed an internal self-service portal that lets medical staff answer a few questions to recover their passwords and sign in to a system.
"There are always quirks with new technology, so with the portal we can set up 15 to 20 different options and customize the questions so they aren't obvious ones, like where were you born, or what's your pet's name," Lehr said.
Avoiding the obvious password names
Sure, giving teaching and administration staff and students a Web portal to find and manage their own passwords seemed like a good idea. But for Josh MacNeil, assistant director of technology services at Whitman-Hanson Regional School District in Whitman, Mass., the security risks were too high.
"No matter what questions you set up, people who work closely together know a lot of information about each other and will probably know or be able to guess the answer," MacNeil said.
Instead, MacNeil customized the Microsoft Management Console and Active Directory to give teachers access to a file that lets them reset passwords when students lose them.
But that doesn't address the issue of teachers forgetting passwords after vacation or summer breaks.
"There's just no way to make password management easy," MacNeil said. "It will always be an issue whether you use a Web portal and risk security or try to help users come up with passwords they will remember that aren't so obvious."
Taking out the guesswork and illicit access
In a past job, Peter Bittle used IBM/Lotus Notes to administer and assign random passwords to users. Each user would get a password containing a fixed set of numbers and characters for all the systems and files they needed access to. The assigned one-password-for-everything approach cut down on unauthorized access as well as calls to the help desk, he said.
"In that environment of 14,000 users, a locked down environment was the best way to manage," Bittle said.
Now at industrial and residential shower enclosure manufacturer Coral Industries Inc. in Tuscaloosa, Ala., users aren't exactly taking to the idea. "We're trying assigned passwords, a systematic process here that's not random, but not all people agree that it makes it easier to remember," Bittle said.
Some employees have been with the 400-person company, and have kept the same password, for 30 years. "So right now we're trying to strike the balance of is it secure, and not an onerous process for users," Bittle said.
The IT team is looking at fingerprinting for time card workers, but company-wide the cost is prohibitive, Bittle said. So he is once again looking at a single sign-on approach, possibly through Active Directory. Bittle is finding that, as with Lotus Notes, his team will have to adjust its systems and tweak Active Directory to make it work.
"We have so many separate systems with different passwords and many of our systems are not AD aware," Bittle said. "It would only work if we do a lot of workarounds and that would take too long … that's where we are at this point."