Gates predicts death of the password

By Munir Kotadia
Posted on ZDNet News: Feb 25, 2004 3:25:00 PM

SAN FRANCISCO--Microsoft Chairman Bill Gates predicted the demise of the traditional password because it cannot "meet the challenge" of keeping critical information secure.

Gates, speaking at the RSA Security conference here on Tuesday, said: "There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don't meet the challenge for anything you really want to secure."

Gates emphasizes security in Windows update Bill Gates, chairman, Microsoft

RSA is working with Microsoft to develop a SecurID technology specifically for Windows. Both companies agreed there is a need to remove the vulnerabilities associated with employees using weak passwords.

SecurID is the best-known two-factor authentication system and is used by many large enterprises. It generates a constantly changing sequence of numbers that a user has to type in alongside their normal password or PIN. Creating a specific system for Windows could mean that rolling out strong authentication across an enterprise will be far easier and cheaper.

 New organization helps companies measure security efforts against similar competitors

However, Gates said that Microsoft would not be using the SecurID system internally because it had opted for a smart-card system--with the help of RSA. "Microsoft recently moved to a smart card approach, and a key partner in this was RSA," he said.

Microsoft also demonstrated "tamper resistant" biometric ID-card software, developed by its own research arm, that can be used by both small and large companies to create ID cards using a digital camera, an inkjet printer and a business-card scanner.

To create an ID card, the software requires a photograph and some basic information about a person, such as name and date of birth. This information is processed by the software to create a digital signature in the form of a bar code, which is also printed onto the ID card. If any of the information on the ID card is altered, it will not correlate to the signature and the card is rejected, according to Microsoft.

		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

Gavin Jancke, development manager at Microsoft Research, who demonstrated the software, said one of the key aspects of the system is that it does not require a database because all the information is already stored on the card.

"The authenticity ID is stored in the printed information in the card itself. There are no user privacy issues because we know that what is stored on this card is stuff that they can actually see," he said.

Jancke said the system could also be used to store fingerprints or an eye scan.

"This system is also extensible, so we can include other biometric information, such as iris or fingerprint. It will still maintain the same tamper resistancy on ordinary paper or plastic printed media," he said.

Microsoft did not indicate when or if the software would be available commercially.

Munir Kotadia of ZDNet UK reported from San Francisco.