Whatever device-based technology wins, it will involve a set of checks and balances. "We'll always have password problems," acknowledges Siu. "While users always want a single place to log in, we're going to need multiple levels of authentication." He anticipates that in the future we'll carry something that authenticates us, perhaps our phone or something with an RFID tag, just as a highway toll transponder authenticates a car at a toll booth or a key fob lets you start a Prius when it's in the vicinity.
Ultimately, even the security experts are optimistic. "We're at a turning point in the security industry," insists Ponemon. "There are lots of venture capital investments looking at this facet of security. It's a response not just to [breaches at popular sites such as LinkedIn], but to hackers in China and Russia who are looking for weaknesses."
With the threat vector high, so too is the likelihood of a successful technological response. In the meantime, IT will keep on trying to exhort users to choose stronger passwords -- and that includes their own systems administrators. As Maler relates, a recent Forrester study found that the most common administrator password for Microsoft Exchange is -- you could have guessed it -- password1.
Baldwin is a frequent Computerworld contributor.
This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on Computerworld.com.