


Are passwords really free?
A closer look at the hidden costs of password security

Driven by many factors—including consumer demand for enhanced security, compliance pressures and a desire to re-energize the growth of e-business—leading enterprises are making strong authentication a core component of their e-business strategies. Unlike password management systems, strong authentication delivers the security needed to safely conduct business online. But these enterprises are also discovering an unexpected benefit: dramatically lowered operating costs. That’s because the hidden costs associated with the deployment and ongoing management of “free” password security actually outweigh the perceived high price tag of implementing strong authentication. Coupling this with the new business opportunities that come with enhanced security—new revenue streams and process efficiencies—makes for a compelling ROI. In this paper, RSA Security explores the total cost of ownership (TCO) associated with password security, helping enterprises to make an informed decision when contemplating their strategic move toward stronger security.

TABLE OF CONTENTS

I.   INTRODUCTION                                        1
II.  TOTAL COST OF OWNERSHIP                             1
     Acquisition Cost                                    1
     Deployment Costs                                    1
     Management Costs                                    2
     Total Cost of Ownership Summary                     3
III. SECURITY EFFECTS—THE BOTTOM LINE                    3
     Relative Security                                   3
     Passwords as a “Security” Mechanism                 4
     Are these concerns real? The answer is yes!         4
     Strong Authentication for Enhanced Security         4
IV.  STRONG AUTHENTICATION                               5
V.   THE ROI BENEFITS OF STRONG AUTHENTICATION           5
     Increased Revenue                                   5
     Lower Costs                                         5
     Compliance                                          6
     Mitigated Risk                                      6
     CONCLUSION                                          6
     ABOUT RSA SECURITY                                  6
     APPENDIX A — 3-YEAR TOTAL COST OF OWNERSHIP WORKSHEET  7
     APPENDIX B — ESTIMATING RISK                        8

INTRODUCTION

As more and more business processes move online, many enterprises are evaluating stronger security than that provided by traditional passwords. When considering any user authentication technology—ranging from passwords, tokens, digital certificates to biometrics—to accurately understand the true cost of ownership it is necessary to look beyond the acquisition costs and consider the on-going expenses associated with deploying and managing the solution. As with any significant technology investment, cost is always a consideration. However, the decision to replace embedded password security solutions with stronger authentication is a complicated one involving many factors. One must consider the appropriateness of user fit (usability, portability and multi-purpose functionality) and the appropriateness of corporate fit (strength of security, interoperability and integration, scalability and future flexibility). (Please see the Authentication Scorecard to learn more.) For the purpose of this paper we will develop a spreadsheet to help calculate the acquisition, deployment and management costs of passwords, considering a three-year period for a 1,000 user environment.

TOTAL COST OF OWNERSHIP

Acquisition Cost

Password management systems have a major advantage over all other authentication technology in that they are generally available “free of charge” and are embedded or otherwise provided for within operating systems, communication devices and business applications. Further, they do not require the purchase of any special devices or software for the end users. Strong authentication technology, on the other hand, requires the purchase of a server software license and RSA SecurID tokens for each end user. Annual maintenance for the software license is also highly recommended. Remember, however, that acquisition cost is only one of three factors that determine the total cost of ownership. The others are the cost of deployment and the cost of ongoing management.

Acquisition Cost of Passwords

Product Acquisition        Year 1   Year 2   Year 3   Total
Server Software                 0        0        0       0
Maintenance                     0        0        0       0
Authenticators                  0        0        0       0
Total Acquisition Cost          0        0        0       0

Deployment Costs

Deployment costs will vary widely between different user authentication technologies. To formulate an estimate of these costs, it is first necessary to assign a dollar value to a knowledge worker’s time in order to calculate the impact each solution will have on deployment costs. For the purpose of this exercise, we will assume a knowledge worker’s fully burdened cost to a company to be $40 per hour or approximately $80,000 per year. This assumption may not be accurate for your particular situation and you should adjust any calculations accordingly.

The first password-related expense that most companies will incur is associated with establishing a user account. If the information that will be protected is valuable, a company will want to establish a process and a policy for approving a user’s request for a password. A user fills out and submits a request form, a manager reviews and approves the request and someone in the IT department establishes an account for the user. This one-time user initiation process typically takes a total of 15 to 20 minutes of personnel time, often spread over days, and therefore costs in the range of $12 per user.

RSA Security Inc. 1

Deployment Expenses        Year 1   Year 2   Year 3    Total
User Initiation            12,000        0        0   12,000
Issuing Tokens                  0        0        0        0
Total Deployment Costs    $12,000        0        0  $12,000

MANAGEMENT COSTS

The final expense, and by far the more considerable, is the ongoing cost to administer and maintain an authentication system. Studies by a variety of consultative and special interest groups have put some values around the costs to fix password-related problems. In one survey, the Help Desk Institute reports that the average, fully burdened help desk cost to respond to one call ranges between twenty and thirty dollars.1 This includes help desk personnel, telephone charges, management expenses and system costs, but not the expenses of the end user. For our exercise, we will assign an average value of $25 per call.

There are two categories of cost incurred when a user encounters an authentication problem. First there is the cost of resources consumed to resolve the problem and then there is the employee productivity that is lost. Help desk personnel and management time is spent in efforts to resolve common authentication-related problems. These folks also consume telephone resources and use IS facilities to analyze the problem and implement the solution. Meanwhile, the affected user’s time is lost and wages and benefits are wasted. In addition, there is the cost of their lost wages, and a lost productivity value of perhaps this much again.

It is further estimated that an end-user spends an average of twenty minutes trying to fix a password problem.2 The first ten minutes are spent trying to solve the problem themselves and the next ten are spent on the phone with the help desk. By assigning a conservative estimate of $40 per hour to a knowledge-worker’s time, the twenty minutes of wasted end user time calculates to approximately $13 in lost wages and benefits.

Now let’s consider the cost of lost productivity. Productivity is defined as the revenue a company would expect to receive from an employee that is above and beyond the cost of their salary and benefits. To be a good investment to the enterprise, a worker must return value in excess of his/her cost. You can calculate this for your own environment by subtracting the average fully burdened cost per employee from the average revenue per employee. For our example, we will conservatively assume that an employee’s productivity value is equal to their fully burdened cost—in this case, $40 per hour for a total of $20 for the lost half hour. The end-user lost twenty minutes while the help desk personnel lost another ten. So when an employee is fully involved in a process to fix an authentication problem, the productivity of all the people involved is lost during this exercise.

Management Cost of Passwords

Management Cost            Year 1    Year 2    Year 3     Total
Help desk cost             95,000    95,000    95,000   285,000
Wasted end user time       49,400    49,400    49,400   148,200
Lost productivity          76,000    76,000    76,000   228,000
Total management cost    $220,400  $220,400  $220,400  $661,200

Password-related help desk costs: 1,000 users X 3.8 calls/yr X $25 = $95,000 x 3 yrs = $285,000
Wasted user time: 1,000 users X 3.8 calls/yr X $13 (20 minutes @ $40/hr) = $49,400 x 3 yrs = $148,200
Lost productivity: 1,000 users X 3.8 calls/yr X $20 (30 mins @ $40/hr) = $76,000 x 3 yrs = $228,000

1 Help Desk Best Practices Survey, 2000

At this point, we can calculate the cost of one help desk call at $58: $25 in help desk expenses, $13 in wasted end user time and $20 in lost productivity. The numbers indicate that the average cost per incident of a forgotten password is approximately $58.

One key question remains with respect to this scenario. How often will the typical user forget his/her password and place a call to the help desk? In a report published by Gartner, the number of password related calls per user per year is estimated at 3.8 using their most conservative scenario.3 The typical business year offers numerous opportunities for a user to forget one of his/her passwords. After any extended period of password non-use, such as major holiday periods, vacations and extended trips, a user is likely to forget a password. Also, after any password change, many users will forget the new password. If these “opportunities” are compounded by multiple passwords and good password management practices forcing frequent changes, a typical user is likely to average several incidents per year. After all, we have learned the average user will call the help desk with a password related issue 3.8 times per year. ($58 * 3.8 = $220 per user/per year.)

Total Cost of Ownership Summary

When calculating the TCO of a password system, it is important to look beyond acquisition costs and to consider deployment and management expenses. As we can now clearly see, the real expense of a password management system is hidden in the resources required to keep the system operational. As shown in this example of a 1,000 user system, assuming the actual experience is limited in the conservative way that we have presented it (e.g., one 20-minute incident), it is reasonable to conclude that password management systems can actually be more expensive to own and operate than strong authentication systems. When comparing strong authentication technology costs to those of a password system, an enterprise must consider security. To this end, we will now explore the impact of level of security on TCO.

Total Cost of Ownership—Summary

TCO Summary                Year 1    Year 2    Year 3     Total
Total acquisition cost          0         0         0         0
Total deployment cost      12,000         0         0    12,000
Total management costs    220,400   220,400   220,400   661,200
Total Cost of Ownership  $232,400  $220,400  $220,400  $673,200

SECURITY EFFECTS—THE BOTTOM LINE

Relative Security

Determining the level of security needed may seem like a basic step for most corporations, but it is perhaps the one that requires the most attention and consideration. Certainly, it would be foolhardy to spend significant funds to protect access to unimportant data or applications, just as it would be unwise to leave critical resources unprotected. It’s important to match the solution to the security requirement. Weak security can result in immeasurable direct and indirect costs due to exposure of sensitive information and resources to unauthorized users and intruders. Also contributing to the bottom line, strong security may enable business opportunities that result in new or enhanced revenue streams. Further, high forgotten-password cost is unavoidable, no matter how infrequent.

The impact of a security breach can vary widely from company to company as a result of the value of the information that is compromised, the volume of business interrupted, the complexity of the systems and the company’s market position. One company may lose very little business, but suffer greatly from employee inactivity. Yet another could experience tremendous losses if their information were to be exposed by a competitor. Because there are so many variables, it is difficult to put an absolute value on risk. In Appendix B you will find a list of examples and some questions you can ask to help determine the potential impact of a security breach to your company. Carefully considering and answering these questions will help you to determine your risk exposure and help you understand the strength of security that would be most appropriate.

3 The Cost of a non-automated Help Desk, Gartner Research, January 14, 2002

Passwords as a “Security” Mechanism

Passwords are generally considered to be a weak form of user authentication. They can be easily guessed or compromised by someone who is watching or “shoulder surfing” as a user enters their personal information. There are also a number of readily available tools that can be used to crack password files or to sniff data as it is entered through a keyboard and travels across a network.

PASSWORD CRACKING TECHNIQUES

There are many easy, inexpensive ways to steal user passwords:

Password Cracking Tools. A variety of software tools, such as L0phtCrack and NT Crack, automate the guessing of passwords through brute force and with extensive dictionaries of frequently used passwords.

Network Monitoring. This technique, also known as “sniffing,” allows monitoring (without detection) the contents of any message that streams by and flagging messages based on keywords, such as “login” or “password.”

Brute Force Dialing. Programs like ToneLoc automate the process of locating modem telephone lines; the hacker then attempts sign-on with various password alternatives.

Abuse of Administrative Tools. Many tools that have been designed to control and improve networks can be misused for destructive purposes.

Social Engineering. In contrast to the high-tech tools available to uncover passwords, some intruders use non-technical approaches to steal passwords. When a password has been stolen or otherwise compromised, the victim usually has no idea their identity has been stolen and the thief is free to act without risk of discovery.

Are these concerns real? The answer is yes!

In 2004, the Computer Security Institute published the results of their annual “CSI/FBI Computer Crime and Security Survey.” Based on responses of almost 500 computer security practitioners, the survey is designed to help determine the scope of computer crime in the United States. Once again, it has produced striking evidence indicating that businesses and government agencies are facing high risks and costs associated with network intrusions. Over half of the respondents detected computer security breaches within the last twelve months alone.

• It was recently reported by Kevin Poulsen of Security Focus that The New York Times, a major U.S. news service, had unknowingly exposed sensitive databases to hackers, including a file containing social security numbers and home phone numbers of contributors to their op-ed page.

• In yet another such incident, it was recently reported that computer hackers had cracked into the State of California’s personnel database and gained access to financial information for all 265,000 state workers, including Governor Gray Davis.

• And then there is the story of the on-line gambling casino where a hacker gained access to the gaming server, corrupting play so that gamblers could not lose. In just a few short hours gamblers racked up winnings of $1.9 million dollars.

As demonstrated by these and many other similar stories, policies that are intended to secure important corporate assets can place these same assets at great risk. And yet, companies continue to incur the costs of forgotten passwords and hope to contain the costs of increasingly likely network intrusions.

Strong Authentication for Enhanced Security

Strong authentication technology can provide a safe and more secure alternative to the use of passwords. The user combines something they know, a PIN, with something they have, a token code from an RSA SecurID token. By combining the use of a patented algorithm, the time of day and a uniquely assigned seed record, an RSA SecurID token automatically generates and displays a pseudo-random token code. When combined with the PIN, the token code becomes the user’s pass code allowing access to the protected resource. With this system, it would be impossible for someone to impersonate another unless they had access to both the PIN and the authenticator.

STRONG AUTHENTICATION

e-Business applications provide the ability for companies to address expensive, labor-intensive internal processes. Order processing, human resource systems, forms processing applications and numerous other personnel intensive business procedures are being automated to introduce efficiencies and reduce costs. But, perhaps the single most inhibiting factor preventing companies from fully utilizing and realizing the potential of this technology is security—more specifically user authentication. In any on-line environment it is critical to establish trust with your customers before conducting business. By first authenticating the user, you can be confident you know the customer is who they say they are and trust that they cannot refute any executed transactions.

Historically, two-factor authentication—which is similar to the model established for ATM cards and machines—has been the most common form of strong authentication for users. To prove identity an individual must present two factors: a token or smart card and a confidential PIN. As with an ATM card, a criminal must steal the physical device and have access to the user’s PIN in order to impersonate that user. This “raises the bar” sufficiently to discourage many identity thieves, who typically will move on, looking for an easier target.

What distinguishes strong authentication from password-based authentication? From a security perspective, the key difference is that a user must provide significantly stronger proof of identity before being granted access to protected resources. Typically, this proof is established by presenting multiple forms of identity or “factors.” The more factors a user must present, the more secure an authentication application is considered to be. (Password solutions only require one identifier and are therefore considered the least secure.) Identifiers fall into three broad categories:

• Something only the user knows. This includes passwords and confidential PINs. We’ve already discussed the fact that passwords are a weak form of user authentication and that companies should not trust a user’s identity based on them.

• Something only the user has. This is usually a physical device (e.g., a token or smart card) that contains a unique and hard-to-defeat identifier (for example, a one-time authentication code or encrypted digital certificate).

• Something only the user is. This category includes biometric identifiers that are unique to an individual, such as retinal or fingerprint scans.

THE ROI BENEFITS OF STRONG AUTHENTICATION

There are four significant business benefits that a company may realize by implementing a strong authentication system: increased revenue, lower costs, increased compliance and mitigated risk.

Increased Revenue

The Internet provides wonderful opportunities for companies to do business electronically. By reaching out to new customers, companies are able to grow their businesses faster and more profitably than ever before. As critical components of the business infrastructure, it is important to authenticate users before granting access to these applications. With strong authentication technology, companies can implement e-business applications securely and watch their revenues grow.

Lower Costs

A strong authentication system can provide the user an authentication method that allows companies to implement cost saving business applications confidently and securely.
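The two-factor scheme described above (a PIN the user knows plus a time-varying code from a device the user has) can be made concrete with a small verifier. The following is an added example written for this page; it is not code from RSA Security, and it does not implement the patented RSA SecurID algorithm. In its place it uses the HMAC-SHA1 time-step construction of RFC 6238 (TOTP) as a stand-in for “seed record plus time of day,” with an assumed 60-second step and six-digit display. The seed, salt, PIN, user name and clock value are constructed demo data. The point it demonstrates is the one the text makes: a PIN alone, a code alone, or a code from an earlier time window must all be rejected, and the server evaluates both factors before answering so it does not reveal which one failed.

```python
import hashlib
import hmac
import struct

# Assumed parameters for this illustration (not RSA SecurID's own): the
# displayed code changes every 60 seconds and has six digits.
TIME_STEP_SECONDS = 60
CODE_DIGITS = 6
PIN_KDF_ITERATIONS = 100_000


def token_code(seed: bytes, unix_time: int) -> str:
    """Code the token would display at `unix_time`, derived from its seed record.

    HMAC-SHA1 truncation in the style of RFC 6238 (TOTP) stands in for the
    token's algorithm: the code depends on the secret seed and the current
    time step, so a captured code is useless once the step has passed.
    """
    step_counter = unix_time // TIME_STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", step_counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** CODE_DIGITS)).zfill(CODE_DIGITS)


class TwoFactorAuthenticator:
    """Server side of the scheme: keeps a PIN verifier and a seed per user and
    accepts a passcode only when both factors check out."""

    def __init__(self, allowed_drift_steps: int = 1):
        # Tolerate this many time steps of clock skew either side of "now".
        self._drift = allowed_drift_steps
        self._users: dict[str, tuple[bytes, bytes, bytes]] = {}

    @staticmethod
    def _pin_verifier(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PIN_KDF_ITERATIONS)

    def enroll(self, user: str, pin: str, seed: bytes, salt: bytes) -> None:
        # Store a salted PIN hash, never the PIN itself; the seed must stay secret.
        self._users[user] = (salt, self._pin_verifier(pin, salt), seed)

    def verify(self, user: str, passcode: str, now: int) -> bool:
        """passcode = PIN followed by the token code currently on the display."""
        record = self._users.get(user)
        if record is None or len(passcode) <= CODE_DIGITS:
            return False
        salt, pin_verifier, seed = record
        pin, code = passcode[:-CODE_DIGITS], passcode[-CODE_DIGITS:]

        # Evaluate both factors before deciding, so a failure in one does not
        # reveal (through timing or error text) which factor was wrong.
        pin_ok = hmac.compare_digest(pin_verifier, self._pin_verifier(pin, salt))
        code_ok = False
        for d in range(-self._drift, self._drift + 1):
            candidate = token_code(seed, now + d * TIME_STEP_SECONDS)
            code_ok |= hmac.compare_digest(code, candidate)
        return pin_ok and code_ok


# Constructed demo data: a fixed seed, salt and clock so the run is repeatable.
DEMO_SEED = bytes.fromhex("3132333435363738393031323334353637383930")
DEMO_SALT = b"demo-salt-not-for-production"
DEMO_NOW = 1_100_000_000  # an arbitrary fixed Unix time


def demo_outcomes(now: int = DEMO_NOW) -> dict[str, bool]:
    """Run the verifier against the cases the text describes."""
    auth = TwoFactorAuthenticator()
    auth.enroll("alice", pin="4711", seed=DEMO_SEED, salt=DEMO_SALT)
    current = token_code(DEMO_SEED, now)
    stale = token_code(DEMO_SEED, now - 5 * TIME_STEP_SECONDS)
    return {
        "pin_and_current_code": auth.verify("alice", "4711" + current, now),
        "pin_only": auth.verify("alice", "4711", now),
        "current_code_wrong_pin": auth.verify("alice", "0000" + current, now),
        "pin_and_stale_code": auth.verify("alice", "4711" + stale, now),
        "unknown_user": auth.verify("bob", "4711" + current, now),
    }


if __name__ == "__main__":
    for case, accepted in demo_outcomes().items():
        print(f"{case:24s} -> {'accepted' if accepted else 'rejected'}")
```

Only the first case is accepted. The drift window of one step is a usability concession for clock skew between token and server; widening it trades directly against the replay protection the time step provides, which is the same trade-off a real deployment has to make.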

Compliance

Concerned with the privacy rights of individuals, government agencies and industry organizations have created legislation and regulations that mandate companies to maintain strict standards to protect personal information. Failure to comply with these laws and regulations can result in significant fines to the offending companies. Further, customers and partners may refuse to conduct business with a company unless it is in compliance with these requirements. By providing strong user authentication before allowing access to critical resources, companies can meet various compliance requirements.

Mitigated Risk

The losses that can be accumulated as a result of a network breach are well publicized. There are daily stories and numerous studies that chronicle the risk facing companies and other organizations. And, as increasingly more valuable data is made available and higher volume transactions are conducted online, the risk continues to grow. Strong authentication can help companies to mitigate their risk by proving the identities of users before granting access to sensitive information and applications.

CONCLUSION

It’s obvious that password security isn’t really free. There are many hidden costs involved—including ongoing management expenses—which are often overlooked when calculating the total cost of ownership (TCO) of such a solution. Further, one must take into account that weaker levels of security often result in costly breaches, while stronger security enables enhanced revenue opportunities. As a result, there is much to be considered when contemplating the use of password security in lieu of stronger authentication. This positioning paper and accompanying worksheet will help you understand the actual costs involved in password security. To compare these costs directly with that of a strong authentication solution, we encourage you to contact RSA Security for comprehensive cost analysis of your unique environment.

AUTHENTICATION SCORECARD

In planning a strong authentication strategy, an organization can choose from a range of authentication methods and form factors. Different combinations of methods and form factors offer different value propositions in terms of security, ease of use, portability, scalability, reliability and, of course, cost of ownership. For organizations that want to evaluate the merits of different strong authentication methods, the Authentication Scorecard, available at www.rsasecurity.com, can help organizations select the most appropriate technologies for their mix of authentication challenges. This vendor-neutral tool offers a consistent, structured framework and calculator.

ABOUT RSA SECURITY

RSA Security Inc. helps organizations protect private information and manage the identities of people and applications accessing and exchanging that information. RSA Security’s portfolio of solutions—including identity & access management, secure mobile & remote access, secure enterprise access and secure transactions—are all designed to provide the most seamless e-security experience in the market. Together with more than 1,000 technology and integration partners, RSA Security inspires confidence in everyone to experience the power and promise of the Internet. Our strong reputation is built on our history of ingenuity, leadership, proven technologies and our more than 15,000 customers around the globe. For more information, please visit www.rsasecurity.com.

APPENDIX A — 3-YEAR TOTAL COST OF OWNERSHIP WORKSHEET

                                                    Amount                         Notes / Hints
Enter the total # users                             A
Enter server software cost                          B                              Purchase price
Enter annual maintenance                            C                              One year’s cost
Enter cost of tokens, smart cards, readers, etc.    D                              Needed to purchase for deployment
Estimate deployment cost per user                   E                              Consider user request, approval, IT setup, mailing costs, training, etc.
Estimate the # of authentication help desk
  calls per user, per year                          F                              Gartner reports 3.8 on average
Estimate help desk cost per call                    G                              Help Desk Institute says $20–30 covers help desk personnel & systems
Estimate the average hourly cost per user           H                              Include salary, benefits, etc.
Estimate the average end user time lost
  (minutes per call)                                I                              20 minutes is common
Estimate average help desk personnel time
  (minutes per call)                                J                              10 minutes is conservative
Estimate your company’s hourly productivity
  return per user                                   K                              Expected revenue minus fully burdened employee cost divided by weeks worked and then by hours per week
Calculate acquisition costs                         B + (C*3) + D
Calculate deployment costs                          A*E
Calculate management costs, figuring:
  Help desk costs                                   A*F*G*3
  Lost end user time                                A*F*(I/60)*H*3
  Lost productivity                                 A*F*((I+J)/60)*K*3
Three year total cost of ownership                  Sum of acquisition, deployment and management costs
Cost per employee per year                          3 Year TCO divided by A (# of users) divided by 3 (years)
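The worksheet above, carried through as code so the formulas can be re-run with an organization’s own inputs. This is an added example written for this page, not the paper’s own spreadsheet; the field names are mine and map one-to-one to lines A–K. Running it with the paper’s 1,000-user inputs shows one thing the prose does not: the worksheet’s exact formula prices lost end user time at 20/60 × $40 = $13.33 per call, whereas the body of the paper rounds that to $13, which is why the exact three-year total comes to $677,000 rather than the paper’s $673,200. The `round_per_call_to_dollar` flag reproduces the paper’s rounding so both figures can be checked.

```python
from dataclasses import dataclass

YEARS = 3  # the worksheet is a three-year TCO


@dataclass(frozen=True)
class WorksheetInputs:
    """Lines A-K of the Appendix A worksheet (names are this example's own)."""
    users: int                            # A  total number of users
    server_software: float                # B  purchase price
    annual_maintenance: float             # C  one year's cost
    authenticators: float                 # D  tokens, smart cards, readers, etc.
    deployment_cost_per_user: float       # E  request, approval, IT setup, mailing, training
    help_desk_calls_per_user_year: float  # F
    help_desk_cost_per_call: float        # G
    hourly_cost_per_user: float           # H  fully burdened
    user_minutes_per_call: float          # I
    help_desk_minutes_per_call: float     # J
    hourly_productivity_return: float     # K


def acquisition_cost(w: WorksheetInputs) -> float:
    """B + (C*3) + D"""
    return w.server_software + w.annual_maintenance * YEARS + w.authenticators


def deployment_cost(w: WorksheetInputs) -> float:
    """A*E"""
    return w.users * w.deployment_cost_per_user


def per_call_costs(w: WorksheetInputs, round_per_call_to_dollar: bool = False) -> dict:
    """The three components the worksheet multiplies by the number of calls.

    With round_per_call_to_dollar=True each component is rounded to a whole
    dollar first, which is what the paper's narrative does ($13 for 20 minutes).
    """
    help_desk = w.help_desk_cost_per_call                                      # G
    user_time = (w.user_minutes_per_call / 60) * w.hourly_cost_per_user         # (I/60)*H
    productivity = ((w.user_minutes_per_call + w.help_desk_minutes_per_call) / 60) \
        * w.hourly_productivity_return                                         # ((I+J)/60)*K
    if round_per_call_to_dollar:
        help_desk, user_time, productivity = (round(x) for x in (help_desk, user_time, productivity))
    return {"help_desk": help_desk, "lost_user_time": user_time, "lost_productivity": productivity}


def management_costs(w: WorksheetInputs, round_per_call_to_dollar: bool = False) -> dict:
    """A*F*G*3, A*F*(I/60)*H*3 and A*F*((I+J)/60)*K*3 as a dict."""
    calls_over_period = w.users * w.help_desk_calls_per_user_year * YEARS
    return {name: calls_over_period * cost
            for name, cost in per_call_costs(w, round_per_call_to_dollar).items()}


def three_year_tco(w: WorksheetInputs, round_per_call_to_dollar: bool = False) -> dict:
    """Every line of the worksheet, plus the per-call and per-user figures the paper quotes."""
    mgmt = management_costs(w, round_per_call_to_dollar)
    acquisition = acquisition_cost(w)
    deployment = deployment_cost(w)
    total = acquisition + deployment + sum(mgmt.values())
    return {
        "acquisition": acquisition,
        "deployment": deployment,
        **mgmt,
        "total": total,
        "cost_per_call": sum(per_call_costs(w, round_per_call_to_dollar).values()),
        "management_per_user_per_year": sum(mgmt.values()) / w.users / YEARS,
        "cost_per_employee_per_year": total / w.users / YEARS,
    }


# The paper's own 1,000-user password scenario, entered as worksheet inputs.
PAPER_PASSWORD_SCENARIO = WorksheetInputs(
    users=1000, server_software=0, annual_maintenance=0, authenticators=0,
    deployment_cost_per_user=12, help_desk_calls_per_user_year=3.8,
    help_desk_cost_per_call=25, hourly_cost_per_user=40,
    user_minutes_per_call=20, help_desk_minutes_per_call=10,
    hourly_productivity_return=40,
)

if __name__ == "__main__":
    for label, rounded in (("exact worksheet", False), ("paper's rounding", True)):
        print(label)
        for k, v in three_year_tco(PAPER_PASSWORD_SCENARIO, rounded).items():
            print(f"  {k:30s} {v:>12,.2f}")
```

To compare against a strong authentication deployment, fill lines B, C and D with the vendor’s quoted prices and adjust E for the token issuance step; the paper gives no such prices, so none are assumed here.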

APPENDIX B — ESTIMATING RISK 6

Considering the following expense categories and asking some of these questions can help you establish your company’s risk exposure.

Lost business — Companies lose business when systems are unavailable to their customers and sales teams. What would be the cost to your company if you were unable to conduct normal business because your information systems were inaccessible or compromised? Can you estimate how long the systems would be down? How much business does your company normally do in an hour, a day, or a week?

Labor costs — When a system has been attacked, technical resources must be assigned to find and fix the problem. How many people and how long would it take to bring the system back into service? What is the hourly rate of those people? Would there be a need to bring in consultants to help?

Idled users — When a breach occurs, systems are usually shut down and the staff that relies on those systems is rendered non-productive while the IT department tries to contain and repair the damage. How many people would be idled due to unavailable resources? How long would they be idled? What are their hourly rates?

Public relations — It is common that security breaches become public knowledge and companies find it necessary to prepare statements for the press, and answer customer inquiries. Would there be a need to hire a firm to manage the public relations dilemma caused by the breach? If this were to be done by in-house staff, what are the resources your company would expend? What would be the cost in either consulting fees or employee salaries?

Cost of defending the company — Security breaches can result in liability suits due to a failure to protect private information or from the inability to deliver contracted services. Does your company have any contractual obligations that could not be met as a result of compromised systems? Are you subject to any fines due to industry compliance regulations related to information privacy? What would it cost your company to defend itself?

Labor costs of the IT staff and legal representation — To discourage others, many companies choose to prosecute perpetrators of security breaches. Obviously, there are expenses associated with the collection of forensic evidence and the prosecution of an attacker. How long will it take and how much will it cost to find out who invaded your systems? What will it cost your organization to mount a legal case against the offending individual or company?

Customers’ loss of trust — Customers rely on your organization’s ability to execute business in a reliable manner. Will customers stop conducting business with your company because they don’t have faith in its ability to execute transactions or protect private and sensitive data?

Failure to win new accounts — While difficult to measure, damage to a company’s reputation can have lasting impact on its ability to attract new customers. Will prospects avoid your company because of negative publicity?

Loss of intellectual property — Critical information in the hands of a competitor can do a tremendous amount of damage. What would be the financial impact if your competitor were to gain access to confidential or proprietary information? Could accounts be stolen? Could new designs be uncovered?

6 What Does a Computer Security Breach Really Cost?, Anita D’Amico, SANS Institute, September 7, 2000


RSA, the RSA logo, RSA Security, SecurID and Confidence Inspired are registered trademarks or trademarks of RSA Security Inc. in the U.S. and/or other countries. All other trademarks mentioned herein are the property of their respective owners. ©2004 RSA Security Inc. All rights reserved. CLHC WP 0804