Security can be a vicious cycle. A breach occurs. Enterprises add a new level of security. That increases inconvenience for users, who find workarounds. Then there's another breach and the cycle begins again.

“Every time we have a breach, we add another three feet of security fencing, and expect the users to just climb three feet higher,” says Andre Boysen, chief identity officer at Ontario-based SecureKey Technologies.

One of the coping mechanisms that users adopt is to share passwords across multiple sites – once any of those sites is compromised, all of those accounts could potentially be compromised, including those that are work related.

“And as much as we're in password hell now, the second factor hell that's coming is even worse,” he says. Text messages, smartphone apps, USB key fobs, voice, video and thumbprint scanners – the second factor technologies are multiplying with no end in sight, and no clear winners.

“It's confusing the hell out of users,” he says.

Companies are addressing this issue by reducing the number of passwords their users need, implementing password management tools to help them manage the passwords they have, and switching to more user-friendly second factor systems like smartphone apps.

Here are five ways that companies are addressing the password problem:

Cloud-based password management services

Implementing single sign-on is tricky enough in a centrally managed organization. It can be nearly impossible when trying to impose it on autonomous units.

That's the kind of password problem Rotary International was facing.
The global service organization has 1.2 million members, who are part of 34,000 different clubs. Since the clubs are autonomous, a member might have one login and password for the club website, another for the regional site, another for the national site, and even more for mobile apps and other services developed by fellow Rotarians.

“It was a home-grown hodge-podge of things,” says Peter Markos, CIO of Evanston, Ill.-based Rotary International, the parent organization.

The challenge was to update security throughout the organization, including for the autonomous club websites. “That led us to the cloud,” he says. Specifically, it led them to Okta, an on-demand identity and access management vendor.

Plus, cloud delivery meant that Rotary would be getting constant improvements. “We can now offer security as a service,” he says. The local club can send the login request to the parent organization, which acts as the central hub that all clubs and members can connect to.

“It simplifies the life of the club,” he says. “They don't have to manage their own users. And it simplifies life for the member, and makes the wealth of resources around the globe easier to access.”

The most difficult part of the process is getting the individual clubs on board. Around 8,000 clubs use off-the-shelf club management software, and the security as a service is already available through that channel. Another 1,000 or so clubs have switched over on their own. Markos says the adoption rate is starting out slow, but he hopes that it will pick up as the technology proves itself and reaches critical mass.

“There's a lot of reluctance to give up control,” he adds.

Rotary is also looking at changing the way the passwords themselves look, away from the standard eight-character password that they launched with.

“We're looking at getting rid of the special character, the capital letter, the number, and just increasing length, encouraging them to use a phrase,” he says. “It's really length that's going to provide the security and address brute force type attacks – and our members will be appreciative of something easier to remember.”

Off-the-shelf password management software

Secure-24, a Detroit-based managed hosting company that serves automotive, manufacturing and healthcare companies, has a similar problem – the company has to manage passwords on behalf of its clients, who need their own, secure access to their systems. And there's a twist.

“They'll have us create passwords for different servers and different technologies – but they wouldn't want us to know them or save them or remember them,” says Eric Zehnder, the company's systems improvement engineer.

To solve this problem, Secure-24 turned to Thycotic's Secret Server enterprise password management software. The software provides automated password management for multiple clients, in multiple domains.

And there's no risk of the passwords getting into the wrong hands. “The users never even know the passwords,” says Kevin Jones, Thycotic's enterprise information security architect.

Smartphone apps for two-factor authentication

Of course, users do have to authenticate themselves to the system at some point to start with.
Reducing the total number of logins means that the first login becomes more important. Secure-24 uses two-factor authentication to securely identify users, but here, as well, the company is working to make the process simpler.

In the past, the second factor was typically key fobs – RSA SecurID or Vasco Digipass, depending on client preferences. That worked out well for those employees who kept their fobs on their key chains.

“How would they get to work if they didn't have their keys?” says Secure-24's Zehnder. But some employees kept theirs on lanyards, which were easier to forget at home.

Plus, telecommuters might not have their keys on them while working. “I usually have my phone with me, but I don't usually have my keys with me,” says Zehnder.

The company is now moving away from the key fobs to apps that run on iPhones and Androids. “I notice that there are more numbers too – our soft tokens have an eight-digit PIN, and before it was only six,” he adds.

The phone-based systems can be quite a bit less expensive, as well, he says. Secure-24 used to buy big racks of key fobs, at around $100 each. “For these tiny little key fobs,” Zehnder says. “One client that had to use them with our technology would get very angry every time someone lost theirs because it was expensive to replace. The app is free – so it's quite a bit cheaper.”

Plus, if a phone is lost, it's easy to disable the app remotely, he adds.

And now there's even more good news for fans of smartphone-based second factor systems. As part of the iOS update in September, Apple has opened its Touch ID fingerprint sensor to third-party developers.

“I wouldn't be surprised to start seeing password apps that use your fingerprint to generate a random password or random code,” says Charles Tendell, founder of security consulting firm Azorian Cyber Security. “And with it being simpler, we'll see more widespread adoption.”

This area of security technology is evolving quickly, says Maria Horton, founder of EmeSec, a security consultancy. Horton was previously the CIO for the National Naval Medical Center and now works with a number of federal agency clients.

The financial sector is going to be very influential when it comes to the development of this technology, and the government sector will also be a significant player.

Two years ago, the main issue at the federal government level was knowledge sharing, she says. “But part of the knowledge sharing was difficult because of identity access control,” she says. So, this spring, a new initiative was launched around identity credentialing and management.

“It's in the aspirational stages,” she says, but the federal government is recognizing that this is an issue, and has begun exploring potential strategies.

“I think you will have a handful of winners,” she says. “If we ever try to go to a single winner, we'll actually increase risk in the system because that winner will be targeted – and also because then there's no reason to increase functionality or capability.”

Privileged users first

Converting an entire organization to a new password management or authentication system can be extremely difficult, especially when users have to change their behaviors.

Ken Ammon, chief strategy officer of Virginia-based security vendor Xceedium, suggests that companies start with their privileged users first. It's a smaller group, and improving security here will have the biggest return on investment.

For example, some companies use role-based access, or have multiple people sharing the same administrator account, or allow root users.
\u201cThere's no way to tell who's doing what,\u201d he says.If a hacker gets into a company's systems, and is able to worm their way to those credentials, they can also do a significant amount of damage.In fact, that's exactly what happened with many of this year's top security breaches, including the eBay breach earlier this year, where hackers made off with about 145 million user records.Cyber-attackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay\u2019s customer database, eBay reported in a statement.Passphrases instead of passwordsAnother relatively simple place to start is to move away from the standard password type \u2013 eight characters, with symbols, numbers, and capital letters \u2013 and instead allow your users to have long but easy-to-remember passphrases, instead.\u201cBased on all the training we have given our users over the past few years, the only good passwords are ones that they can't remember,\u201d says Keith Palmgren, member of the cyber defense curriculum team at SANS. \u201cA longer password, something you can remember easily \u2013 like 'i went fishing last saturday night' \u2013 is a very good password even if it\u2019s all lower case. It's not going to show up in any hacker's dictionary. If a company that's trying to do the right thing but can't afford to move to the two-factor, token-based or biometric authentication systems, they should take a closer look at their password policies and start changing them up a little bit and making them a little bit more realistic.\u201dAnother thing that companies can do is offer their employees the use of personal password management tools, so that they aren't tempted to use the same passwords at work as they do on personal websites.Palmgren uses LastPass. \u201cI have an online banking password that is 30-some characters in length,\u201d he says. 
\u201cIt is highly complex and I don't need to remember it because LastPass does it for me.\u201dSome companies have begun getting the enterprise version of LastPass for their employees, he says. LastPass is a cloud-based service that works in conjunction with a locally installed desktop or smartphone app that handles the encryption.\u201cThe only thing stored on our servers is the encrypted blob for which we don't have the key,\u201d says LastPass spokeswoman Cid Ferrara.More than 5,500 organizations use LastPass, she says, from small and midsize companies to Fortune 500s. Work and personal passwords are kept separate, but are linked so that users don't have to switch between their personal and work LastPass accounts.Companies can use the platform in combination with a wide array of second-factor authentication technologies or with SAML-based single sign-on systems.It allows companies to manage the members of a team who, say, share access to accounts. These shared password folders are one of the main differences between the consumer and enterprise versions of the service.\u201cYou might have a team of five marketers, but they all need to share that credential,\u201d she says. \u201cShared folders can do that securely, without losing any trackability.\u201dKorolov is a freelance writer. She can be reached at\firstname.lastname@example.org.