All of your business systems’ users have confidential passwords. Does that mean your system and its contents are safe? Definitely not. As this article explains, organizations that don’t ensure the ongoing security of their passwords are exposing themselves to fraud and potential liability by failing to protect confidential information.
Recent years have seen a surge in the sophistication and volume of hacker attempts to gain unauthorized access to online proprietary corporate information and processes. Moreover, a growing list of federal, state and local laws and regulations requires organizations to safeguard the privacy of customer and employee data in their systems. In response, system managers have had to impose strict measures governing the creation and periodic revision of passwords, as well as the number of incorrect attempts to enter a password the system will allow before it locks the user out of the account.
Such requirements do improve security. But because fraudsters stand to gain—perhaps greatly—they continue to devise ingenious and often very successful ways to decode, or crack, employee and/or customer passwords. To help you defeat such attacks, this article explains hackers’ various techniques and illustrates detailed countermeasures that can foil most, if not all, attempts to crack your passwords.
This article discusses techniques for preserving the security of passwords that control access to a system. It complements “Managing Multiple Identities” (JofA, Sept. 08, page 38), which addresses the risks associated with users who have separate IDs and passwords on multiple systems and applications. The following discussion and examples apply to any kind of system and pertain equally to an organization’s employees and any customers who use its systems. For clarity, the examples in this article employ very brief passwords and other character strings. In actual practice, effective security requires passwords and strings much longer than those in the following illustrations.
The system administrator is responsible for maintaining all passwords in a table and for employing due diligence to safeguard their confidentiality and, thus, enforce system security. A password table is an electronic dataset of columns and rows listing each user’s ID and password (see Exhibit 1). When a user attempts to log in, the system compares the ID and password the user enters with the values in the password table. If they match, the system admits the user.
The risk inherent to a password table is that it could be compromised. For example, a hacker could gain unauthorized remote access to it or it could be intentionally divulged to an outsider by, perhaps, a terminated system administrator. To illustrate this, assume that XYZ Bank requires its employees to use passwords that consist of at least five numbers and uppercase or lowercase letters. The bank maintains these passwords in a password table. Exhibit 2 shows the three primary password formats available to system managers, and indicates the relative risk associated with each method. Let’s discuss those alternatives in detail.
1. Clear-text passwords. As Exhibit 1 illustrates, this unencrypted format plainly reveals the system passwords to anyone who views the table. System administrators should ensure their staffs understand the danger and inadvisability of storing passwords in cleartext format.
2. Basic hash encryption. This option involves encrypting passwords before storing them in a table. One common technique involves the use of a mathematical hashing formula, which converts a user’s password into an encrypted alphanumeric value. Exhibit 3 illustrates the process of hashing.
With hashing, only the user knows his or her password. The system administrator will know only the hashed value of the user’s password. And if a hacker somehow were to learn that hashed value, he or she wouldn’t be able to “reverse-compute” the password.
If a user forgets his or her password, he or she can request a temporary one, which the system administrator can send to the e-mail address specified in the user’s system profile. To guard against misuse of the temporary password by an unauthorized person, the system should require the user to answer a previously agreed-upon question. For example, after the user keys in the temporary password, the system could ask him or her to provide his or her mother’s maiden name. At this point, the system also should require the user to choose a new permanent password.
But while basic hash encryption makes passwords harder to crack, it is not a serious challenge for many hackers. That’s because basic hashed values can be vulnerable to hacker attacks employing rainbow tables, which are lists of the precomputed hashed values of thousands of words that employees may have chosen as passwords.
For example, consider Exhibit 4, which shows a table of passwords that are hashed versions of those in the cleartext table in Exhibit 1. If a hacker obtained a copy of the table in Exhibit 4, he or she could compare it to a rainbow table, searching for matches. As Exhibit 4 illustrates, there’s a good chance a match would be found.
Exhibit 5 illustrates the results of using Ophcrack, a hacker program that employs rainbow tables to crack passwords encoded by the LAN Manager hashing system, which Windows XP uses to encrypt and store user passwords. Windows Vista uses the NT LAN Manager (NTLM) hashing system, and recent versions of Ophcrack can decode Vista passwords.
As indicated in Exhibit 5, a hacker would be able to crack the most difficult hashed Windows XP password in less than eight minutes. Clearly, your system needs stronger protection than this; read on to see how you can obtain it.
3. Salted hash encryption. This preferred method involves the use of what is popularly known as a salt string. (In this context, “salt” is merely a metaphorical term, not an acronym.) A salt string is a random array of characters created and then attached to a user’s password before hashing it. This extra step—adding salt—exponentially increases the difficulty of cracking the password. With unsalted hashing, there’s a good chance one of the hacker’s rainbow tables will contain a match for the password he or she is trying to deduce. But when the password contains salt—which the rainbow table probably won’t contain—the odds of a match diminish, and the hacker is likely to be slowed down and stumped. Once a hacker realizes your system uses salted hashing, he or she probably will move on, searching for a system not protected by salt. Exhibit 6 illustrates the use of salt in a hashing system. Sometimes the best defense is one that persuades an attacker to look for a different target.
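The unsalted-versus-salted comparison the article describes, as an added example rather than code from the article or its exhibits. SHA-256 (the article does not name a hash), the three sample users and the five-word list are constructed for this example, and the dictionary of precomputed digests stands in for the hacker's rainbow table.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for this example, not taken from the article.
USERS = {"asmith": "Giants", "bjones": "Giants", "cwu": "H553f83"}

# A tiny stand-in for the hacker's precomputed table: a handful of words
# employees might pick as passwords, hashed in advance.
WORDLIST = ["password", "Giants", "letmein", "Bears", "123456"]

def digest(data: str) -> str:
    # SHA-256 is an assumption of this example. In production a deliberately
    # slow function such as hashlib.pbkdf2_hmac would be used in its place.
    return hashlib.sha256(data.encode()).hexdigest()

def unsalted_table(users):
    # "Basic hash": same password -> same stored value for every user.
    return {uid: digest(pw) for uid, pw in users.items()}

def salted_table(users):
    # One random salt per user, kept beside the hash (the article suggests
    # a separate table; a second column is equivalent for the demonstration).
    table = {}
    for uid, pw in users.items():
        salt = secrets.token_hex(8)
        table[uid] = (salt, digest(salt + pw))
    return table

def precomputed_lookup(hashed_table, wordlist):
    # The attacker's side: hash each word once, then scan a stolen table
    # for any digest that appears in the precomputed list.
    rainbow = {digest(w): w for w in wordlist}
    return {uid: rainbow[h] for uid, h in hashed_table.items() if h in rainbow}

def verify(stored, uid, attempt):
    # Login check: re-hash the attempt with the user's salt and compare in
    # constant time so the comparison itself leaks nothing about the value.
    salt, expected = stored[uid]
    return hmac.compare_digest(digest(salt + attempt), expected)

def demo():
    cracked = precomputed_lookup(unsalted_table(USERS), WORDLIST)
    salted = salted_table(USERS)
    salted_hashes = {uid: h for uid, (_, h) in salted.items()}
    cracked_salted = precomputed_lookup(salted_hashes, WORDLIST)
    same_pw_differ = salted["asmith"][1] != salted["bjones"][1]
    return cracked, cracked_salted, same_pw_differ
```

Running `demo()` recovers both "Giants" users from the unsalted table and nothing from the salted one, and shows that the two users sharing a password no longer share a stored value.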
1. Start by developing a full understanding of how your computer system stores passwords. Some systems are configured to automatically perform this process; others allow system administrators to implement their own password storage procedures. In either case, the resulting encryption must be strong enough to prevent hackers from decrypting passwords. As the examples demonstrate, sophisticated hackers can use rainbow tables and other techniques to defeat mediocre encryption.
2. Determine whether your encryption method is powerful enough to safeguard your system, and ensure users choose passwords wisely. At a minimum, your system should encrypt all passwords and require that they contain at least eight random characters, comprising one or more numerals and a mixture of uppercase and lowercase letters. These dual precautions address two risks to password security. First, encryption conceals the contents of the password table from anyone who gains unauthorized access to it. Second, ensuring that passwords consist of diverse and conceptually unrelated characters (for example, “H553f83” instead of “Giants”) makes it more difficult for a nearby surreptitious observer to detect a password’s characters as the user keys them in, and it strengthens passwords against dictionary attacks.
3. If your analysis reveals that your password security is inadequate, begin your search for improvements at the lower end of the cost spectrum. For example, software coding platforms, such as Java and Microsoft .Net, offer encryption capabilities that are economical, do-it-yourself ways to design and implement a better encryption system—provided, of course, that you or someone in your organization has the requisite ability and knowledge.
If such skills are not available to you in-house, you could hire a consultant. The consultant’s programming code will control access to your system, so be sure he or she is skilled in secure coding practices involving encryption. Also, find out whether your vendor offers an upgrade that would strengthen your system’s encryption and make your passwords more secure.
Before you choose a strategy, carefully compare the relative costs and benefits of each option. Remember that the financial impact of a security breach caused by inadequate encryption could far exceed the expense of implementing a fully effective system.
4. If your assessment reveals that you need an entirely new password management system, look for “yes” answers to each of the following four questions when you evaluate products. Does each system under consideration:
- Encrypt and salt passwords when storing them?
- Hide passwords with asterisks when users key them during login?
- Log out users after a certain period of inactivity?
- Lock out users after a small number (for example, 3 to 5) of failed login attempts?
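The two mechanical requirements in the steps above, the password composition rule from step 2 and the failed-login lockout from step 4, as an added example that is not code from the article. The threshold of three attempts follows Exhibit 7; the credential store and the `check_password` callback are constructed stand-ins (a real system would plug in its salted-hash verification).

```python
import re
from dataclasses import dataclass, field

MIN_LENGTH = 8         # step 2: at least eight characters
LOCKOUT_THRESHOLD = 3  # step 4 / Exhibit 7: lock after three failed attempts

def policy_violations(password: str) -> list:
    """Return the article's password rules that `password` breaks (empty if it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"\d", password):
        problems.append("no numeral")
    if not re.search(r"[A-Z]", password) or not re.search(r"[a-z]", password):
        problems.append("not a mixture of uppercase and lowercase")
    return problems

@dataclass
class LoginGuard:
    # check_password(uid, attempt) -> bool is supplied by the caller.
    check_password: callable
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def attempt(self, uid: str, password: str) -> str:
        if uid in self.locked:
            return "locked"            # a correct password no longer helps
        if self.check_password(uid, password):
            self.failures.pop(uid, None)   # success resets the counter
            return "ok"
        self.failures[uid] = self.failures.get(uid, 0) + 1
        if self.failures[uid] >= LOCKOUT_THRESHOLD:
            self.locked.add(uid)
            return "locked"
        return "rejected"

def demo():
    # Constructed credential store for the example; compares clear text only
    # so the lockout logic is visible. Replace with a salted-hash verify.
    creds = {"asmith": "Tk7mq2Pz"}
    guard = LoginGuard(lambda u, p: creds.get(u) == p)
    results = [guard.attempt("asmith", "wrong") for _ in range(3)]
    results.append(guard.attempt("asmith", "Tk7mq2Pz"))  # locked, even though correct
    return results
```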
5. Regardless of how confident you are in the accuracy and completeness of your security assessment and any remedial solutions you may choose, consider conducting a penetration test. This is an exercise in which a knowledgeable third party you hire does his or her best to break into your system, and then shares with you the results. Intentionally exposing your system to whichever approaches and techniques such experts use is the best way to see how well your system would defend itself against an actual hacker attack. Such information is invaluable; money paid to obtain it is well spent.
Disclaimer: This article discusses only some of the various encryption systems in use, and the recommendations it offers are only suggestions. Do not use them without carefully considering their suitability for your particular circumstances.
Exhibit 7: Safe Password Practices
- Advise users to never put their password on a Post-it Note or in another unsafe location.
- Prohibit users from including a clear-text password in an e-mail message.
- Require users to consult a manager when an unfamiliar person asks for a password via e-mail or over the phone.
- Tell users to always say “No” when Windows or any other software offers to save their password.
- Require all employees to change their password at least every one to two months.
- Lock out of the system any user who has been unable to log on after three attempts.
- Store salt values and passwords in separate system tables.
Exhibit 8: Offense and Defense

Primary security risk: Failing to enhance password security in order to focus on searching for a “perfect” security system and obtaining more funding.
Defense:
- Immediately improve password security procedures.

Primary security risk: Implementing new system security procedures or a new security system without adequate planning and full knowledge of the current system’s capabilities.
Defense:
- Learn how the current system stores and protects passwords.
- Observe employees’ password-related practices (for example, check for notes near monitors).
- Identify the security system capabilities necessary to ensure employees’ adherence to password security requirements.
- Perform a thorough needs analysis before buying new security software.

Primary security risk: Inconsistently enforcing safe password practices.
Defense:
- Obtain high-visibility, senior management support of safe password practices, and publicize them to all employees.
- Enforce all safe password practices without exception.
- Make adherence to safe password practices a condition of employment.
Exhibit 9: Glossary of Key Terms

Clear text: Unencrypted characters in, for example, a password.

Crack: To decode an encrypted password.

Social engineering: A hacker’s use of a plausible pretext to intimidate or trick an employee into divulging a password without proper authorization.

Dictionary attack: A hacker-originated automated process that repeatedly attempts to log on to a system, using many thousands of words (contained in the hacker’s ad hoc “dictionary”) as potential passwords.

Hashing: A process that follows a mathematical formula to convert a user’s password into an encrypted alphanumeric value. Despite its harder-to-crack encryption, hashing has security weaknesses.

Rainbow tables: Hacker-created lists of the precomputed hashed values of thousands of words that users may have chosen as passwords. Hackers search rainbow tables for matches with hashed passwords they encounter in password tables. Often hackers quickly find a match—and thereby crack—hashed passwords.

Salt: A metaphorical term for a random array of characters that will be attached to a password to strengthen it against hackers.

Salted hashing: A technique to make passwords harder to crack. It consists of adding a salt value to a password, and then hashing it.

Penetration test: An exercise in which a knowledgeable third party you hire attempts to break into your system and shares with you the results of the attempt.
A business system’s users, managers and auditors share responsibility for its safety under the principle of due care. Proper management of system passwords is critically important to system security.
Compelling reasons to ensure system security include not only the welfare of the organization, but its obligation to protect the privacy of confidential information within the system.
Password management consists of more than selection of character strings not easily deduced by unauthorized parties. Various techniques, including simple precautions, can improve password security.
Managers and auditors should familiarize themselves with the tools and techniques hackers use as well as proactive countermeasures, including advanced password encryption and system security evaluations.
Before adopting a strategy, managers should understand the strengths and weaknesses of their current system and the criteria for determining whether to augment it or replace it with something more advanced.
Those efforts should not delay immediate implementation of “safe computing” practices to mitigate the risk of compromised password security.
When deciding whom to engage for help in creating or enhancing encryption functionality, managers should evaluate the knowledge, skills and abilities of in-house staff as well as those of third-party security experts.
James F. Leon, CPA, CISSP, Ed.D., is a visiting assistant professor and the director of IT training in the Department of Computer Science at Northern Illinois University in DeKalb. His e-mail address is firstname.lastname@example.org.
“Managing Multiple Identities,” JofA, Sept. 08, page 38
The Information Technology (IT) Center provides a venue for CPAs, their clients, employers and customers to research, monitor, assess, educate and communicate the impact of technology developments on business solutions. Visit the IT Center at www.aicpa.org/INFOTECH. Members who want to maximize information technology to increase efficiency and boost profits may be interested in joining the IT Member Section or pursuing the Certified Information Technology Professional (CITP) credential. For more information about the IT Member Section or the CITP credential, visit www.aicpa.org/IToffers. For privacy standards, rules and regulations, visit the IT Center’s Privacy/Data Protection page at www.aicpa.org/privacy.
The IT Center also offers the following resources on information security:
Discussion Paper: Identity Management and Access Control. With the near ubiquity of computerized accounting systems, identity and access management (IAM) has become a critical entity-level control functioning both at the system and application levels. This article introduces the related concepts of Identity Management and Access Control and discusses why they are so crucial for CPAs to understand.
Java Developer Resources, java.sun.com
LAN Manager, aka “LM,” tinyurl.com/dkaa5f
Message Digest Algorithm 5, aka “MD5,” tools.ietf.org/html/rfc1321
Secure Hash Algorithm 1, aka “SHA-1,” tinyurl.com/dmsxah
Gramm-Leach-Bliley Act, tinyurl.com/8k3e6
Health Insurance Portability and Accountability Act (HIPAA), tinyurl.com/8odm7e
AICPA tally of states and territories that have enacted legislation governing data security breaches, tinyurl.com/bdy9wq
Payment Card Industry Data Security Standard (PCIDSS), tinyurl.com/d9xcbs