Password management strategies for safer systems: foil hackers. Strengthen and protect your systems' passwords.
* A business system's users, managers and auditors share responsibility for its safety under the principle of due care. Proper management of system passwords is critically important to system security.
* Compelling reasons to ensure system security include not only the welfare of the organization, but its obligation to protect the privacy of confidential information within the system.
* Password management consists of more than selection of character strings not easily deduced by unauthorized parties. Various techniques, including simple precautions, can improve password security.
* Managers and auditors should familiarize themselves with the tools and techniques hackers use as well as proactive countermeasures, including advanced password encryption and system security evaluations.
* Before adopting a strategy, managers should understand the strengths and weaknesses of their current system and the criteria for determining whether to augment it or replace it with something more advanced.
* Those efforts should not delay immediate implementation of "safe computing" practices to mitigate the risk of compromised password security.
* When deciding whom to engage for help in creating or enhancing encryption functionality, managers should evaluate the knowledge, skills and abilities of in-house staff as well as those of third-party security experts.
All of your business systems' users have confidential passwords. Does that mean your system and its contents are safe? Definitely not. As this article explains, organizations that don't ensure the ongoing security of their passwords are exposing themselves to fraud and potential liability by failing to protect confidential information.
Recent years have seen a surge in the sophistication and volume of hacker attempts to gain unauthorized access to online proprietary corporate information and processes. Moreover, a growing list of federal, state and local laws and regulations requires organizations to safeguard the privacy of customer and employee data in their systems. In response, system managers have had to impose strict measures governing the creation and periodic revision of passwords, as well as the number of incorrect attempts to enter a password the system will allow before it locks the user out of the account.
Such requirements do improve security. But because fraudsters stand to gain--perhaps greatly--they continue to devise ingenious and often very successful ways to decode, or crack, employee and/or customer passwords. To help you defeat such attacks, this article explains hackers' various techniques and illustrates detailed countermeasures that can foil most, if not all, attempts to crack your passwords.
This article discusses techniques for preserving the security of passwords that control access to a system. It complements "Managing Multiple Identities" (JofA, Sept. 08, page 38), which addresses the risks associated with users who have separate IDs and passwords on multiple systems and applications. The following discussion and examples apply to any kind of system and pertain equally to an organization's employees and any customers who use its systems. For clarity, the examples in this article employ very brief passwords and other character strings. In actual practice, effective security requires passwords and strings much longer than those in the following illustrations.
The system administrator is responsible for maintaining all passwords in a table and for employing due diligence to safeguard their confidentiality and, thus, enforce system security. A password table is an electronic dataset of columns and rows listing each user's ID and password (see Exhibit 1). When a user attempts to log in, the system compares the ID and password the user enters with the values in the password table. If they match, the system admits the user.
The risk inherent to a password table is that it could be compromised. For example, a hacker could gain unauthorized remote access to it or it could be intentionally divulged to an outsider by, perhaps, a terminated system administrator. To illustrate this, assume that XYZ Bank requires its employees to use passwords that consist of at least five numbers and uppercase or lowercase letters. The bank maintains these passwords in a password table. Exhibit 2 shows the three primary password formats available to system managers, and indicates the relative risk associated with each method. Let's discuss those alternatives in detail.
1. Clear-text passwords. As Exhibit 1 illustrates, this unencrypted format plainly reveals the system passwords to anyone who views the table. System administrators should ensure their staffs understand the danger and inadvisability of storing passwords in clear-text format.
2. Basic hash encryption. This option involves encrypting passwords before storing them in a table. One common technique involves the use of a mathematical hashing formula, which converts a user's password into an encrypted alphanumeric value. Exhibit 3 illustrates the process of hashing.
With hashing, only the user knows his or her password. The system administrator will know only the hashed value of the user's password. And if a hacker somehow were to learn that hashed value, he or she wouldn't be able to "reverse-compute" the password.
If a user forgets his or her password, he or she can request a temporary one, which the system administrator can send to the e-mail address specified in the user's system profile. To guard against misuse of the temporary password by an unauthorized person, the system should require the user to answer a previously agreed-upon question. For example, after the user keys in the temporary password, the system could ask him or her to provide his or her mother's maiden name. At this point, the system also should require the user to choose a new permanent password.
But while basic hash encryption makes passwords harder to crack, it is not a serious challenge for many hackers. That's because basic hashed values can be vulnerable to hacker attacks employing rainbow tables, which are lists of the precomputed hashed values of thousands of words that employees may have chosen as passwords.
For example, consider Exhibit 4, which shows a table of passwords that are hashed versions of those in the clear-text table in Exhibit 1. If a hacker obtained a copy of the table in Exhibit 4, he or she could compare it to a rainbow table, searching for matches. As Exhibit 4 illustrates, there's a good chance a match would be found.
Exhibit 5 illustrates the results of using Ophcrack, a hacker program that employs rainbow tables to crack passwords encoded by the LAN Manager hashing system, which Windows XP uses to encrypt and store user passwords. Windows Vista uses the NT LAN Manager (NTLM) hashing system, and recent versions of Ophcrack can decode Vista passwords.
As indicated in Exhibit 5, a hacker would be able to crack the most difficult hashed Windows XP password in less than eight minutes. Clearly, your system needs stronger protection than this; read on to see how you can obtain it.
3. Salted hash encryption. This preferred method involves the use of what is popularly known as a salt string. (In this context, "salt" is merely a metaphorical term, not an acronym.) A salt string is a random array of characters created and then attached to a user's password before hashing it. This extra step--adding salt--exponentially increases the difficulty of cracking the password. With unsalted hashing, there's a good chance one of the hacker's rainbow tables will contain a match for the password he or she is trying to deduce. But when the password contains salt--which the rainbow table probably won't contain--the odds of a match diminish, and the hacker is likely to be slowed down and stumped. Once a hacker realizes your system uses salted hashing, he or she probably will move on, searching for a system not protected by salt. Exhibit 6 illustrates the use of salt in a hashing system. Sometimes the best defense is one that persuades an attacker to look for a different target.
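The difference between options 2 and 3, as an added example that is not part of the original article. The choice of SHA-256 for the basic hash and of PBKDF2-HMAC-SHA256 (a deliberately slow salted hash) for the salted format is an assumption of this example, as are the function names, the iteration count and the constructed word list; the user names and passwords are sample values from Exhibit 1.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: three of the users from Exhibit 1.
USERS = {"Betty": "Giants", "Jenny": "Giants", "Nancy": "H553f83"}
# Constructed word list standing in for a precomputed (rainbow-style) table.
COMMON_WORDS = ["password", "Giants", "letmein"]
ITERATIONS = 200_000  # assumption: PBKDF2 work factor, tune to your hardware


def plain_hash(password: str) -> str:
    """Basic unsalted hash, the 'medium risk' format in Exhibit 2."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password: str) -> tuple[bytes, bytes]:
    """Return (salt, digest) using a fresh random salt for every user."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def exposed_by_lookup(table: dict[str, str]) -> dict[str, str]:
    """Audit check: which stored hashes match a precomputed word-list table?"""
    precomputed = {plain_hash(w): w for w in COMMON_WORDS}
    return {u: precomputed[h] for u, h in table.items() if h in precomputed}


def demo() -> dict:
    unsalted = {u: plain_hash(p) for u, p in USERS.items()}
    salted = {u: salted_record(p) for u, p in USERS.items()}
    # The same precomputed table finds nothing among the salted digests.
    salted_hex = {u: d.hex() for u, (_, d) in salted.items()}
    return {
        "unsalted_exposed": exposed_by_lookup(unsalted),
        "salted_exposed": exposed_by_lookup(salted_hex),
        "same_password_same_digest": salted["Betty"][1] == salted["Jenny"][1],
        "betty_login_ok": verify("Giants", *salted["Betty"]),
        "betty_wrong_pw": verify("giants", *salted["Betty"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Running an audit like `exposed_by_lookup` against your own password table is a quick way to confirm that no unsalted, dictionary-word hashes remain after a migration.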
IMPLEMENTING SECURE PASSWORD MANAGEMENT
1. Start by developing a full understanding of how your computer system stores passwords. Some systems are configured to automatically perform this process; others allow system administrators to implement their own password storage procedures. In either case, the resulting encryption must be strong enough to prevent hackers from decrypting passwords. As the examples demonstrate, sophisticated hackers can use rainbow tables and other techniques to defeat mediocre encryption.
2. Determine whether your encryption method is powerful enough to safeguard your system, and ensure users choose passwords wisely. At a minimum, your system should encrypt all passwords and require that they contain at least eight random characters, comprising one or more numerals and a mixture of uppercase and lowercase letters. These dual precautions address two risks to password security. First, encryption conceals the contents of the password table from anyone who gains unauthorized access to it. Second, ensuring that passwords consist of diverse and conceptually unrelated characters (for example, "H553f83" instead of "Giants") makes it more difficult for a nearby surreptitious observer to detect a password's characters as the user keys them in, and it strengthens passwords against dictionary attacks.
3. If your analysis reveals that your password security is inadequate, begin your search for improvements at the lower end of the cost spectrum. For example, software coding platforms, such as Java and Microsoft.Net, offer encryption capabilities that are economical, do-it-yourself ways to design and implement a better encryption system--provided, of course, that you or someone in your organization has the requisite ability and knowledge.
If such skills are not available to you in-house, you could hire a consultant. The consultant's programming code will control access to your system, so be sure he or she is skilled in secure coding practices involving encryption. Also, find out whether your vendor offers an upgrade that would strengthen your system's encryption and make your passwords more secure.
Before you choose a strategy, carefully compare the relative costs and benefits of each option. Remember that the financial impact of a security breach caused by inadequate encryption could far exceed the expense of implementing a fully effective system.
4. If your assessment reveals that you need an entirely new password management system, look for "yes" answers to each of the following four questions when you evaluate products. Does each system under consideration:
a. Encrypt and salt passwords when storing them?
b. Hide passwords with asterisks when users key them during login?
c. Log out users after a certain period of inactivity?
d. Lock out users after a small number (for example, 3 to 5) of failed login attempts?
5. Regardless of how confident you are in the accuracy and completeness of your security assessment and any remedial solutions you may choose, consider conducting a penetration test. This is an exercise in which a knowledgeable third party you hire does his or her best to break into your system, and then shares with you the results. Intentionally exposing your system to whichever approaches and techniques such experts use is the best way to see how well your system would defend itself against an actual hacker attack. Such information is invaluable; money paid to obtain it is well spent.
Disclaimer: This article discusses only some of the various encryption systems in use, and the recommendations it offers are only suggestions. Do not use them without carefully considering their suitability for your particular circumstances.
"Managing Multiple Identities," Sept. 08, page 38
IT Center and CITP credential
The Information Technology (IT) Center provides a venue for CPAs, their clients, employers and customers to research, monitor, assess, educate and communicate the impact of technology developments on business solutions. Visit the IT Center at www.aicpa.org/INFOTECH. Members who want to maximize information technology to increase efficiency and boost profits may be interested in joining the IT Member Section or pursuing the Certified Information Technology Professional (CITP) credential. For more information about the IT Member Section or the CITP credential, visit www.aicpa.org/IToffers. For privacy standards, rules and regulations, visit the IT Center's Privacy/Data Protection page at www.aicpa.org/privacy.
The IT Center also offers the following resources on information security:
* Relevant and Practical Application to Access & Identity Management (tinyurl.com/dmruge). This article explores issues related to the management of access and identity within an organization. Areas covered in the paper include overseeing how employees, customers and clients access your systems and the difference between success and disaster.
* Discussion Paper: Identity Management and Access Control (tinyurl.com/cvk8jx). With the near ubiquity of computerized accounting systems, identity and access management (IAM) has become a critical entity-level control functioning both at the system and application levels. This article introduces the related concepts of Identity Management and Access Control and discusses why they are so crucial for CPAs to understand.
System Security Development Tools
* Java Developer Resources, java.sun.com
* Microsoft.NET, tinyurl.com/5jggnp
* LAN Manager, aka "LM," tinyurl.com/dkaa5f
* Message Digest Algorithm 5, aka "MD5," tools.ietf.org/html/rfc1321
* Secure Hash Algorithm 1, aka "SHA-1," tinyurl.com/dmsxah
* Gramm-Leach-Bliley Act, tinyurl.com/8k3e6
* Health Insurance Portability and Accountability Act (HIPAA), tinyurl.com/8odm7e
* AICPA tally of states and territories that have enacted legislation governing data security breaches, tinyurl.com/bdygwq
* Payment Card Industry Data Security Standard (PCIDSS), tinyurl.com/d9xcbs
James F. Leon, CPA, CISSP, Ed.D., is a visiting assistant professor and the director of IT training in the Department of Computer Science at Northern Illinois University in DeKalb. His e-mail address is firstname.lastname@example.org.
Exhibit 1 Password Table

| User Name | Clear-Text Password |
|---|---|
| Amy | Jhjklhf |
| Betty | Giants |
| Jenny | Giants |
| Karen | rollinriver |
| Mike | Imhappy |
| Nancy | H553f83 |
| Steve | pizzalover63 |
| Tom | Giants |
| William | Mypass |

Exhibit 2 Know Your Exposure

| Password Format | Risk Exposure |
|---|---|
| Clear Text | High |
| Basic Hash Encryption | Medium |
| Salted Hash Encryption | Low |

Exhibit 3 Hashing Is Better: Here's How It Works

Assume XYZ Bank employee Betty chooses the password "Giants." The hashing process converts "Giants" into "66tt." (In practice, hashed values typically are longer than this.)

User's Password: "Giants"
[down arrow]
Hashing Function (encryption only; no decryption)
[down arrow]
Hashed Value: "66tt"

Exhibit 4 Hashed Passwords: Vulnerable to Rainbow Tables

The password table (below, left) contains a hypothetical hashed value of each password in the clear-text table in Exhibit 1. Below, on the right, is a sample rainbow table. A hacker would compare these two tables, seeking matches. If a match is identified, the hacker could deduce the employee's password. In this case, the hacker would see that "66tt" is the hashed value of Betty's password, "Giants." To make matters worse, the hacker also would see that Jenny's and Tom's hashed password values are "66tt," meaning their clear-text passwords also are "Giants." Armed with that information, the hacker would easily be able to log into Betty's, Jenny's and Tom's accounts.

| Bank's Password Table: User Name | Bank's Password Table: Hashed Password | Hacker's Rainbow Table: Rainbow Value | Hacker's Rainbow Table: Cracked Password |
|---|---|---|---|
| Amy | N51hf | Not Found | |
| Betty | 66tt | 66tt | Giants |
| Jenny | 66tt | 66tt | Giants |
| Karen | Iurasdfb | Not Found | |
| Mike | 58kotutkrt | Not Found | |
| Nancy | azxs83 | Not Found | |
| Steve | Gpaomt | Not Found | |
| Tom | 66tt | 66tt | Giants |
| William | dfs4f | Not Found | |

Exhibit 5 Ordinary Hashing Can Be Cracked Quickly

This exhibit illustrates the clear-text passwords (column A) from Exhibit 1, their values after being hashed (B) by LAN Manager, and the brief amount of time (C) it would take a hacker to crack the hashed passwords by using the hacker program Ophcrack. Cracking a Vista password is possible, but it takes longer. The time values in column C below were recorded by the author as he used Ophcrack to decode the hashed passwords in column B. Anyone using Ophcrack should have similar results.

| User Name | A: Clear-Text Password | B: LAN Manager-Hashed Password | C: Minutes & Seconds to Crack |
|---|---|---|---|
| Amy | Jhjklhf | 9elc6fde38d236d0aad3b435b51404ee | 3:39 |
| Betty | Giants | 4a24a40dfoa37fd3aad3b435b51404ee | 3:22 |
| Jenny | Giants | 4a24a40dfoa37fd3aad3b435b51404ee | 3:22 |
| Karen | rollinriver | fdb30d8b81af25ef6a24d62438290ba9 | 6:05 |
| Mike | Imhappy | af0e3973994ebb24aad3b435b51404ee | 1:17 |
| Nancy | H553f83 | f6ed43566b1c84ccaad3b435b51404ee | 1:30 |
| Steve | pizzalover63 | 753c086c08af27e7463ofc68a98b195a | 7:53 |
| Tom | Giants | 4a24a40dfoa37fd3aad3b435b51404ee | 3:22 |
| William | Mypass | 92315c8b485693a7aad3b435b51404ee | 1:48 |

Exhibit 6 Salted Hash: The Best Defense

XYZ Bank employee Betty uses "Giants" as her password. When she creates it, the system will generate a random salt string (for example, "454px") and add it to the beginning of her password, which will become "454pxGiants." The system then will hash that value, converting it to "zz79xt964" and placing the result in the password table, as shown below. Although Betty, Jenny and Tom have the same clear-text password (that is, "Giants"), each of them has a different salted hashed version of that password.

Note: As illustrated below, the system administrator should maximize security by storing salt values in a table separate from the password table.

Salt Table

| User Name | Salt |
|---|---|
| Amy | 7ge3g |
| Betty | 454px |
| Jenny | dh888 |
| Karen | 757jj |
| Mike | Fgnj8 |
| Nancy | 655mm |
| Steve | m8g6 |
| Tom | ba52m |
| William | z9p00 |

Salted Hashed Password Table

| User Name | Salted Hashed Password |
|---|---|
| Amy | 65451hf |
| Betty | zz79xt964 |
| Jenny | b2dern666tt |
| Karen | xcds64jfh |
| Mike | odsufshgnm85n |
| Nancy | 977nnh43h57f |
| Steve | uvd3hjdfg44y45 |
| Tom | vsdm3fda259mg |
| William | dkhfpree33mfy |
|Author:||Leon, James F.|
|Publication:||Journal of Accountancy|
|Date:||Jul 1, 2009|