Printer Friendly

Password management strategies for safer systems: foil hackers. Strengthen and protect your systems' passwords.

[ILLUSTRATION OMITTED]

EXECUTIVE SUMMARY

* A business system's users, managers and auditors share responsibility for its safety under the principle of due care. Proper management of system passwords is critically important to system security.

* Compelling reasons to ensure system security include not only the welfare of the organization, but its obligation to protect the privacy of confidential information within the system.

* Password management consists of more than selection of character strings not easily deduced by unauthorized parties. Various techniques, including simple precautions, can improve password security.

* Managers and auditors should familiarize themselves with the tools and techniques hackers use as well as proactive countermeasures, including advanced password encryption and system security evaluations.

* Before adopting a strategy, managers should understand the strengths and weaknesses of their current system and the criteria for determining whether to augment it or replace it with something more advanced.

* Those efforts should not delay immediate implementation of "safe computing" practices to mitigate the risk of compromised password security,

* When deciding whom to engage for help in creating or enhancing encryption functionality, managers should evaluate the knowledge, skills and abilities of in-house staff as well as those of third-party security experts.

**********

All of your business systems' users have confidential passwords. Does that mean your system and its contents are safe? Definitely not. As this article explains, organizations that don't ensure the ongoing security of their passwords are exposing themselves to fraud and potential liability by failing to protect confidential information.

Recent years have seen a surge in the sophistication and volume of hacker attempts to gain unauthorized access to online proprietary corporate information and processes Moreover, a growing list of federal, state and local laws and regulations requires organizations to safeguard the privacy of customer and employee data in their systems. In response, system managers have had to impose strict measures governing the creation and periodic revision of passwords, as well as the number of incorrect attempts to enter a password the system will allow before it locks the user out of the account.

Such requirements do improve security. But because fraudsters stand to gain--perhaps greatly--they continue to devise ingenious and often very successful ways to decode, or crack, employee and/or customer passwords. To help you defeat such attacks, this article explains hackers' various techniques and illustrates detailed countermeasures that can foil most, if not all, attempts to crack your passwords.

This article discusses techniques for preserving the security of passwords that control access to a system. It complements "Managing Multiple Identities" (JofA, Sept. 08, page 38), which addresses the risks associated with users who have separate IDs and passwords on multiple systems and applications. The following discussion and examples apply to any kind of system and pertain equally to an organization's employees and any customers who use its systems. For clarity, the examples in this article employ very brief passwords and other character strings. In actual practice, effective security requires passwords and strings much longer than those in the following illustrations.

MAINTAINING SECRECY

The system administrator is responsible for maintaining all passwords in a table and for employing due diligence to safeguard their confidentiality and, thus, enforce system security. A password table is an electronic dataset of columns and rows listing each user's ID and password (see Exhibit 1). When a user attempts to log in, the system compares the ID and password the user enters with the values in the password table. If they match, the system admits the user.

The risk inherent to a password table is that it could be compromised. For example, a hacker could gain unauthorized remote access to it or it could be intentionally divulged to an outsider by, perhaps, a terminated system administrator. To illustrate this, assume that XYZ Bank requires its employees to use passwords that consist of at least five numbers and uppercase or lowercase letters. The bank maintains these passwords in a password table. Exhibit 2 shows the three primary password formats available to system managers, and indicates the relative risk associated with each method. Let's discuss those alternatives in detail.

1. Clear-text passwords. As Exhibit 1 illustrates, this unencrypted format plainly reveals the system passwords to anyone who views the table. System administrators should ensure their staffs understand the danger and inadvisability of storing passwords in cleartext format.

2. Basic hash encryption. This option involves encrypting passwords before storing them in a table. One common technique involves the use of a mathematical hashing formula, which converts a user's password into an encrypted alphanumeric value. Exhibit 3 illustrates the process of hashing.

With hashing, only the user knows his or her password. The system administrator will know only the hashed value of the user's password. And if a hacker somehow were to learn that hashed value, he or she wouldn't be able to "reverse-compute" the password.

If a user forgets his or her password, he or she can request a temporary one, which the system administrator can send to the e-mail address specified in the user's system profile. To guard against misuse of the temporary password by an unauthorized person, the system should require the user to answer a previously agreed-upon question. For example, after the user keys in the temporary password, the system could ask him or her to provide his or her mother's maiden name. At this point, the system also should require the user to choose a new permanent password.

But while basic hash encryption makes passwords harder to crack, it is not a serious challenge for many hackers. That's because basic hashed values can be vulnerable to hacker attacks employing rainbow tables, which are lists of the precomputed hashed values of thousands of words that employees may have chosen as passwords.

For example, consider Exhibit 4, which shows a table of passwords that are hashed versions of those in the clear-text table in Exhibit 1. If a hacker obtained a copy of the table in Exhibit 4, he or she could compare it to a rainbow table, searching for matches. As Exhibit 4 illustrates, there's a good chance a match would be found.

Exhibit 5 illustrates the results of using Ophcrack, a hacker program that employs rainbow tables to crack passwords encoded by the LAN Manager hashing system, which Windows XP uses to encrypt and store user passwords. Windows Vista uses the NT LAN Manager (NTLM) hashing system, and recent versions of Ophcrack can decode Vista passwords.

As indicated in Exhibit 5, a hacker would be able to crack the most difficult hashed Windows XP password in less than eight minutes. Clearly, your system needs stronger protection than this; read on to see how you can obtain it.

3. Salted hash encryption. This preferred method involves the use of what is popularly known as a salt string. (In this context, "salt" is merely a metaphorical term, not an acronym.) A salt string is a random array of characters created and then attached to a user's password before hashing it. This extra step--adding salt--exponentially increases the difficulty of cracking the password. With unsalted hashing, there's a good chance one of the hacker's rainbow tables will contain a match for the password he or she is trying to deduce. But when the password contains salt--which the rainbow table probably won't contain--the odds of a match diminish, and the hacker is likely to be slowed down and stumped. Once a hacker realizes your system uses salted hashing, he or she probably will move on, searching for a system not protected by salt. Exhibit 6 illustrates the use of salt in a hashing system. Sometimes the best defense is one that persuades an attacker to look for a different target.

IMPLEMENTING SECURE PASSWORD MANAGEMENT

1. Start by developing a full understanding of how your computer system stores passwords. Some systems are configured to automatically perform this process; others allow system administrators to implement their own password storage procedures. In either case, the resulting encryption must be strong enough to prevent hackers from decrypting passwords. As the examples demonstrate, sophisticated hackers can use rainbow tables and other techniques to defeat mediocre encryption.

2. Determine whether your encryption method is powerful enough to safeguard your system, and ensure users choose passwords wisely. At a minimum, your system should encrypt all passwords and require that they contain at least eight random characters, comprising one or more numerals and a mixture of uppercase and lowercase letters. These dual precautions address two risks to password security. First, encryption conceals the contents of the password table from anyone who gains unauthorized access to it. Second, ensuring that passwords consist of diverse and conceptually unrelated characters (for example, "H553f83" instead of "Giants") makes it more difficult for a nearby surreptitious observer to detect a password's characters as the user keys them in, and it strengthens passwords against dictionary attacks.

3. If your analysis reveals that your password security is inadequate, begin your search for improvements at the lower end of the cost spectrum. For example, software coding platforms, such as Java and Microsoft.Net, offer encryption capabilities that are economical, do-it-yourself ways to design and implement a better encryption system--provided, of course, that you or someone in your organization has the requisite ability and knowledge.

If such skills are not available to you in-house, you could hire a consultant. The consultant's programming code will control access to your system, so be sure he or she is skilled in secure coding practices involving encryption. Also, find out whether your vendor offers an upgrade that would strengthen your system's encryption and make your passwords more secure.

Before you choose a strategy, carefully compare the relative costs and benefits of each option. Remember that the financial impact of a security breach caused by inadequate encryption could far exceed the expense of implementing a fully effective system.

4. If your assessment reveals that you need an entirely new password management system, look for "yes" answers to each of the following four questions when you evaluate products. Does each system under consideration:

a. Encrypt and salt passwords when storing them?

b. Hide passwords with asterisks when users key them during login?

c. Log out users after a certain period of inactivity?

d. Lock out users after a small number (for example, 3 to 5) of failed login attempts?

5. Regardless of how confident you are in the accuracy and completeness of your security assessment and any remedial solutions you may choose, consider conducting a penetration test. This is an exercise in which a knowledgeable third party you hire does his or her best to break into your system, and then shares with you the results. Intentionally exposing your system to whichever approaches and techniques such experts use is the best way to see how well your system would defend itself against an actual hacker attack. Such information is invaluable; money paid to obtain it is well spent.

Disclaimer: This article discusses only some of the various encryption systems in use, and the recommendations it offers are only suggestions. Do not use them without carefully considering their suitability for your particular circumstances.

AICPA RESOURCES

JofA article

"Managing Multiple Identities," Sept. 08, page 38

IT Center and CITP credential

The Information Technology (IT) Center provides a venue for CPAs, their clients, employers and customers to research, monitor, assess, educate and communicate the impact of technology developments on business solutions. Visit the IT Center at www.aicpa.org/INFOTECH. Members who want to maximize information technology to increase efficiency and boost profits may be interested in joining the IT Member Section or pursuing the Certified Information Technology Professional (CITP) credential. For more information about the IT Member Section or the CITP credential, visit www.aicpa.org/IToffers. For privacy standards, rules and regulations, visit the IT Center's Privacy/Data Protection page at www.aicpa.org/privacy.

The IT Center also offers the following resources on information security:

* Relevant and Practical Application to Access & Identity Management (tinyurl.com/dmruge). This article explores issues related to the management of access and identity within an organization. Areas covered in the paper include overseeing how employees, customers and clients access your systems and the difference between success and disaster.

* Discussion Paper: Identity Management and Access Control (tinyurl.com/cvk8jx). With the near ubiquity of computerized accounting systems, identity and access management (IAM) has become a critical entity-level control functioning both at the system and application levels. This article introduces the related concepts of Identity Management and Access Control and discusses why they are so crucial for CPAs to understand.

OTHER RESOURCES

System Security Development Tools

* Java Developer Resources, java.sun.com

* Microsoft.NET, tinyurl.com/5jggnp

Hashing Formulas

* LAN Manager, aka "LM," tinyurl.com/dkaa5f

* Message Digest Algorithm 5, aka "MD5," tools.ieff.org/html/rfc1321

* Secure Hash Algorithm 1, aka "SHA-1," tinyurl.com/dmsxah

Federal Laws

* Gramm-Leach-Bliley Act, tinyurl.com/8k3e6

* Health Insurance Portability and Accountability Act (HIPAA), tinyurl.com/8odm7e

State Laws

AICPA tally of states and territories that have enacted legislation governing data security breaches, tinyurl.com/bdygwq

Industry Guideline

* Payment Card Industry Data Security Standard (PCIDSS), tinyurl.com/d9xcbs

James F. Leon, CPA, CISSP, Ed.D., is a visiting assistant professor and the director of IT training in the Department of Computer Science at Northern Illinois University in DeKalb. His e-mail address is jimleon@cs.niu.edu.
Exhibit 1
Password Table

User Name Clear-Text Password

Amy Jhjklhf
Betty Giants
Jenny Giants
Karen rollinriver
Mike Imhappy
Nancy H553f83
Steve pizzalover63
Tom Giants
William Mypass

Exhibit 2
Know Your Exposure

Password Format Risk Exposure

Clear Text High
Basic Hash Encryption Medium
Salted Hash Encryption Low

Exhibit 3 Hashing Is Better:
Here's How It Works

Assume XYZ Bank employee Betty chooses the password "Giants." The
hashing process converts "Giants" into "66tt." (In practice, hashed
values typically are longer than this.)

Useer's Password: "Giants"

[down arrow]

Hashing Function (encryption only; no decryption)

[down arrow]

Hashed Value: "66tt"

Exhibit 4

Hashed Passwords:
Vulnerable to Rainbow Tables

The password table (below, left) contains a hypothetical hashed
value of each password in the clear-text table in Exhibit 1. Below,
on the right, is a sample rainbow table. A hacker would compare
these two tables, seeking matches. If a match is identified, the
hacker could deduce the employee's password. In this case, the
hacker would see that "66tt" is the hashed value of Betty's
password, "Giants." To make matters worse, the hacker also would
see that Jenny's and Tom's hashed password values are "66tt,"
meaning their clear-text passwords also are "Giants." Armed with
that information, the hacker would easily be able to log into
Betty's, Jenny's and Tom's accounts.

Bank's Password Table

User Name Hashed
 Password

Amy N51hf
Betty 66tt
Jenny 66tt
Karen Iurasdfb
Mike 58kotutkrt
Nancy azxs83
Steve Gpaomt
Tom 66tt
William dfs4f

Hacker's Rainbow Table

Rainbow Cracked
Value Password

Not Found
66tt Giants
66tt Giants
Not Found
Not Found
Not Found
Not Found
66tt Giants
Not Found

Exhibit 5

Ordinary Hashing Can Be
Cracked Quickly

This exhibit illustrates the clear-text passwords (column A) from
Exhibit 1, their values after being hashed (B) by LAN Manager, and
the brief amount of time (C) it would take a hacker to crack the
hashed passwords by using the hacker program Ophcrack. Cracking a
Vista password is possible, but it takes longer. The time values in
column C below were recorded by the author as he used Ophcrack to
decode the hashed passwords in column B. Anyone using Ophcrack
should have similar results.

 A B C

 User Clear-Text LAN Manager-Hashed Minutes &
 Name Password Password Seconds
 to Crack

 Amy Jhjklhf 9elc6fde38d236d0aad3b435b51404ee 3:39
 Betty Giants 4a24a40dfoa37fd3aad3b435b51404ee 3:22
 Jenny Giants 4a24a40dfoa37fd3aad3b435b51404ee 3:22
 Karen rollinriver fdb30d8b81af25ef6a24d62438290ba9 6:05
 Mike Imhappy af0e3973994ebb24aad3b435b51404ee 1:17
 Nancy H553f83 f6ed43566b1c84ccaad3b435b51404ee 1:30
 Steve pizzalover63 753c086c08af27e7463ofc68a98b195a 7:53
 Tom Giants 4a24a40dfoa37fd3aad3b435b51404ee 3:22
William Mypass 92315c8b485693a7aad3b435b51404ee 1:48

Exhibit 6

Salted Hash: The Best Defense

XYZ Bank employee Betty uses "Giants" as her password. When she
creates it, the system will generate a random salt string (for
example, "454px") and add it to the beginning of her password,
which will become "454pxGiants." The system then will hash that
value, converting it to "zz79xt964" and placing the result in the
password table, as shown below. Although Betty, Jenny and Tom have
the same clear-text password (that is, "Giants"), each of them has
a different salted hashed version of that password.

Note: As illustrated below, the system administrator should
maximize security by storing salt values in a table separate from
the password table.

 Salt Table

User Name Salt

 Amy 7ge3g
 Betty 454px
 Jenny dh888
 Karen 757jj
 Mike Fgnj8
 Nancy 655mm
 Steve m8g6
 Tom ba52m
 William z9p00

Salted Hashed Password Table

User Name Salted Hashed
 Password

 Amy 65451hf
 Betty zz79xt964
 Jenny b2dern666tt
 Karen xcds64jfh
 Mike odsufshgnm85n
 Nancy 977nnh43h57f
 Steve uvd3hjdfg44y45
 Tom vsdm3fda259mg
 William dkhfpree33mfy
COPYRIGHT 2009 American Institute of CPA's
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2009 Gale, Cengage Learning. All rights reserved.

 Reader Opinion

Title:

Comment:



 

Article Details
Printer friendly Cite/link Email Feedback
Author:Leon, James F.
Publication:Journal of Accountancy
Date:Jul 1, 2009
Words:2794
Previous Article:Supercharge your excel sum operations: add data by up to 30 criteria.
Next Article:Self-employment or other income?
Topics:


Related Articles
The 10 commandments of data security.
Computer network insecurity: how to defend your confidential files.
Confessions of an Internet hacker: Stealing your personal information was hard to resist.
Mum's the word on these passwords.
Keep your computer system safe.
Password overload syndrome.
Data leakage plan of action: time to plug up the security holes.

Terms of use | Copyright © 2015 Farlex, Inc. | Feedback | For webmasters