Password management strategies for safer systems: foil hackers. Strengthen and protect your systems' passwords.
* A business system's users, managers and auditors share responsibility for its safety under the principle of due care. Proper management of system passwords is critically important to system security.
* Compelling reasons to ensure system security include not only the welfare of the organization, but its obligation to protect the privacy of confidential information within the system.
* Password management consists of more than selection of character strings not easily deduced by unauthorized parties. Various techniques, including simple precautions, can improve password security.
* Managers and auditors should familiarize themselves with the tools and techniques hackers use as well as proactive countermeasures, including advanced password encryption and system security evaluations.
* Before adopting a strategy, managers should understand the strengths and weaknesses of their current system and the criteria for determining whether to augment it or replace it with something more advanced.
* Those efforts should not delay immediate implementation of "safe computing" practices to mitigate the risk of compromised password security.
* When deciding whom to engage for help in creating or enhancing encryption functionality, managers should evaluate the knowledge, skills and abilities of in-house staff as well as those of third-party security experts.
All of your business systems' users have confidential passwords. Does that mean your system and its contents are safe? Definitely not. As this article explains, organizations that don't ensure the ongoing security of their passwords are exposing themselves to fraud and potential liability by failing to protect confidential information.
Recent years have seen a surge in the sophistication and volume of hacker attempts to gain unauthorized access to online proprietary corporate information and processes. Moreover, a growing list of federal, state and local laws and regulations requires organizations to safeguard the privacy of customer and employee data in their systems. In response, system managers have had to impose strict measures governing the creation and periodic revision of passwords, as well as the number of incorrect attempts to enter a password the system will allow before it locks the user out of the account.
Such requirements do improve security. But because fraudsters stand to gain--perhaps greatly--they continue to devise ingenious and often very successful ways to decode, or crack, employee and/or customer passwords. To help you defeat such attacks, this article explains hackers' various techniques and illustrates detailed countermeasures that can foil most, if not all, attempts to crack your passwords.
This article discusses techniques for preserving the security of passwords that control access to a system. It complements "Managing Multiple Identities" (JofA, Sept. 08, page 38), which addresses the risks associated with users who have separate IDs and passwords on multiple systems and applications. The following discussion and examples apply to any kind of system and pertain equally to an organization's employees and any customers who use its systems. For clarity, the examples in this article employ very brief passwords and other character strings. In actual practice, effective security requires passwords and strings much longer than those in the following illustrations.
The system administrator is responsible for maintaining all passwords in a table and for employing due diligence to safeguard their confidentiality and, thus, enforce system security. A password table is an electronic dataset of columns and rows listing each user's ID and password (see Exhibit 1). When a user attempts to log in, the system compares the ID and password the user enters with the values in the password table. If they match, the system admits the user.
The risk inherent to a password table is that it could be compromised. For example, a hacker could gain unauthorized remote access to it or it could be intentionally divulged to an outsider by, perhaps, a terminated system administrator. To illustrate this, assume that XYZ Bank requires its employees to use passwords that consist of at least five numbers and uppercase or lowercase letters. The bank maintains these passwords in a password table. Exhibit 2 shows the three primary password formats available to system managers, and indicates the relative risk associated with each method. Let's discuss those alternatives in detail.
1. Clear-text passwords. As Exhibit 1 illustrates, this unencrypted format plainly reveals the system passwords to anyone who views the table. System administrators should ensure their staffs understand the danger and inadvisability of storing passwords in cleartext format.
2. Basic hash encryption. This option involves encrypting passwords before storing them in a table. One common technique involves the use of a mathematical hashing formula, which converts a user's password into an encrypted alphanumeric value. Exhibit 3 illustrates the process of hashing.
With hashing, only the user knows his or her password. The system administrator will know only the hashed value of the user's password. And if a hacker somehow were to learn that hashed value, he or she wouldn't be able to "reverse-compute" the password.
If a user forgets his or her password, he or she can request a temporary one, which the system administrator can send to the e-mail address specified in the user's system profile. To guard against misuse of the temporary password by an unauthorized person, the system should require the user to answer a previously agreed-upon question. For example, after the user keys in the temporary password, the system could ask him or her to provide his or her mother's maiden name. At this point, the system also should require the user to choose a new permanent password.
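The recovery flow just described (temporary password, challenge question, forced change of the permanent password) can be modelled in a few dozen lines. The code below is an added example written for this page, not code from the article or from any product it mentions; the class name, the 15-minute expiry and the constructed user "Betty" with challenge answer "Smith" are assumptions. It adds two properties the paragraph leaves implicit: the temporary password expires and can be redeemed only once.

```python
import hmac
import secrets
import time
from typing import Callable, Dict, Tuple


class TemporaryPasswordReset:
    """Models the article's recovery flow: issue a temporary password (to be sent to the
    e-mail address on file), require the agreed challenge answer when it is used, then force
    the user to set a new permanent password. Temporary passwords expire, are single-use, and
    are compared in constant time. Hypothetical class written for this example."""

    def __init__(self, challenge_answers: Dict[str, str], ttl_seconds: float = 900.0,
                 clock: Callable[[], float] = time.monotonic):
        # Answers are normalised so "Smith" and " smith " match. They are kept in clear here
        # for brevity; a production system would store them hashed like passwords.
        self._answers = {u: a.strip().lower() for u, a in challenge_answers.items()}
        self._pending: Dict[str, Tuple[str, float]] = {}  # user -> (temp password, expiry)
        self._must_change = set()
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be tested deterministically

    def issue(self, user: str) -> str:
        """Create the temporary password; the caller e-mails it to the profile address."""
        temp = secrets.token_urlsafe(12)
        self._pending[user] = (temp, self._clock() + self._ttl)
        return temp

    def redeem(self, user: str, temp_password: str, challenge_answer: str) -> str:
        """Returns 'ok', 'expired', 'invalid' or 'challenge_failed'. Success consumes the
        temporary password and flags the account as needing a new permanent password."""
        entry = self._pending.get(user)
        if entry is None:
            return "invalid"
        temp, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[user]
            return "expired"
        if not hmac.compare_digest(temp.encode(), temp_password.encode()):
            return "invalid"
        expected = self._answers.get(user)
        given = challenge_answer.strip().lower()
        if expected is None or not hmac.compare_digest(expected.encode(), given.encode()):
            return "challenge_failed"
        del self._pending[user]
        self._must_change.add(user)
        return "ok"

    def must_change_password(self, user: str) -> bool:
        return user in self._must_change

    def set_permanent_password(self, user: str, new_password: str,
                               store: Callable[[str, str], None]) -> bool:
        """Allowed only after the temporary password was redeemed; `store` persists the credential."""
        if user not in self._must_change:
            return False
        store(user, new_password)
        self._must_change.discard(user)
        return True


if __name__ == "__main__":
    reset = TemporaryPasswordReset({"Betty": "Smith"})  # constructed sample user
    temp = reset.issue("Betty")
    print(reset.redeem("Betty", temp, "smith"))       # ok
    print(reset.must_change_password("Betty"))        # True
    print(reset.redeem("Betty", temp, "smith"))       # invalid (single use)
```

The `store` callback is where the new password would be salted and hashed before being written to the password table; keeping it separate lets the reset logic be tested without a database.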
But while basic hash encryption makes passwords harder to crack, it is not a serious challenge for many hackers. That's because basic hashed values can be vulnerable to hacker attacks employing rainbow tables, which are lists of the precomputed hashed values of thousands of words that employees may have chosen as passwords.
For example, consider Exhibit 4, which shows a table of passwords that are hashed versions of those in the clear-text table in Exhibit 1. If a hacker obtained a copy of the table in Exhibit 4, he or she could compare it to a rainbow table, searching for matches. As Exhibit 4 illustrates, there's a good chance a match would be found.
Exhibit 5 illustrates the results of using Ophcrack, a hacker program that employs rainbow tables to crack passwords encoded by the LAN Manager hashing system, which Windows XP uses to encrypt and store user passwords. Windows Vista uses the NT LAN Manager (NTLM) hashing system, and recent versions of Ophcrack can decode Vista passwords.
As indicated in Exhibit 5, a hacker would be able to crack the most difficult hashed Windows XP password in less than eight minutes. Clearly, your system needs stronger protection than this; read on to see how you can obtain it.
3. Salted hash encryption. This preferred method involves the use of what is popularly known as a salt string. (In this context, "salt" is merely a metaphorical term, not an acronym.) A salt string is a random array of characters created and then attached to a user's password before hashing it. This extra step--adding salt--exponentially increases the difficulty of cracking the password. With unsalted hashing, there's a good chance one of the hacker's rainbow tables will contain a match for the password he or she is trying to deduce. But when the password contains salt--which the rainbow table probably won't contain--the odds of a match diminish, and the hacker is likely to be slowed down and stumped. Once a hacker realizes your system uses salted hashing, he or she probably will move on, searching for a system not protected by salt. Exhibit 6 illustrates the use of salt in a hashing system. Sometimes the best defense is one that persuades an attacker to look for a different target.
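The contrast between basic hashing (Exhibits 3 and 4) and salted hashing (Exhibit 6) can be made concrete with the article's own Exhibit 1 passwords. The block below is an added example for this page, not the article's or any vendor's code. It goes one step beyond the text: instead of a plain salted hash it uses PBKDF2-HMAC-SHA256, a deliberately slow salted construction, so that each guess costs the attacker real work; the iteration count, the 16-byte salt length and the small constructed wordlist are assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample data: the clear-text passwords from the article's Exhibit 1.
USERS = {
    "Amy": "Jhjklhf", "Betty": "Giants", "Jenny": "Giants",
    "Karen": "rollinriver", "Mike": "Imhappy", "Nancy": "H553f83",
    "Steve": "pizzalover63", "Tom": "Giants", "William": "Mypass",
}
ITERATIONS = 100_000  # PBKDF2 work factor; an assumption, tune for your hardware


def basic_hash(password: str) -> str:
    """Exhibit 3 style: hash the password alone. Equal passwords give equal output."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def unsalted_table(users: Dict[str, str]) -> Dict[str, str]:
    """The Exhibit 4 password table: user -> unsalted hash."""
    return {name: basic_hash(pw) for name, pw in users.items()}


def precomputed_table(wordlist) -> Dict[str, str]:
    """A precomputed hash -> word map, the toy equivalent of the article's rainbow table.
    Built from a constructed wordlist and used here only to measure a table's exposure."""
    return {basic_hash(w): w for w in wordlist}


def matches_in(stored: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """Exhibit 4's matching step: which stored values appear verbatim in the precomputed table."""
    return {name: table[h] for name, h in stored.items() if h in table}


def salted_entry(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Exhibit 6 style: a fresh random salt per user, then a slow salted hash.
    Returns (salt_hex, digest_hex); both are stored, and the salt need not be secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt.hex(), digest.hex()


def salted_table(users: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """user -> (salt, salted hash). Identical passwords now yield different stored values."""
    return {name: salted_entry(pw) for name, pw in users.items()}


def verify(password: str, salt_hex: str, digest_hex: str) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    _, candidate = salted_entry(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, digest_hex)


if __name__ == "__main__":
    lookup = precomputed_table(["Giants", "password", "123456", "Mypass"])
    plain = unsalted_table(USERS)
    print("unsalted matches:", matches_in(plain, lookup))   # Betty, Jenny, Tom, William
    salted = salted_table(USERS)
    digests = {name: digest for name, (_, digest) in salted.items()}
    print("salted matches:", matches_in(digests, lookup))   # {}
    print("Betty logs in:", verify("Giants", *salted["Betty"]))  # True
```

Two points the run makes visible: with the unsalted table, one precomputed entry for "Giants" exposes three accounts at once, exactly as Exhibit 4 shows; with per-user salts, a table built without knowledge of each salt matches nothing, and an attacker who obtains the salts still has to redo the slow computation separately for every user.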
IMPLEMENTING SECURE PASSWORD MANAGEMENT
1. Start by developing a full understanding of how your computer system stores passwords. Some systems are configured to automatically perform this process; others allow system administrators to implement their own password storage procedures. In either case, the resulting encryption must be strong enough to prevent hackers from decrypting passwords. As the examples demonstrate, sophisticated hackers can use rainbow tables and other techniques to defeat mediocre encryption.
2. Determine whether your encryption method is powerful enough to safeguard your system, and ensure users choose passwords wisely. At a minimum, your system should encrypt all passwords and require that they contain at least eight random characters, comprising one or more numerals and a mixture of uppercase and lowercase letters. These dual precautions address two risks to password security. First, encryption conceals the contents of the password table from anyone who gains unauthorized access to it. Second, ensuring that passwords consist of diverse and conceptually unrelated characters (for example, "H553f83" instead of "Giants") makes it more difficult for a nearby surreptitious observer to detect a password's characters as the user keys them in, and it strengthens passwords against dictionary attacks.
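The minimum policy in this step (eight characters, at least one numeral, both uppercase and lowercase) is easy to enforce at password-change time, and a dictionary check catches the "Giants"-style choices the article warns about. This is an added example for this page, not code from the article; the word list is constructed and tiny (a real deployment would check against a large list of breached and common passwords), and the function names are assumptions.

```python
import re
from typing import List

# Constructed list of predictable words; a real deployment would use a large
# breached-password list instead of these few entries.
COMMON_WORDS = {"giants", "password", "mypass", "imhappy", "pizzalover", "letmein", "welcome"}


def policy_violations(password: str, min_length: int = 8) -> List[str]:
    """Return the reasons a candidate password fails the article's minimum policy
    (length, a numeral, upper- and lowercase letters) plus a dictionary-word check.
    An empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"\d", password):
        problems.append("no numeral")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    # Strip digits and symbols so "pizzalover63" is still recognised as dictionary-based:
    # appending a number to a word does not defeat a dictionary attack.
    core = re.sub(r"[^a-z]", "", password.lower())
    if core in COMMON_WORDS:
        problems.append("based on a common word")
    return problems


def is_acceptable(password: str) -> bool:
    return not policy_violations(password)


if __name__ == "__main__":
    for candidate in ("Giants", "pizzalover63", "H553f83", "Xk7qT2pw"):  # constructed inputs
        print(candidate, "->", policy_violations(candidate) or "ok")
```

Note that the article's own illustration "H553f83" fails only the length rule; as the introduction says, the exhibits deliberately use strings shorter than real practice requires.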
3. If your analysis reveals that your password security is inadequate, begin your search for improvements at the lower end of the cost spectrum. For example, software coding platforms, such as Java and Microsoft.Net, offer encryption capabilities that are economical, do-it-yourself ways to design and implement a better encryption system--provided, of course, that you or someone in your organization has the requisite ability and knowledge.
If such skills are not available to you in-house, you could hire a consultant. The consultant's programming code will control access to your system, so be sure he or she is skilled in secure coding practices involving encryption. Also, find out whether your vendor offers an upgrade that would strengthen your system's encryption and make your passwords more secure.
Before you choose a strategy, carefully compare the relative costs and benefits of each option. Remember that the financial impact of a security breach caused by inadequate encryption could far exceed the expense of implementing a fully effective system.
4. If your assessment reveals that you need an entirely new password management system, look for "yes" answers to each of the following four questions when you evaluate products. Does each system under consideration:
a. Encrypt and salt passwords when storing them?
b. Hide passwords with asterisks when users key them during login?
c. Log out users after a certain period of inactivity?
d. Lock out users after a small number (for example, 3 to 5) of failed login attempts?
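Questions (c) and (d) describe behaviour that can be checked directly in a login component. The block below is an added example written for this page, not code from the article or from any product it evaluates; the class and method names, the default of three failures and the 15-minute idle limit are assumptions. The password check is injected as a callback so the guard is independent of how passwords are hashed, and the clock is injectable so the timeout can be exercised without waiting.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked: bool = False
    session_last_seen: Optional[float] = None  # None means no active session


class LoginGuard:
    """Enforces checks (c) and (d): idle-session logout and lockout after repeated failures.
    Hypothetical class written for this example."""

    def __init__(self, check_password: Callable[[str, str], bool],
                 max_failures: int = 3, idle_timeout: float = 900.0,
                 clock: Callable[[], float] = time.monotonic):
        self._check = check_password
        self.max_failures = max_failures
        self.idle_timeout = idle_timeout
        self._clock = clock
        self._accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self._accounts.setdefault(user, AccountState())

    def login(self, user: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'. A locked account refuses even the right password."""
        st = self._state(user)
        if st.locked:
            return "locked"
        if self._check(user, password):
            st.failed_attempts = 0
            st.session_last_seen = self._clock()
            return "ok"
        st.failed_attempts += 1
        if st.failed_attempts >= self.max_failures:
            st.locked = True
            return "locked"
        return "denied"

    def touch(self, user: str) -> bool:
        """Call on every request. Returns False, and ends the session, once the user has been
        inactive for longer than idle_timeout; otherwise refreshes the activity timestamp."""
        st = self._state(user)
        now = self._clock()
        if st.session_last_seen is None or now - st.session_last_seen > self.idle_timeout:
            st.session_last_seen = None
            return False
        st.session_last_seen = now
        return True

    def unlock(self, user: str) -> None:
        """Administrator action, taken only after the user's identity is re-verified out of band."""
        st = self._state(user)
        st.locked = False
        st.failed_attempts = 0


if __name__ == "__main__":
    guard = LoginGuard(lambda user, pw: pw == "Giants")  # constructed checker for the demo
    print([guard.login("Betty", "wrong") for _ in range(3)])  # ['denied', 'denied', 'locked']
    print(guard.login("Betty", "Giants"))                     # locked
    guard.unlock("Betty")
    print(guard.login("Betty", "Giants"), guard.touch("Betty"))  # ok True
```

Lockout decisions are worth logging with the user name and source address, since a burst of lockouts across many accounts is itself a detection signal; and because anyone who knows a user name can trigger a lockout, the unlock path must exist and must re-verify identity rather than simply reset the counter.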
5. Regardless of how confident you are in the accuracy and completeness of your security assessment and any remedial solutions you may choose, consider conducting a penetration test. This is an exercise in which a knowledgeable third party you hire does his or her best to break into your system, and then shares with you the results. Intentionally exposing your system to whichever approaches and techniques such experts use is the best way to see how well your system would defend itself against an actual hacker attack. Such information is invaluable; money paid to obtain it is well spent.
Disclaimer: This article discusses only some of the various encryption systems in use, and the recommendations it offers are only suggestions. Do not use them without carefully considering their suitability for your particular circumstances.
RESOURCES
"Managing Multiple Identities," Sept. 08, page 38
IT Center and CITP credential
The Information Technology (IT) Center provides a venue for CPAs, their clients, employers and customers to research, monitor, assess, educate and communicate the impact of technology developments on business solutions. Visit the IT Center at www.aicpa.org/INFOTECH. Members who want to maximize information technology to increase efficiency and boost profits may be interested in joining the IT Member Section or pursuing the Certified Information Technology Professional (CITP) credential. For more information about the IT Member Section or the CITP credential, visit www.aicpa.org/IToffers. For privacy standards, rules and regulations, visit the IT Center's Privacy/Data Protection page at www.aicpa.org/privacy.
The IT Center also offers the following resources on information security:
* Relevant and Practical Application to Access & Identity Management (tinyurl.com/dmruge). This article explores issues related to the management of access and identity within an organization. Areas covered in the paper include overseeing how employees, customers and clients access your systems and the difference between success and disaster.
* Discussion Paper: Identity Management and Access Control (tinyurl.com/cvk8jx). With the near ubiquity of computerized accounting systems, identity and access management (IAM) has become a critical entity-level control functioning both at the system and application levels. This article introduces the related concepts of Identity Management and Access Control and discusses why they are so crucial for CPAs to understand.
System Security Development Tools
* Java Developer Resources, java.sun.com
* Microsoft.NET, tinyurl.com/5jggnp
* LAN Manager, aka "LM," tinyurl.com/dkaa5f
* Message Digest Algorithm 5, aka "MD5," tools.ietf.org/html/rfc1321
* Secure Hash Algorithm 1, aka "SHA-1," tinyurl.com/dmsxah
* Gramm-Leach-Bliley Act, tinyurl.com/8k3e6
* Health Insurance Portability and Accountability Act (HIPAA), tinyurl.com/8odm7e
* AICPA tally of states and territories that have enacted legislation governing data security breaches, tinyurl.com/bdygwq
* Payment Card Industry Data Security Standard (PCI DSS), tinyurl.com/d9xcbs
James F. Leon, CPA, CISSP, Ed.D., is a visiting assistant professor and the director of IT training in the Department of Computer Science at Northern Illinois University in DeKalb. His e-mail address is firstname.lastname@example.org.
Exhibit 1: Password Table

User Name   Clear-Text Password
Amy         Jhjklhf
Betty       Giants
Jenny       Giants
Karen       rollinriver
Mike        Imhappy
Nancy       H553f83
Steve       pizzalover63
Tom         Giants
William     Mypass

Exhibit 2: Know Your Exposure

Password Format          Risk Exposure
Clear Text               High
Basic Hash Encryption    Medium
Salted Hash Encryption   Low

Exhibit 3: Hashing Is Better: Here's How It Works

Assume XYZ Bank employee Betty chooses the password "Giants." The hashing process converts "Giants" into "66tt." (In practice, hashed values typically are longer than this.)

User's Password: "Giants"
        |
        v
Hashing Function (encryption only; no decryption)
        |
        v
Hashed Value: "66tt"

Exhibit 4: Hashed Passwords: Vulnerable to Rainbow Tables

The bank's password table (left two columns) contains a hypothetical hashed value of each password in the clear-text table in Exhibit 1. The right two columns show a sample rainbow table. A hacker would compare these two tables, seeking matches. If a match is identified, the hacker could deduce the employee's password. In this case, the hacker would see that "66tt" is the hashed value of Betty's password, "Giants." To make matters worse, the hacker also would see that Jenny's and Tom's hashed password values are "66tt," meaning their clear-text passwords also are "Giants." Armed with that information, the hacker would easily be able to log into Betty's, Jenny's and Tom's accounts.

            Bank's Password Table        Hacker's Rainbow Table
User Name   Hashed Password              Rainbow Value   Cracked Password
Amy         N51hf                        Not Found
Betty       66tt                         66tt            Giants
Jenny       66tt                         66tt            Giants
Karen       Iurasdfb                     Not Found
Mike        58kotutkrt                   Not Found
Nancy       azxs83                       Not Found
Steve       Gpaomt                       Not Found
Tom         66tt                         66tt            Giants
William     dfs4f                        Not Found

Exhibit 5: Ordinary Hashing Can Be Cracked Quickly

This exhibit illustrates the clear-text passwords (column A) from Exhibit 1, their values after being hashed (B) by LAN Manager, and the brief amount of time (C) it would take a hacker to crack the hashed passwords by using the hacker program Ophcrack. Cracking a Vista password is possible, but it takes longer. The time values in column C below were recorded by the author as he used Ophcrack to decode the hashed passwords in column B. Anyone using Ophcrack should have similar results.

            A                     B                                  C
User Name   Clear-Text Password   LAN Manager-Hashed Password        Minutes & Seconds to Crack
Amy         Jhjklhf               9e1c6fde38d236d0aad3b435b51404ee   3:39
Betty       Giants                4a24a40df0a37fd3aad3b435b51404ee   3:22
Jenny       Giants                4a24a40df0a37fd3aad3b435b51404ee   3:22
Karen       rollinriver           fdb30d8b81af25ef6a24d62438290ba9   6:05
Mike        Imhappy               af0e3973994ebb24aad3b435b51404ee   1:17
Nancy       H553f83               f6ed43566b1c84ccaad3b435b51404ee   1:30
Steve       pizzalover63          753c086c08af27e74630fc68a98b195a   7:53
Tom         Giants                4a24a40df0a37fd3aad3b435b51404ee   3:22
William     Mypass                92315c8b485693a7aad3b435b51404ee   1:48

Exhibit 6: Salted Hash: The Best Defense

XYZ Bank employee Betty uses "Giants" as her password. When she creates it, the system will generate a random salt string (for example, "454px") and add it to the beginning of her password, which will become "454pxGiants." The system then will hash that value, converting it to "zz79xt964" and placing the result in the password table, as shown below. Although Betty, Jenny and Tom have the same clear-text password (that is, "Giants"), each of them has a different salted hashed version of that password.

Note: As illustrated below, the system administrator should maximize security by storing salt values in a table separate from the password table.

Salt Table

User Name   Salt
Amy         7ge3g
Betty       454px
Jenny       dh888
Karen       757jj
Mike        Fgnj8
Nancy       655mm
Steve       m8g6
Tom         ba52m
William     z9p00

Salted Hashed Password Table

User Name   Salted Hashed Password
Amy         65451hf
Betty       zz79xt964
Jenny       b2dern666tt
Karen       xcds64jfh
Mike        odsufshgnm85n
Nancy       977nnh43h57f
Steve       uvd3hjdfg44y45
Tom         vsdm3fda259mg
William     dkhfpree33mfy