Evaluation of Passwords
By Chlotia P. Garrison | May 2008
Electronic data storage, although convenient, increases the opportunity for unauthorized persons to improperly access data. Accountants often have access to personal information that, if compromised, could make clients and employees susceptible to identity theft, potentially damaging their reputation and leading to legal liability.
According to the Privacy Rights Clearinghouse (www.privacyrights.org/ar/ChronDataBreaches.htm), more than 220 million data breaches of personal information occurred between January 10, 2005, and March 24, 2008, nearly 160 million of which involved hacking. These breaches occurred at a variety of organizations, from schools and financial institutions to government agencies and even the AICPA.
Most document management systems have some form of password security, but weak passwords increase the probability that a hacker can gain access to a system. The best defense is to have a strong password that cannot be easily hacked. Many individuals are unaware of how easy it would be for security to be compromised by a password that a hacker could crack in a relatively short period of time.
At a CPA continuing education technology conference, the session leader asked the attendees of a computer security session to write down their passwords to determine their vulnerability. Only one participant questioned the validity of providing the password, and everyone shared their password with someone they had never seen before. It is a basic security measure that passwords should not be shared. The ease with which participants revealed their passwords may be surprising, but multiple surveys have shown that this is a common occurrence. Biometric technology is not mature enough to replace passwords, and many companies are unable or unwilling to spend the money needed for automatic password systems. The burden, therefore, often falls on the user to select strong passwords and keep them confidential.
An analysis of the passwords received from the computer security session revealed the following:
Exhibit 1 identifies the number of participants with passwords containing upper- and lower-case letters, symbols, numbers, or a dictionary word.
“Cracker,” “breaker,” or “recovery” software is readily available to hackers, allowing them to test thousands or even millions of passwords per second. Some software uses only the brute-force method, which tests every combination of letters, numbers, and symbols. Most password-cracking software works faster by supplementing this capability, for example with a dictionary cracker that tests passwords against known words in various languages. Additional software features may uncover cached passwords, analyze routing protocols, try sequences of adjacent keys on a keyboard, test common passwords, or use network sniffers or encryption key crackers.
Evaluating the 35 passwords obtained at the CPA technology conference reveals a need to enforce strong-password policies. Almost half (48.6%) could be cracked in less than one week. Another 20% could be cracked in one to four months. Only 31% of participants had passwords that would take several years to crack using the brute-force method. Using multiple computers and supplemental methods would shorten the time. Exhibit 2 presents the length of time to crack the passwords in six categories, ranging from one minute to greater than nine years. Exhibit 3 shows the effects of various password characteristics on brute-force cracking time.
Require passwords to be a minimum of eight characters. Passwords of fewer than eight characters can easily be cracked using even the slowest brute-force method. Even with a combination of upper- and lower-case letters, numbers, and symbols, the longest time to crack a six-character password is roughly five hours.
Do not use dictionary words, acronyms, or common permutations in any language. Dictionaries can be downloaded for free in multiple languages, and enhanced wordlists created specifically for use with cracking software are also available.
Require passwords to contain upper- and lower-case letters, numbers, and symbols. A potential hacker would likely give up before a password of sufficient length containing these characteristics is cracked. Capital letters, numbers, and symbols should not just be used at the beginning or end of a password because the software recognizes this as a common pattern, which shortens the cracking time.
Do not use personal information. Cracking software will try permutations of usernames. It is also easy to obtain personal information such as a user’s address, birthdate, or names of family members.
Limit the number of times a person can incorrectly enter a password. Limiting the number of authentication attempts that can be performed in a certain timeframe prevents password-cracking software from trying thousands of passwords per second. Systems commonly accept three failed attempts before locking a user out of the system.
Restrict document access. Like paper documents stored in locking cabinets, electronic files should be restricted to allow access only to authorized users. Sensitive information should be compartmentalized so a person can access only the information needed.
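The brute-force arithmetic behind Exhibits 2 and 3 and the password rules above, as an added example that is not part of the original article: the keyspace a cracker must search is the alphabet size raised to the password length, and the worst-case time is that keyspace divided by the guess rate. The guess rate, the sample wordlist, and the policy-check function are assumptions made here for illustration, not figures from the article.

```python
import string

# Character-class sizes a brute-force cracker must cover (printable ASCII, no space).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, len(string.punctuation)  # 32 symbols
ALL_CLASSES = LOWER + UPPER + DIGITS + SYMBOLS                         # 94

# Constructed stand-in for a downloadable dictionary / enhanced wordlist.
SAMPLE_WORDLIST = {"password", "welcome", "summer", "letmein", "account"}


def charset_size(password: str) -> int:
    """Alphabet size a brute-force search needs to reach this password."""
    size = 0
    if any(c.islower() for c in password): size += LOWER
    if any(c.isupper() for c in password): size += UPPER
    if any(c.isdigit() for c in password): size += DIGITS
    if any(c in string.punctuation for c in password): size += SYMBOLS
    return size


def keyspace(alphabet: int, length: int) -> int:
    """Number of candidates of exactly `length` characters over `alphabet` symbols."""
    return alphabet ** length


def seconds_to_exhaust(alphabet: int, length: int, guesses_per_second: float) -> float:
    """Worst-case brute-force time at an assumed guess rate (rate is an assumption)."""
    return keyspace(alphabet, length) / guesses_per_second


def policy_findings(password: str, username: str, wordlist=SAMPLE_WORDLIST) -> list:
    """Return the article's rules this password violates; an empty list means it passes."""
    findings = []
    if len(password) < 8:
        findings.append("shorter than eight characters")
    if charset_size(password) < ALL_CLASSES:
        findings.append("missing a character class (upper, lower, digit, symbol)")
    # Strip digits/symbols from the ends: "Summer99!" still rests on a dictionary word.
    core = password.strip(string.digits + string.punctuation).lower()
    if core in wordlist or password.lower() in wordlist:
        findings.append("built on a dictionary word")
    u = username.lower()
    if u and (u in password.lower() or u[::-1] in password.lower()):
        findings.append("contains the username or its reversal")
    # Upper-case, digits and symbols only at the ends is a pattern crackers try first.
    inner = password.strip(string.ascii_uppercase + string.digits + string.punctuation)
    if inner and inner.isalpha() and inner.islower() and inner != password:
        findings.append("upper-case, digits and symbols only at the ends of the password")
    return findings
```

Running `policy_findings("Summer99!", "jsmith")` flags the dictionary core and the ends-only pattern even though all four character classes are present, which is the point of the third rule above.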
Chlotia P. Garrison, PhD, is an assistant professor of computer science, specializing in software engineering, at Winthrop University, Rock Hill, S.C.