Report Highlights Need for Enterprises to Implement Proper Password Security Policies and Procedures, Treat as Highly Valuable Data.
Imperva, the data security company that recent went public, today released a report detailing the growing level of information and tools available to help hackers breach passwords, and some of the things organizations can do in order mitigate the effectiveness of password crackers.
The report, “Imperva Enterprise Password Worst Practices,” follows a 2009 report from the company on poor consumer password practices.
As part of its research, Imperva analyzed a list of nearly 100,000 passwords that were exposed following a data breach at FilmRadar.com, a website for film enthusiasts.
What did they learn? First off, FilmRadar had stored user passwords in a digested format, using the SHA1 hash function, a common method used to secure applications and protocols. But according to Imperva, storing user passwords in this manner isn’t enough.
“Contrary to common belief, cryptographic hash functions in general – whether they are SHA-1 or any other cryptographic function – are not impervious to hackers,” the report notes. “The strength of a hash function, even if mathematically proven to be unbreakable, does not play a role in the cracking game.” The security function or algorithm itself doesn’t matter so much, as attackers can bypass the cryptographic measures and guess the hashed passwords.
Rainbow tables are precomputed sets of data containing hash values from many combinations of alphanumeric characters. Although creating the rainbow tables is a lengthy process, they are created only once. When a hash value is obtained it can be quickly looked up in the table to find the corresponding password. Easy right? Yes and no. As the length of passwords grow, the process and computational power becomes increasingly difficult.
But hackers believe firmly that creating such tables are a worthwhile investment, since after the rainbow tables are generated they can be used over and over again. In its research, Imperva identified a hacker website that developed a 50 billion value rainbow table and made it available to the public.
Password cracking tools that make use of rainbow tables and dictionaries are abundant, with most available free for anyone to download. Some popular cracking tools include MD5 decrypter, Cyberwar Zone, Cain and Able, and John the Ripper.
Dictionaries. About as simple as it gets, password dictionaries list common passwords together with a pre-calculated hash value. Using the data, a hacker can compare a digest with the pre-computed values to determine a match. Dictionary attacks continue to be an effective technique to crack passwords since many people have the tendency to use common passwords.
While many consumer-oriented websites have been the subject of recent cyber attacks, including the likes of FilmRadar.Com, RockYou.Com, Sony, and many more, Imperva thinks its time for more enterprises to get more serious about password protection and treat passwords as as highly valuable data.
“Instead of consumers, we believe responsibility rests on enterprises to put in place proper password security policies and procedures as a part of a comprehensive data security discipline,” explained Imperva CTO Amichai Shulman.
So what can site owners do to mitigate the effectiveness of password crackers?
To help protect against rainbow table attacks, Imperva recommends “salting”. A salt value is a random value pre-pended to the password before it gets encrypted. How is it effective? The added value increases the computational resources required to break the passwords exponentially. According to Imperva, a salt of just a three bit length increases the storage and pre-computation time of rainbow tables eightfold.
It’s important to know that “salting” by no means makes passwords hack-proof, it just increases the resources required to guess a password.
Other steps that Imperva recommends enterprises undertake in order to mitigate password breaches include:
Using passphrases: Allow users to choose longer passwords that are easier to remember. Passphrases provide the necessary length yet do not require the user to write down the secret on a note left on the worker’s desk.
Enforce strong password policy: This doesn’t mean just applying restrictions on the character types, but also by comparing against dictionaries used by attackers. Microsoft recently banned the usage of common passwords in Hotmail. This also means defining and banning site-specific passwords, as well as banning numerical or keyboard sequences.
While passwords are a common and convenient authentication method, when stored incorrectly they can cause many headaches in the event of a breach. Passwords in the enterprise need to be treated by developers and security teams as highly valuable data – even if other security mandates such as PCI compliance don’t apply.
The full report from Imperva is available here in PDF format.