Password Management Strategies for Safer Systems

Foil hackers. Strengthen and protect your systems’ passwords.

July 2009
by James Leon/Journal of Accountancy

All of your business systems’ users have confidential passwords. Does that mean your system and its contents are safe? Definitely not. As this article explains, organizations that don’t ensure the ongoing security of their passwords are exposing themselves to fraud and potential liability by failing to protect confidential information.

Recent years have seen a surge in the sophistication and volume of hacker attempts to gain unauthorized access to online proprietary corporate information and processes. Moreover, a growing list of federal, state and local laws and regulations requires organizations to safeguard the privacy of customer and employee data in their systems. In response, system managers have had to impose strict measures governing the creation and periodic revision of passwords, as well as the number of incorrect attempts to enter a password the system will allow before it locks the user out of the account.

Such requirements do improve security. But because fraudsters stand to gain — perhaps greatly — they continue to devise ingenious and often very successful ways to decode, or crack, employee and/or customer passwords. To help you defeat such attacks, this article explains hackers’ various techniques and illustrates detailed countermeasures that can foil most, if not all, attempts to crack your passwords.

This article discusses techniques for preserving the security of passwords that control access to a system. It complements Managing Multiple Identities, which addresses the risks associated with users who have separate IDs and passwords on multiple systems and applications. The following discussion and examples apply to any kind of system and pertain equally to an organization’s employees and any customers who use its systems. For clarity, the examples in this article employ very brief passwords and other character strings. In actual practice, effective security requires passwords and strings much longer than those in the following illustrations.

Maintaining Secrecy

The system administrator is responsible for maintaining all passwords in a table and for employing due diligence to safeguard their confidentiality and, thus, enforce system security. A password table is an electronic dataset of columns and rows listing each user’s ID and password (see Exhibit 1). When a user attempts to log in, the system compares the ID and password the user enters with the values in the password table. If they match, the system admits the user.
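The login check described above (compare the submitted ID and password with the row in the password table, and lock the account after too many incorrect attempts, as the introduction mentions) can be written out in a few dozen lines. The following is an added example, not code from the article or from the Journal of Accountancy; it assumes an in-memory table, a PBKDF2-HMAC-SHA256 verifier in place of the plaintext password, and a lockout threshold of five failed attempts, all of which are choices made here for illustration rather than values the article specifies. The point it shows is that the table can do its job without ever holding the password itself, so a copied table does not hand an attacker every account.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Illustrative parameters (assumed, not from the article). Production systems
# should follow current guidance on iteration counts and lockout policy.
PBKDF2_ITERATIONS = 100_000
MAX_FAILED_ATTEMPTS = 5
_DUMMY_SALT = b"\x00" * 16


def make_verifier(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is given,
    so two users with the same password still get different table rows."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


class PasswordTable:
    """One row per user ID: salt, verifier, failed-attempt counter, lock flag.
    The plaintext password is never stored."""

    def __init__(self) -> None:
        self._rows: Dict[str, dict] = {}

    def add_user(self, user_id: str, password: str) -> None:
        salt, verifier = make_verifier(password)
        self._rows[user_id] = {
            "salt": salt, "verifier": verifier, "failed": 0, "locked": False
        }

    def is_locked(self, user_id: str) -> bool:
        row = self._rows.get(user_id)
        return bool(row and row["locked"])

    def login(self, user_id: str, password: str) -> bool:
        """The check the article describes: compare what the user entered with
        the table row, and lock the account once the failure limit is hit."""
        row = self._rows.get(user_id)
        if row is None:
            # Do the same amount of work for an unknown ID so response time
            # does not reveal which IDs exist in the table.
            make_verifier(password, _DUMMY_SALT)
            return False
        if row["locked"]:
            return False
        _, candidate = make_verifier(password, row["salt"])
        # Constant-time comparison avoids leaking how many bytes matched.
        if hmac.compare_digest(candidate, row["verifier"]):
            row["failed"] = 0
            return True
        row["failed"] += 1
        if row["failed"] >= MAX_FAILED_ATTEMPTS:
            row["locked"] = True
        return False

    def row_as_stored(self, user_id: str) -> Optional[str]:
        """What an administrator (or a thief) sees in the table: hex salt and
        digest only, no password."""
        row = self._rows.get(user_id)
        if row is None:
            return None
        return f"{user_id},{row['salt'].hex()},{row['verifier'].hex()}"


if __name__ == "__main__":
    # Constructed sample session: one user, one good login, then repeated
    # wrong guesses until the account locks.
    table = PasswordTable()
    table.add_user("jsmith", "Tr0ub4dor&3")  # constructed credentials
    print("stored row:", table.row_as_stored("jsmith"))
    print("correct password accepted:", table.login("jsmith", "Tr0ub4dor&3"))
    for _ in range(MAX_FAILED_ATTEMPTS):
        table.login("jsmith", "guess")
    print("locked after repeated failures:", table.is_locked("jsmith"))
    print("correct password while locked:", table.login("jsmith", "Tr0ub4dor&3"))
```

Note that the failure counter resets on a successful login but the lock does not clear itself; unlocking is left to an administrator action, which keeps the decision with the person the article makes responsible for the table.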

This article has been excerpted from the Journal of Accountancy.