Computerworld - It's unprofessional to break down and sob during a meeting, but I came pretty close a few times this week as I finally began to understand the details of the IT security systems and processes my new company uses to protect itself.
I'm fairly new here, so there's a lot I still don't know. But it wasn't long before it became clear to me that things are deeply wrong. It seems like every week, I uncover layer upon layer of seemingly minor issues that undermine a lot of what we do.
This week, it was passwords. The main problem is that they're easily guessed and frequently shared. My security team continually tells users that they must pick strong passwords and not share them. But we've been unclear with users about what counts as a strong password because we've been unsure about it ourselves.
Most computer systems store a one-way encrypted password in a database. When you attempt to log in, they encrypt what you type and compare that to the stored value. If both match, the system logs you in.
If an attacker can connect to a server, he can attempt to guess the password by just trying various words; password, secret and jamesbond are favorites. But if an attacker can steal the encrypted list or password file, he can launch a more insidious attack. Instead of connecting to the server -- a slow and sometimes detectable process -- he can take a dictionary of common words and encrypt them using the same process as the server and store each in a lookup table.
If an attacker wanted to break into more than one operating system, he'd need one table for Windows servers and three for the three main kinds of Unix. Then, once he'd stolen the encrypted passwords, he could just look in the table and see which word each matched.
A hacker launching an online attack is likely to make a few hundred guesses before he's spotted or moves on. But an off-line attack can cover hundreds of thousands of passwords every second.
The problem is that operating systems' core method of storing passwords hasn't changed for many years, but the speed of computers has increased thousands of times. It has reached the point where if your encrypted Windows password file is stolen, even a low-end hacker has enough computing power to break it in a few days.
It would be nice to be able to make sure that nobody can access our password file and to teach
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
