How to create a secure password system

EXPERT RESPONSE FROM: Joel Dubin, past SearchSecurity.com expert

QUESTION POSED ON: 04 November 2005
I am a senior information security director. My company wants to use the last four digits of an employee's social security number, mother's maiden name and city of birth for a project's password authentication system. What security issues should I be concerned with, if any, when we use this information (particularly the last four digits of the SSN)?

There are some huge security risks in the system you describe, the least of which is the use of part of the social security number.

Depending on the size and location of your organization, the proposed authentication system could have enough duplication to be exploited by a hacker. There could easily be two, or more, people both having a common last name, like "Smith," as their mother's maiden name, and both born in the same city. If your organization is located in a large city, these duplicate combinations could be even more common than expected.

It would be trivial for an attacker to write a script to iterate over a list of common last names and city names to crack this password system. The last four digits of the social security number, which aren't likely to be duplicated, still pose a problem, privacy issues aside. There are only 10,000 iterations between 0000 and 9999, which a script can run over in a fraction of a second. So, four digits of the social security number is no barrier to the determined intruder.

If the intruder was a clever social engineer and had done his or her homework and was able to get a list of your employees' names, before even writing a script, this would be lethal. The attacker could then write a finely honed script with those user names and narrow down their search for passwords and have unfettered access to your systems.

These types of attacks that use scripts iterating over common words and names are called dictionary attacks because the information can be acquired from a dictionary.

I recommend using something less common and more cryptic to identify your users for a password system. Look for some combination of internal employee numbers that aren't used outside the company mixed with other less common identifiers than names (mother's maiden name or otherwise) and cities. And, of course, make sure that whatever you use is longer than eight characters and contains a mix of letters and numbers, and no easily recognizable words or common names.

There isn't a magical formula that provides a secure password system with employee identifiers. However, the proposed system is weak, at best.
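
A rough way to put numbers on the duplication and small-keyspace concerns raised in the answer above. This is an added example, not part of the original response; the name and city frequencies, the tail sizes, the 5,000-person workforce and the uniformly random 9-character comparison password are constructed assumptions.

```python
import math

# Constructed frequencies (assumptions, not census data): share of employees
# with each mother's maiden name / city of birth, most common values first.
SURNAME_HEAD = [0.05, 0.04, 0.03, 0.03]   # e.g. "Smith" at 5%
CITY_HEAD = [0.40, 0.25, 0.10]            # company's home city at 40%
SSN4_VALUES = 10_000                      # 0000-9999, assumed uniform


def full_dist(head, tail_count):
    """Head probabilities plus the leftover mass spread over `tail_count` rare values."""
    rest = (1.0 - sum(head)) / tail_count
    return head + [rest] * tail_count


def min_entropy_bits(dist):
    """Bits of protection against a guess at the single most likely value."""
    return -math.log2(max(dist))


def collision_prob(dist):
    """Probability that two independently drawn people share the same value."""
    return sum(p * p for p in dist)


def scheme_report(n_employees, surname_tail=1000, city_tail=50):
    """Strength and duplication estimates for name + city + SSN last-4 secrets."""
    names = full_dist(SURNAME_HEAD, surname_tail)
    cities = full_dist(CITY_HEAD, city_tail)
    ssn4 = [1.0 / SSN4_VALUES] * SSN4_VALUES
    pairs = math.comb(n_employees, 2)
    name_city_collision = collision_prob(names) * collision_prob(cities)
    return {
        # Independent attributes: min-entropies add.
        "name_city_bits": min_entropy_bits(names) + min_entropy_bits(cities),
        "scheme_bits": sum(min_entropy_bits(d) for d in (names, cities, ssn4)),
        # Comparison: 9 characters drawn uniformly from a-z, A-Z, 0-9.
        "random_9_alnum_bits": 9 * math.log2(62),
        # Expected number of employee pairs with identical secrets.
        "pairs_sharing_name_city": pairs * name_city_collision,
        "pairs_sharing_full_secret": pairs * name_city_collision * collision_prob(ssn4),
    }


if __name__ == "__main__":
    for key, value in scheme_report(5000).items():
        print(f"{key:28s} {value:10.2f}")
```

Under these assumptions the whole scheme offers under 19 bits against its most likely value, versus more than 53 bits for the random password, and a couple of employee pairs are expected to share an identical secret even with the SSN digits included.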

