Co-authored by Matthew Losanno and Emmett Jorgensen
Sony Breach Highlights the Importance of Securely Storing Passwords
Most people in IT circles understand the importance of a strong password. We're reminded constantly, every time we set up a new account or are reminded to change our password on a website or our corporate computers.
Some sites even have a meter telling us if the password is considered weak or strong, with tips on how to make it stronger and more secure.
But have you ever stopped to wonder how the website or application you are using knows your password is correct? Simple, it stores a copy of your password (whether as a hash, encrypted, or in plain text) in order to verify a match every time you login.
Essentially there are two versions to every password; the password that the user enters at the login screen, and the password stored on the website/server for authentication.
This, of course, begs the question; how secure is the location of the password stored for authentication?
As the recent Sony breach demonstrates, securely storing the password is just as, if not more, important than the strength of the password itself. In this article recently posted by CNET, Lulzsec, the group claiming responsibility for the most recent breach states, "This target gave us LOLs as it provided internal release dates of records, barcodes, sales reports, and plaintext Sony employee passwords."
This serves as a strong reminder that it doesn't matter how strong your password is if the corresponding authentication password is stored in plaintext. If a hacker knows that the password for your SQL database is stored as plaintext in a file, that's the first place they'll check. After all, why try to guess a password if you can just copy and paste it?
A good example of unsecure password storage is LANMAN or LM Hash. Many of you may know about LANMAN. It stands for Local Area Network Manager and was developed by Microsoft.
When networks first emerged, LANMAN was developed as a common denominator for storing your user password. Since each different vendor stored passwords in a proprietary encryption, this method allowed password exchange between other non-Microsoft networks.
LANMAN is now obsolete, and is disabled by default on Windows Vista, Windows 7, and Server 2003+. This is because LANMAN commits several security mistakes. First, that password you created that is super-strong (20+ characters with upper and lower case letters, numbers and symbols) gets stripped down.
The password is cut off after 14 characters. All the lowercase characters are converted to uppercase and if the password is less than 14 characters it gets padded (with one character repeating until a length of 14 is reached).
To make matters worse, it is encrypted with DES, which is no longer considered secure.
I'm not trying to discredit LANMAN, since that has been thoroughly accomplished already. The point I'm trying to make is that a security measure (password, encryption, etc.) is only as strong as its weakest link. That is why it is important to make sure that the password is strong and its storage location is properly protected as well.
Secure password storage is crucial to any secure system. From sites such as Sony, to operating systems, to data backups on encrypted hard drives or thumb drives, if the password is in plaintext your account and data is not safe.
One method of confirming the security of a system is through the use of common industry guidelines. FIPS 140-2 and Common Criteria are two standards that make a good baseline for your metrics. These standards have minimum requirements that must be met to achieve certification.
Although certifications like FIPS 140-2 and Common Criteria are an excellent starting point, common industry standards won't always protect you. Sony was reportedly hacked with a simple SQL injection.
In the secure USB world, Sony, Verbatim, and Kingston met some of the minimum requirements for FIPS 140-2 and were subjected to a devastating password matching flaw.
In addition to industry guidelines, it is important to work with companies that have a good track record with security products. Ask a lot of questions and use some common sense. Remember, it doesn't matter how many locks are on the front door if the back door is left open.
Matthew Losanno is a senior product manager at Kanguru Solutions specializing in security, integration, and development.