Academic journal article Journal of Accountancy

Password Management Strategies for Safer Systems: Foil Hackers. Strengthen and Protect Your Systems' Passwords

Article excerpt

EXECUTIVE SUMMARY

* A business system's users, managers and auditors share responsibility for its safety under the principle of due care. Proper management of system passwords is critically important to system security.

* Compelling reasons to ensure system security include not only the welfare of the organization, but its obligation to protect the privacy of confidential information within the system.

* Password management consists of more than selection of character strings not easily deduced by unauthorized parties. Various techniques, including simple precautions, can improve password security.

* Managers and auditors should familiarize themselves with the tools and techniques hackers use as well as proactive countermeasures, including advanced password encryption and system security evaluations.

* Before adopting a strategy, managers should understand the strengths and weaknesses of their current system and the criteria for determining whether to augment it or replace it with something more advanced.

* Those efforts should not delay immediate implementation of "safe computing" practices to mitigate the risk of compromised password security.

* When deciding whom to engage for help in creating or enhancing encryption functionality, managers should evaluate the knowledge, skills and abilities of in-house staff as well as those of third-party security experts.

**********

All of your business systems' users have confidential passwords. Does that mean your system and its contents are safe? Definitely not. As this article explains, organizations that don't ensure the ongoing security of their passwords are exposing themselves to fraud and potential liability by failing to protect confidential information.

Recent years have seen a surge in the sophistication and volume of hacker attempts to gain unauthorized access to online proprietary corporate information and processes. Moreover, a growing list of federal, state and local laws and regulations requires organizations to safeguard the privacy of customer and employee data in their systems. In response, system managers have had to impose strict measures governing the creation and periodic revision of passwords, as well as the number of incorrect attempts to enter a password the system will allow before it locks the user out of the account.

Such requirements do improve security. But because fraudsters stand to gain--perhaps greatly--they continue to devise ingenious and often very successful ways to decode, or crack, employee and/or customer passwords. To help you defeat such attacks, this article explains hackers' various techniques and illustrates detailed countermeasures that can foil most, if not all, attempts to crack your passwords.

This article discusses techniques for preserving the security of passwords that control access to a system. It complements "Managing Multiple Identities" (JofA, Sept. 08, page 38), which addresses the risks associated with users who have separate IDs and passwords on multiple systems and applications. The following discussion and examples apply to any kind of system and pertain equally to an organization's employees and any customers who use its systems. For clarity, the examples in this article employ very brief passwords and other character strings. In actual practice, effective security requires passwords and strings much longer than those in the following illustrations.

MAINTAINING SECRECY

The system administrator is responsible for maintaining all passwords in a table and for employing due diligence to safeguard their confidentiality and, thus, enforce system security. A password table is an electronic dataset of columns and rows listing each user's ID and password (see Exhibit 1). When a user attempts to log in, the system compares the ID and password the user enters with the values in the password table. …
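The lookup this paragraph describes, as an added example that is not from the article: a Python sketch of an ID/password table with the login check the paragraph outlines, beside the same table storing a per-user salt and a PBKDF2 hash instead of the password itself, so that someone who reads the table does not thereby obtain every password (the kind of "advanced password encryption" the summary refers to). The user IDs, passwords and iteration count are constructed assumptions, not the contents of Exhibit 1.

```python
"""Password-table lookup, first as the paragraph describes it (ID and
password stored side by side), then with a salted PBKDF2-HMAC-SHA256
hash in place of the password. Added example; the users below are
constructed sample data, not the article's Exhibit 1."""
import hashlib
import hmac
import os

# Constructed sample users (assumption, for illustration only).
SAMPLE_USERS = {"jsmith": "Tr0ub4dor&3", "mlee": "correct horse"}

# --- Variant 1: the table as the paragraph describes it ---------------
def build_plaintext_table(users):
    """Rows of user_id -> password. Whoever reads this table holds every
    password, which is why its confidentiality is the administrator's burden."""
    return dict(users)

def login_plaintext(table, user_id, password):
    """Compare the entered ID and password with the stored row."""
    stored = table.get(user_id)
    if stored is None:
        return False
    # Constant-time comparison so timing does not reveal how many
    # leading characters matched.
    return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))

# --- Variant 2: same table, but storing salted hashes ------------------
ITERATIONS = 200_000  # assumed work factor; raise it as hardware allows

def hash_password(password, salt=None):
    """Return (salt, digest); a fresh 16-byte salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def build_hashed_table(users):
    """Rows of user_id -> (salt, digest). A unique salt per row means two
    users with the same password get different digests, so a precomputed
    table of digests is useless against this table."""
    return {uid: hash_password(pw) for uid, pw in users.items()}

def login_hashed(table, user_id, password):
    """Re-derive the digest from the entered password and the stored salt."""
    row = table.get(user_id)
    if row is None:
        # Do the same work for an unknown ID so the response time does not
        # tell an attacker which IDs exist.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored_digest = row
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(stored_digest, digest)

def table_leaks_passwords(table):
    """True if any sample user's row is the password itself."""
    return any(table[uid] == pw for uid, pw in SAMPLE_USERS.items())

if __name__ == "__main__":
    pt = build_plaintext_table(SAMPLE_USERS)
    ht = build_hashed_table(SAMPLE_USERS)
    print("plaintext login, right password:", login_plaintext(pt, "jsmith", "Tr0ub4dor&3"))
    print("hashed login, right password:   ", login_hashed(ht, "jsmith", "Tr0ub4dor&3"))
    print("hashed login, wrong password:   ", login_hashed(ht, "jsmith", "wrong"))
    print("plaintext table reveals passwords:", table_leaks_passwords(pt))
    print("hashed table reveals passwords:   ", table_leaks_passwords(ht))
```

The second variant keeps the login check the paragraph describes, but the value compared is a digest derived from the entered password, so the administrator's table no longer has to be kept secret to the same degree: a copy of it gives an attacker a set of slow, salted hashes to guess against rather than the passwords themselves. The check still depends on the rules the article goes on to discuss (length, lockout after repeated failures), since a short or guessable password falls to guessing regardless of how it is stored.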
