Application Security // Database Security
1/25/2012
11:05 PM
Connect Directly
RSS
E-Mail
50%
50%

Database Password Storage Exposes Need For Better ID Management

DreamHost and other password breaches show weaknesses in the way passwords are stored

The recent hack against a database full of FTP passwords held by Web hosting firm DreamHost highlights a growing database breach trend that’s seeing password stores exposed by the boatload. Though these databases contain sensitive authentication information, they’re often left far less protected than databases containing PII. Experts warn that if organizations are truly serious about their security and compliance programs, they need to either find better ways to secure the passwords in the databases they’re distributed across the network, or look for alternatives that will ditch this method of storage altogether.

First brought to light last week, the DreamHost breach exposed FTP credentials of all its shared hosting accounts when hackers broke into a database that contained a legacy table storing passwords in plain text.

“This particular breached database contained customer credentials to the FTP server. This allows potential hackers to use these credentials in order to impersonate customers when accessing the FTP server,” says Noa Bar-Yosef, senior security strategist at Imperva, “the impact of which is to access customer documents, download the documents and even upload their own documents.”

According to Bar-Yosef, in addition to following ground rule No. 1 of database security — know where your data resides — DreamHost clearly failed to follow some best practices for password storage within the database.

“To secure user passwords, companies need to put in a strong password policy as well as digesting the passwords before encryption. Hackers are notorious for breaking encrypted passwords very quickly. The point here is to make their job more difficult,” she says. “This includes not only the banning of common passwords, but also banning keyboard sequences. Using passphrases instead of passwords is also a good practice since they provide the necessary length to prevent effective brute-forcing of passwords.”

Meanwhile, Bar-Yosef believes most organizations need to up their game when it comes to encrypting passwords. Simple encryption is not enough.

“Hackers employ techniques such as rainbow tables to find the original passwords,” she says. “However, salted digests -- i.e., a random value added to each password -- make the hacker’s task of breaking the passwords much more difficult.”

However, some authentication experts argue that the conversation about password storage in databases should be taken to another level beyond doling out best practices advice. They say that these breaches could be prevented by avoiding storing these passwords in unsecured, distributed databases in the first place.

“Our perspective is to get rid of the whole concept of passwords in databases from day one,” says offer Adam Bosnian, executive vice president of Cyber-Ark Software, a privileged identity management firm. “Put a secure credential management system on the front end, and all of this goes away.”

Bosnian says that developers tend to reinvent the identity management wheel every time they spit out an app, essentially hard-coding password management into their middleware and storing passwords hari kari in unsecured databases that are difficult to centrally manage and secure.

This kind of decentralization can prove dangerous for organizations, says Leonid Shtilman, CEO of Viewfinity, another privileged identity management company.

“Those accounts are actually hidden from the IT manager’s standard tracked list of administrative accounts managed by Active Directory and can be used by malware to install malicious software on local computers through the ‘local’ administrator account,” Shtilman says. “Further penetration into the IT environment is then accessible by capturing passwords, including passwords for access to critical data. It is essential that IT security and operations managers have a method for mitigating this risk.”

According to Phil Lieberman, CEO of Lieberman Software, a privileged identity management company, the tools exist to address this problem. The real issue is making anyone care enough to deploy them.

“Web applications use a stack of middleware that contains sensitive credentials as well as database credentials that are generally not proactively managed. This situation is a result of both a lack of resources and skill to manage the password change process,” says Lieberman, who explains his firm has been refining technology to automate credentials in middleware stacks for the better part of a decade. “IT admins and database administrators neither get rewarded nor penalized for the poor management of credentials, and senior management frequently has no idea what middleware is, and even fewer understand what connection strings are, as well as how they contain credentials and how these need to be managed.”

Even when an organization buys into a platform, they still may see passwords scattered with the winds if the developers aren’t on board. It’s a problem that Bosnian’s customers see even after they’ve deployed, as the developers for every department have to be retrained to use the identity management platform their business has already paid for.

“The app development teams keep putting hard-coded credentials in the system because the two sides haven’t connected yet,” he says. “They have to create a mandate from the top to say, ‘Thou shalt use the tool we already have to make sure this stuff doesn’t happen.’”

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-4988
Published: 2014-07-09
Heap-based buffer overflow in the xjpegls.dll (aka JLS, JPEG-LS, or JPEG lossless) format plugin in XnView 1.99 and 1.99.1 allows remote attackers to execute arbitrary code via a crafted JLS image file.

CVE-2014-0207
Published: 2014-07-09
The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0537
Published: 2014-07-09
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via uns...

CVE-2014-0539
Published: 2014-07-09
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via uns...

CVE-2014-3309
Published: 2014-07-09
The NTP implementation in Cisco IOS and IOS XE does not properly support use of the access-group command for a "deny all" configuration, which allows remote attackers to bypass intended restrictions on time synchronization via a standard query, aka Bug ID CSCuj66318.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.