Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Database Security

1/25/2012
11:05 PM
50%
50%

Database Password Storage Exposes Need For Better ID Management

DreamHost and other password breaches show weaknesses in the way passwords are stored

The recent hack against a database full of FTP passwords held by Web hosting firm DreamHost highlights a growing database breach trend that’s seeing password stores exposed by the boatload. Though these databases contain sensitive authentication information, they’re often left far less protected than databases containing PII. Experts warn that if organizations are truly serious about their security and compliance programs, they need to either find better ways to secure the passwords in the databases they’re distributed across the network, or look for alternatives that will ditch this method of storage altogether.

First brought to light last week, the DreamHost breach exposed FTP credentials of all its shared hosting accounts when hackers broke into a database that contained a legacy table storing passwords in plain text.

“This particular breached database contained customer credentials to the FTP server. This allows potential hackers to use these credentials in order to impersonate customers when accessing the FTP server,” says Noa Bar-Yosef, senior security strategist at Imperva, “the impact of which is to access customer documents, download the documents and even upload their own documents.”

According to Bar-Yosef, in addition to following ground rule No. 1 of database security — know where your data resides — DreamHost clearly failed to follow some best practices for password storage within the database.

“To secure user passwords, companies need to put in a strong password policy as well as digesting the passwords before encryption. Hackers are notorious for breaking encrypted passwords very quickly. The point here is to make their job more difficult,” she says. “This includes not only the banning of common passwords, but also banning keyboard sequences. Using passphrases instead of passwords is also a good practice since they provide the necessary length to prevent effective brute-forcing of passwords.”

Meanwhile, Bar-Yosef believes most organizations need to up their game when it comes to encrypting passwords. Simple encryption is not enough.

“Hackers employ techniques such as rainbow tables to find the original passwords,” she says. “However, salted digests -- i.e., a random value added to each password -- make the hacker’s task of breaking the passwords much more difficult.”

However, some authentication experts argue that the conversation about password storage in databases should be taken to another level beyond doling out best practices advice. They say that these breaches could be prevented by avoiding storing these passwords in unsecured, distributed databases in the first place.

“Our perspective is to get rid of the whole concept of passwords in databases from day one,” says offer Adam Bosnian, executive vice president of Cyber-Ark Software, a privileged identity management firm. “Put a secure credential management system on the front end, and all of this goes away.”

Bosnian says that developers tend to reinvent the identity management wheel every time they spit out an app, essentially hard-coding password management into their middleware and storing passwords hari kari in unsecured databases that are difficult to centrally manage and secure.

This kind of decentralization can prove dangerous for organizations, says Leonid Shtilman, CEO of Viewfinity, another privileged identity management company.

“Those accounts are actually hidden from the IT manager’s standard tracked list of administrative accounts managed by Active Directory and can be used by malware to install malicious software on local computers through the ‘local’ administrator account,” Shtilman says. “Further penetration into the IT environment is then accessible by capturing passwords, including passwords for access to critical data. It is essential that IT security and operations managers have a method for mitigating this risk.”

According to Phil Lieberman, CEO of Lieberman Software, a privileged identity management company, the tools exist to address this problem. The real issue is making anyone care enough to deploy them.

“Web applications use a stack of middleware that contains sensitive credentials as well as database credentials that are generally not proactively managed. This situation is a result of both a lack of resources and skill to manage the password change process,” says Lieberman, who explains his firm has been refining technology to automate credentials in middleware stacks for the better part of a decade. “IT admins and database administrators neither get rewarded nor penalized for the poor management of credentials, and senior management frequently has no idea what middleware is, and even fewer understand what connection strings are, as well as how they contain credentials and how these need to be managed.”

Even when an organization buys into a platform, they still may see passwords scattered with the winds if the developers aren’t on board. It’s a problem that Bosnian’s customers see even after they’ve deployed, as the developers for every department have to be retrained to use the identity management platform their business has already paid for.

“The app development teams keep putting hard-coded credentials in the system because the two sides haven’t connected yet,” he says. “They have to create a mandate from the top to say, ‘Thou shalt use the tool we already have to make sure this stuff doesn’t happen.’”

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21392
PUBLISHED: 2021-04-12
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 requests to user provided domains were not restricted to external IP addresses when transitional IPv6 addre...
CVE-2021-21393
PUBLISHED: 2021-04-12
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identif...
CVE-2021-29429
PUBLISHED: 2021-04-12
In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through TextResourceFactory are downloaded in...
CVE-2021-21394
PUBLISHED: 2021-04-12
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identif...
CVE-2021-22497
PUBLISHED: 2021-04-12
Advanced Authentication versions prior to 6.3 SP4 have a potential broken authentication due to improper session management issue.