Evaluation of Passwords
Document Management Increases the Need for
Chlotia P. Garrison
MAY 2008 - Electronic
data storage, although convenient, increases the opportunity for
unauthorized persons to improperly access data. Accountants often
have access to personal information that, if compromised, could
make clients and employees susceptible to identity theft, potentially
damaging their reputation and leading to legal liability.
to the Privacy Rights Clearinghouse
more than 220 million data breaches of personal information occurred
between January 10, 2005, and March 24, 2008, nearly 160 million
of which involved hacking. These breaches occurred at a variety
of organizations, from schools and financial institutions to government
agencies and even the AICPA.
management systems have some form of password security, but weak
passwords increase the probability that a hacker can gain access
to a system. The best defense is to have a strong password that
cannot be easily hacked. Many individuals are unaware of how easy
it would be for security to be compromised by a password that
a hacker could crack in a relatively short period of time.
At a CPA
continuing education technology conference, the session leader
asked the attendees of a computer security session to write down
their passwords to determine their vulnerability. Only one participant
questioned the validity of providing the password, and everyone
shared their password with someone they had never seen before.
It is a basic security measure that passwords should not be shared.
The ease with which participants revealed their passwords may
be surprising, but multiple surveys have shown that this is a
common occurrence. Biometric technology is not mature enough to
replace passwords, and many companies are unable or unwilling
to spend the money needed for automatic password systems. The
burden, therefore, often falls on the user to select strong passwords
and keep them confidential.
of the passwords received from the computer security session revealed
- Of the
35 participants, four, or 11%, had passwords with less than
participants had passwords with eight or more characters; 8.5
characters was the average password length.
- The minimum
password length was four; the maximum was 16.
1 identifies the number of participants with passwords containing
upper- and lower-case letters, symbols, numbers, or a dictionary
“breaker,” or “recovery” software is readily
available to hackers, allowing them to test thousands or even
millions of passwords per second. Some software uses only the
brute-force method, which tests every combination of letters,
numbers, and symbols. Most password-cracking software works faster
by supplementing this capability, for example with a dictionary
cracker that tests passwords against known words in various languages.
Additional software features may uncover cached passwords, analyze
routing protocols, try sequences of adjacent keys on a keyboard,
test common passwords, or use network sniffers or encryption key
the 35 passwords obtained at the CPA technology conference reveals
a need to enforce strong-password policies. Almost half (48.6%)
could be cracked in less than one week. Another 20% could be cracked
in one to four months. Only 31% of participants had passwords
that would take several years to crack using the brute- force
method. Using multiple computers and supplemental methods would
shorten the time. Exhibit
2 presents the length of time to crack the passwords in six
categories, ranging from one minute to greater than nine years.
3 shows the effects of various password characteristics on
brute-force cracking time.
passwords to be a minimum of eight characters. Passwords
of less than eight characters can easily be cracked using the
slowest brute-force method. Even with a combination of upper-
and lower-case letters, numbers, and symbols, the longest time
to crack a six-character password is roughly five hours.
not use dictionary words, acronyms, or common permutations in
any language. Dictionaries can be downloaded for
free in multiple languages, and enhanced wordlists created specifically
for use with cracking software are also available.
passwords to contain upper- and lower-case letters, numbers, and
symbols. A potential hacker would likely give up
before a password of sufficient length containing these characteristics
is cracked. Capital letters, numbers, and symbols should not just
be used at the beginning or end of a password because the software
recognizes this as a common pattern, which shortens the cracking
not use personal information. Cracking software
will try permutations of usernames. It is also easy to obtain
personal information such as a user’s address, birthdate,
or names of family members.
the number of times a person can incorrectly enter a password.
Limiting the number of authentication attempts that
can be performed in a certain timeframe prevents password-cracking
software from trying thousands of passwords per second. Systems
commonly accept three failed attempts before locking a user out
of the system.
document access. Like paper documents stored in
locking cabinets, electronic files should be restricted to allow
access only to authorized users. Sensitive information should
be compartmentalized so a person can access only the information
P. Garrison, PhD, is an assistant professor of computer
science, specializing in software engineering, at Winthrop University,
Rock Hill, S.C.