Password is a secret word or more technically defined a string of characters used to authenticate, gain access to resources or prove identity. It must be kept in secret from others who are not allowed to access those resources. In most cases passwords are used in common with usernames.
Passwords have been used with computers since the earliest days of computing. One of the first time sharing systems, was introduced in 1961. It had a LOGIN command that requested a user password. After typing “PASSWORD”, the system turns off the printing mechanism, if possible, so that the user may type in his password with privacy.
The strength of a password is a function of length, complexity, and unpredictability. It measures the effectiveness in resisting guessing it.
Weak passwords shorten the time necessary to guess it and gain access to personal/corporate e-mails, sensitive data like financial info, credit cards, business info etc.
Examples of weak passwords:
- Dictionary words: sky, grass, hummer etc.
- Double words: skysky, grassgrass etc.
- Unchanged default password of a device
- Words with simple obfuscation : p@ssword, password1
- Well known sequence: 123456, qwerty123, 123password
There are many other ways a password can be weak corresponding to the strengths of various attack schemes.
Attacks against passwords are classified according to the way they are implemented.
Passive online attack
In passive online attacks an attacker don’t contact with authorizing party for stealing password, in other words he attempts password hacking but without communicating with victim or victim account. Types of passive online attacks are:
- Wire sniffing
- Man in the middle
Active online attack
This type of attack is termed as password guessing. An attacker tries number of passwords one by one using either a manual or automated approach against victim to guess his/her password. Password guessing isn’t always as difficult because practice shows that most people uses common simple words as passwords.
Offline password attacks are performed from a location other than the actual computer where the password reside or were used. Offline attacks requires access to the computer which stores password file, the attacker copies the password file and then tries to break passwords in his own system. The following types of offline attack are used:
- Brute force attack
- Dictionary attack
These attacks does not require any technical knowledge and includes the following approaches:
- Shoulder surfing
- Keyboard sniffing
- Social engineering
Most important rule to avoid weak passwords in organizations is implementing password policies and strictly following them without exceptions.
Password polices include:
- Minimum length of password characters – at least 8.
- Password must include special character, lower and upped cases, numbers.
- Number of wrong attempts after which the account is locked for a reasonable time.
- Changing passwords over defined time.
- History of used passwords.
- Using strong encrypting algorithms.
- Educate staff members regarding these attack.
Source: telelink.com, google.com