Weak Password Attacks


A password is a secret word or, more technically, a string of characters used to authenticate, to gain access to resources, or to prove identity. It must be kept secret from anyone who is not allowed to access those resources. In most cases a password is used together with a username.

Passwords have been used with computers since the earliest days of computing. One of the first time-sharing systems, introduced in 1961, had a LOGIN command that requested a user password. After the user typed "PASSWORD", the system turned off the printing mechanism, if possible, so that the user could type in his password with privacy.

The strength of a password is a function of its length, complexity, and unpredictability; it measures how well the password resists being guessed.
Weak passwords shorten the time needed to guess them and thereby to gain access to personal or corporate e-mail and to sensitive data such as financial information, credit card numbers, and business information.

Examples of weak passwords:

  • Dictionary words: sky, grass, hummer, etc.
  • Doubled words: skysky, grassgrass, etc.
  • The unchanged default password of a device
  • Words with simple obfuscation: p@ssword, password1
  • Well-known sequences: 123456, qwerty123, 123password

There are many other ways in which a password can be weak, each corresponding to the strength of a particular attack scheme.
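The weak-password patterns listed above can be checked mechanically before a password is accepted. The following checker is an added example, not code from the original post or its sources; the dictionary, default-password and sequence lists are constructed stand-ins for the full wordlists a real deployment would load from disk, and the leet-speak substitution table is an assumption chosen to match the obfuscation examples above.

```python
import re

# Constructed sample wordlists; a real deployment would load full lists
# (a dictionary file, vendor default credentials, a breached-password list) from disk.
DICTIONARY = {"sky", "grass", "hummer", "password", "welcome", "letmein"}
DEFAULT_PASSWORDS = {"admin", "1234", "default", "changeme"}
COMMON_SEQUENCES = ("123456", "12345678", "qwerty", "abc123", "111111")

# Assumed table of single-character substitutions used for "simple obfuscation".
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                          "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Undo simple obfuscation so 'P@ssw0rd1' and '123password' both become 'password'."""
    base = password.lower()
    # Strip leading/trailing digits and punctuation first, then undo leet substitutions,
    # so that a trailing '1' is treated as padding rather than as an 'i'.
    base = re.sub(r"^[\d!?.]+|[\d!?.]+$", "", base)
    return base.translate(LEET_MAP)


def weak_password_reasons(password: str) -> list:
    """Return the weak-password patterns a candidate matches (an empty list means none found)."""
    reasons = []
    lower = password.lower()
    norm = normalize(password)

    if len(password) < 8:
        reasons.append("too short")
    if lower in DEFAULT_PASSWORDS:
        reasons.append("default password")
    if lower in DICTIONARY:
        reasons.append("dictionary word")
    elif norm in DICTIONARY:
        reasons.append("dictionary word (obfuscated)")
    # Doubled words: the two halves of the string are identical.
    half = len(lower) // 2
    if half > 0 and len(lower) % 2 == 0 and lower[:half] == lower[half:]:
        reasons.append("repeated string")
    if any(seq in lower for seq in COMMON_SEQUENCES):
        reasons.append("well-known sequence")
    return reasons


if __name__ == "__main__":
    for candidate in ["sky", "skysky", "p@ssword", "password1",
                      "qwerty123", "123password", "admin", "Tr0ub4dor&3"]:
        found = weak_password_reasons(candidate)
        print(f"{candidate!r}: {found or 'no weak pattern found'}")
```

The normalisation step is what catches the obfuscated variants: without it, "p@ssword" and "password1" would pass a plain dictionary lookup even though they add almost nothing to the guessing effort.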

Attacks against passwords are classified according to the way they are carried out.

Passive online attack

In a passive online attack the attacker does not contact the authorizing party to steal the password; in other words, he attempts to obtain the password without communicating with the victim or the victim's account. Types of passive online attacks are:

  • Wire sniffing
  • Man in the middle

Active online attack

This type of attack is also termed password guessing. The attacker tries a number of passwords one by one, using either a manual or an automated approach against the victim, to guess his or her password. Password guessing is not always difficult, because practice shows that most people use common, simple words as passwords.
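Because an active online attack has to talk to the victim's login service, it leaves a trail in the authentication log, and that is where defenders detect it: a burst of failed logins from one source, often across several usernames, sometimes followed by a success. The detector below is an added example, not from the original post or its sources. The sshd-style log lines and the TEST-NET addresses in them are constructed; the five-failures-in-two-minutes threshold is an assumption to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (sshd style); not captured from any real system.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[101]: Failed password for alice from 203.0.113.5 port 40001 ssh2
2024-03-01T10:00:03 sshd[102]: Failed password for alice from 203.0.113.5 port 40002 ssh2
2024-03-01T10:00:05 sshd[103]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
2024-03-01T10:00:07 sshd[104]: Failed password for root from 203.0.113.5 port 40004 ssh2
2024-03-01T10:00:09 sshd[105]: Failed password for bob from 203.0.113.5 port 40005 ssh2
2024-03-01T10:00:11 sshd[106]: Accepted password for bob from 203.0.113.5 port 40006 ssh2
2024-03-01T10:05:00 sshd[107]: Failed password for carol from 198.51.100.7 port 50001 ssh2
2024-03-01T10:05:20 sshd[108]: Accepted password for carol from 198.51.100.7 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_events(text: str) -> list:
    """Turn log lines into event dicts; lines that do not match the pattern are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "Accepted",
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_guessing(events: list, threshold: int = 5,
                    window: timedelta = timedelta(minutes=2)) -> list:
    """Flag each source with >= threshold failures inside a sliding time window.

    The alert records which usernames were tried and whether a successful login
    from the same source followed the burst, which is the case to escalate first.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if not e["ok"]]
        for i in range(len(failures)):
            j = i + threshold - 1
            if j < len(failures) and failures[j]["ts"] - failures[i]["ts"] <= window:
                burst_end = failures[j]["ts"]
                success_after = any(e["ok"] and e["ts"] >= burst_end for e in evs)
                alerts.append({
                    "src": src,
                    "failures": len(failures),
                    "users": sorted({e["user"] for e in failures}),
                    "success_after_burst": success_after,
                })
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_guessing(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample, 203.0.113.5 produces five failures in eight seconds across four accounts and then an accepted login for bob, so it is flagged with `success_after_burst` set; 198.51.100.7 has a single typo-style failure before a success and stays below the threshold.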

Offline attack

Offline password attacks are performed from a location other than the computer where the password resides or was used. An offline attack requires access to the computer that stores the password file: the attacker copies the password file and then tries to break the passwords on his own system. The following types of offline attack are used:

  • Brute force attack
  • Dictionary attack

Non-technical attacks

These attacks do not require any technical knowledge and include the following approaches:

  • Shoulder surfing
  • Keyboard sniffing
  • Social engineering



The most important rule for avoiding weak passwords in an organization is to implement password policies and to follow them strictly, without exceptions.

Password policies include:

  • Minimum password length: at least 8 characters.
  • Passwords must include special characters, lower- and upper-case letters, and numbers.
  • A number of wrong attempts after which the account is locked for a reasonable time.
  • Changing passwords after a defined period.
  • A history of previously used passwords.
  • Using strong encryption algorithms.
  • Educating staff members about these attacks.
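The technical items in this list can be enforced in code at the point where a password is set or checked. The account model below is an added example, not code from the original post or its sources. It implements the 8-character minimum, the four character classes, lockout after repeated failures, password ageing, a reuse history, and salted PBKDF2-HMAC-SHA256 storage in place of "strong encryption"; every concrete number except the length minimum (five attempts, 15-minute lockout, 90-day age, five-entry history, the PBKDF2 work factor) is an assumption for the organization to set.

```python
import hashlib
import hmac
import os
import re
import time

# Policy parameters; only MIN_LENGTH comes from the list above, the rest are assumed defaults.
MIN_LENGTH = 8
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
MAX_PASSWORD_AGE_SECONDS = 90 * 24 * 3600
HISTORY_SIZE = 5
PBKDF2_ITERATIONS = 210_000  # assumed work factor; raise it as hardware allows


def check_complexity(password: str) -> list:
    """Return the policy rules a candidate violates (an empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; the stored record never contains the plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class Account:
    """Minimal account record enforcing complexity, lockout, reuse history and ageing."""

    def __init__(self, username: str, password: str, now=time.time):
        self.username = username
        self.now = now                  # injectable clock so lockout and ageing are testable
        self.failed_attempts = 0
        self.locked_until = 0.0
        self.history = []               # (salt, digest) pairs of recent passwords, never plaintext
        self.salt = self.digest = None
        self.password_set_at = 0.0
        self.set_password(password)

    def set_password(self, new_password: str) -> None:
        problems = check_complexity(new_password)
        if problems:
            raise ValueError("policy violation: " + "; ".join(problems))
        if any(verify_password(new_password, s, d) for s, d in self.history):
            raise ValueError("policy violation: password was used recently")
        self.salt, self.digest = hash_password(new_password)
        self.history = (self.history + [(self.salt, self.digest)])[-HISTORY_SIZE:]
        self.password_set_at = self.now()

    def is_locked(self) -> bool:
        return self.now() < self.locked_until

    def password_expired(self) -> bool:
        return self.now() - self.password_set_at > MAX_PASSWORD_AGE_SECONDS

    def login(self, password: str) -> bool:
        if self.is_locked():
            return False                # reject without even checking the password
        if verify_password(password, self.salt, self.digest):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked_until = self.now() + LOCKOUT_SECONDS
            self.failed_attempts = 0
        return False


if __name__ == "__main__":
    acct = Account("alice", "Correct-Horse-7")
    print("valid login:", acct.login("Correct-Horse-7"))
    for _ in range(MAX_FAILED_ATTEMPTS):
        acct.login("guess")
    print("locked after repeated failures:", acct.is_locked())
    print("complexity problems for 'password':", check_complexity("password"))
```

The lockout check runs before the hash is computed, so a locked account costs the server nothing per attempt, and the reuse history stores only salted digests, so the history file is no more sensitive than the current credential record.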

Source: telelink.com, google.com
