Password Cracking:

Passwords are the most common method of authentication used to control access to digital resources. They are also the easiest way for an intruder to gain unauthorized access to those resources. Armed with password cracking software, an intruder can recover a password that is a dictionary word, or a simple variation of one, in a matter of seconds. When you consider how much information is protected solely by passwords, it quickly becomes clear that good passwords are vital to preserving confidentiality.

Passwords must be protected against unauthorized disclosure, modification, & removal.

There are three different types of attacks against passwords: guessing, cracking, and disclosure via social engineering.

Password Guessing:
Password guessing is just what the name suggests. It requires a valid user ID. Either manually or with software, the attacker submits the passwords a particular user is most likely to have chosen. For example, if the user's account name is Kris, the attacker (or the software) might try Kringle, then Kringle1, and so on. The attempts continue until one succeeds or the account is locked out. Because every guess goes through the live login, this attack is comparatively slow, and account lockout or rate limiting after a few failed attempts blunts it; a long, unpredictable password defeats it outright.

Password Cracking:
Password cracking is done offline, using a copy of the system file (or database) that stores account passwords. All current operating systems avoid storing the clear text password: they run it through a one-way hash function and store only the resulting hash. A hash is not encryption; there is no key and nothing to decrypt. Unfortunately, hashing is no guarantee of protection, as we will see. Hashes can be cracked: the attacker hashes candidate passwords and looks for one whose hash matches.

There are three types of crack attacks:

    • Dictionary attacks
    • Brute force attacks
    • Hybrid attacks

Dictionary attacks: If dictionary words are allowed as passwords, they can be readily broken, even when hashed. That's because software exists that lets the intruder take an entire dictionary's worth of words, run each one through the same hash function the system uses, and compare the results with the hashes in the stolen password file. When a result matches a stored hash, the cracker already knows which word produced it, so the password is recovered without ever reversing the hash. Simply put, dictionary words offer no protection at all as passwords. If you are thinking of using foreign words, forget it. Even Klingon dictionaries have been compiled into wordlists for password crackers running dictionary attacks.

Brute force attacks: A brute force attack tries every possible combination of letters, numbers, and punctuation, at every length. Given enough time, a brute force attack will always succeed in cracking a password hash. However, depending on the length of the password, the size of the character set, the cost of the hashing formula, and the speed of the attacker's hardware, it could take many years to crack some passwords. Most criminals want quick results.

Hybrid attacks: Hybrid attacks build on dictionary attacks by adding or substituting other characters or numbers for certain letters in dictionary words. Many people perform a simple substitution, or prepend or append a character to a dictionary word to create a password (e.g., J0hn123). These passwords can be cracked fairly quickly with software designed to make the same types of substitutions. 
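The three crack attacks described above, as an added example (this is not code from the original page or from UAlbany ITS): a constructed password file of salted SHA-256 hashes, a constructed five-word list standing in for a dictionary, and one function for each attack. SHA-256 with a short salt is an assumption chosen so the example runs in about a second; real systems should use a deliberately slow hash such as bcrypt or Argon2, which changes the numbers but not the method. Note that a match is recognized because the cracker knows which candidate it just hashed; nothing is reversed or decrypted.

```python
import hashlib
import itertools
import string


def sha256_hex(salt: str, password: str) -> str:
    """Simplified password hash: SHA-256 over salt + password. This is an
    assumption for the example; production systems use a slow, salted hash."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed sample "password file": username -> (salt, hash). All values are made up.
SAMPLE_USERS = {
    "kris":  ("a1", sha256_hex("a1", "kringle")),    # plain dictionary word
    "john":  ("b2", sha256_hex("b2", "J0hn123")),    # mangled dictionary word
    "alice": ("c3", sha256_hex("c3", "xq7!Lm2#")),   # random, in no wordlist
}

# Constructed five-word list standing in for a full dictionary.
WORDLIST = ["password", "kringle", "john", "winter", "albany"]

LEET = str.maketrans({"o": "0", "a": "@", "e": "3", "i": "1", "s": "$"})
SUFFIXES = ("1", "123", "!", "2024")


def hybrid_candidates(word: str) -> list:
    """Mangling rules a hybrid attack applies to one dictionary word:
    case changes, leet substitution, and a digit/symbol prefix or suffix."""
    out = []
    for base in (word, word.capitalize(), word.upper()):
        for variant in (base, base.translate(LEET)):
            out.append(variant)
            for s in SUFFIXES:
                out.append(variant + s)
                out.append(s + variant)
    return list(dict.fromkeys(out))   # dedupe, keep order


def crack(users: dict, wordlist: list, mode: str = "dictionary") -> dict:
    """Dictionary (mode='dictionary') or hybrid (mode='hybrid') attack against
    every user in the file. Returns {user: (recovered_password, hashes_computed)}.
    A hit is recognized because we know which candidate we just hashed."""
    found = {}
    for user, (salt, target) in users.items():
        attempts = 0
        for word in wordlist:
            candidates = [word] if mode == "dictionary" else hybrid_candidates(word)
            for cand in candidates:
                attempts += 1
                if sha256_hex(salt, cand) == target:
                    found[user] = (cand, attempts)
                    break
            if user in found:
                break
    return found


def brute_force(salt: str, target: str, charset: str, max_len: int):
    """Exhaustive search of every string over `charset` up to `max_len`.
    Always succeeds if the password lies within the search space; otherwise
    returns (None, number_of_hashes_computed)."""
    attempts = 0
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            attempts += 1
            cand = "".join(combo)
            if sha256_hex(salt, cand) == target:
                return cand, attempts
    return None, attempts


def brute_force_seconds(length: int, charset_size: int, hashes_per_second: float) -> float:
    """Worst-case time to exhaust all passwords of exactly `length` characters."""
    return charset_size ** length / hashes_per_second


if __name__ == "__main__":
    for mode in ("dictionary", "hybrid"):
        print(mode, crack(SAMPLE_USERS, WORDLIST, mode))
    alnum = string.ascii_lowercase + string.digits
    print("brute force:", brute_force("d4", sha256_hex("d4", "zq9"), alnum, 3))
    for n in (8, 12):
        days = brute_force_seconds(n, 95, 1e10) / 86400
        print(f"{n} printable-ASCII chars at 1e10 hashes/s: {days:,.0f} days worst case")
```

The dictionary pass recovers only kris's password; the hybrid pass also recovers john's "J0hn123" from the base word "john" through the capitalize, o-to-0 and append-123 rules, while alice's random password survives both. The brute-force search over 36 lowercase-plus-digit characters exhausts a 3-character space in 47,988 hashes, and the keyspace estimate shows why length matters: at an assumed ten billion hashes per second, eight printable-ASCII characters fall in about a week in the worst case, twelve take on the order of a million years.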

Social Engineering Attacks:
Most of us will surrender our passwords under certain circumstances. For example, someone posing as a Help Desk employee could request your password, ostensibly to correct a problem with your account. Phishing email is designed to harvest valid user account names and passwords. Many times friends will ask you for a password so they can use your computer. Don't give it to them. Instead, log in for them, or, if you do provide it, change your password immediately afterwards. It's good practice to periodically change passwords, as well as to use a different password for each account. And, of course, your passwords should always be at least 8 characters (longer is better) and contain a mix of numbers, special characters, and upper and lower case letters.

Additional Information:

For more tips on making passwords, please see Good Passwords.

Reset your UAlbany Password.
