Password Attacks


Some Background.  Restrictions are placed on access for almost all networks and computers.  These are usually done through a few methods
  • username used to obscure the real identity of the person accessing the resource
    • often an email address is used
    • sometimes a completely new username is assigned or made up
  • password is almost always required
  • biometrics are seldom used but can be very helpful
    • fingerprints\
    • voice identification
    • retinal scans

In this webpage we will focus on passwords and their vulnerabilities.  There are three main types of attacks on passwords that we will cover.

  • bio based attacks
  • dictionary attacks
  • brute force

We will also talk about some ways to deter the effectiveness of these sorts of attacks.

Bio Based Attacks.  People often use biographical/personal information to identify themselves and/or create their passwords.

We aren't going to get into much depth about usernames, but these are usually based on the actual name of the user and/or email addresses are quite well known.  But these sorts of things help increase the importance of creating passwords that are tougher to determine for attackers.

Some of the classic things people use as passwords are

  • birthdays
  • friends and relatives names
  • parent's names
  • children's names
  • social security or other ID numbers
  • pet names
  • favorites

But all of these things can be relatively easy to guess for someone that gets to know much about the person whose accounts they are trying to attack.  So while these sorts of passwords are generally easier for a user to remember, they are also somewhat easily figured out by attackers.

Some Bad Password Choices.  People often use passwords that are way too obvious.  The following ever expanding list gives some illustrations.

  • secret
  • password
  • admin

Dictionary Attacks.  People often use words or combinations of words that can be found in a dictionary.  While there are a lot of words in human speech and in any particular language, they can be relatively easy to search through.  They can be even easier to determine the more they can be connected with the user.

These are generally not as easily guessed by an attacker as bio info.  But think about how fast a spell and grammar checker operates on what you have written.  This should give you some sense of how quickly an adept attacker can go through a dictionary even to form contrived compound words.

Brute Force Attacks.  While brute force attacks rely on testing every possible combination of letters, numbers and characters that can be used in a password, they still might prove effective.

Think of how many fewer combinations will need to be tried if the attacker can somehow determine the number of characters used in a password.  Almost all passwords fall between four and sixteen characters.  Obviously, it is easier to use brute force on shorter passwords.  At the same time, it is my experience that many sites limit the number and types of characters that can be used in a password which actually helps attackers at least somewhat.

Deterrence.  There are a number of things that users can do to make their passwords less attackable.

  • do not use dictionary words or words built from dictionary words
  • do not use biographical or personal information
  • make passwords longer
  • use a variety of numbers, special characters and upper and lower case letters
  • use secure shells or some other sorts of encrypted communications whenever reasonable

There are a number of things that administrators can do to make passwords less attackable

  • make sure that access to a particular account is automatically turned off after a particular number of failed attempts to login
    • notify users when this occurs and require some interactions to get things reactivated
  • store passwords in forms that cannot be read by anyone who gains access to the database
    • hashing should be used - for example
      • SHA-1 = Secure Hash Algorithm
      • MD5 = Message Digest
    • make sure the hashing algorithm obscures both the characters used and the number of characters used
    • passwords entered by users should be hashed in order to be compared to stored values that have been previously hashed

More will be added.