To use a user account on a server or network, an attacker must first
have the user name and the password. Discovering user names is a fairly
straightforward process, described in the preceding section. To obtain the
password, attackers use password crackers. Some crackers work offline: they
retrieve the file of stored password hashes from the server and then hash
candidate passwords until one matches, because the stored values are one-way
hashes rather than reversible encryption, so there is nothing to "decrypt."
When a hacker cannot retrieve the password file, brute force crackers work
online instead, attempting to log in to the account over and over with a
different candidate password each time. Some cracking software draws its
candidates from dictionary files (usually with common variations such as
capitalization and appended digits), while others attempt every combination of
every character on the keyboard, a time-consuming ordeal whose cost grows
exponentially with the length of the password.
Commonly used password crackers include the following:
A good password system locks the account, or slows further attempts, after
a limited number of failed tries, which thwarts the online form of this attack.
Two caveats apply. Lockout does nothing against offline cracking of a stolen
hash file, which is why the file must be protected and the hashes computed with
a slow, salted function; and an aggressive lockout policy can be turned into a
denial of service against legitimate users by deliberately failing their logins.
A successful hacker has the same access to resources as the user whose account
was compromised.
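As an added example (not code from the original text), the following Python script carries out the offline attack described above against a constructed, hypothetical set of salted SHA-256 password hashes. It generates candidates from a small word list with simple mangling rules and compares hashes rather than "decrypting" anything. The account names, salts, passwords and word list are invented for the demonstration; a real attacker would start from a copied password file and a far larger dictionary. Note that an account lockout would not slow this down at all, since no login attempts are made.

```python
import hashlib

# Constructed word list, standing in for a real dictionary file.
SAMPLE_WORDLIST = ["password", "panda", "letmein", "summer", "dragon"]


def hash_password(salt: str, password: str) -> str:
    """Stored-hash scheme assumed for the demo: salted, but a fast hash.
    A fast hash is exactly what makes offline cracking cheap; real systems
    should use a deliberately slow function (bcrypt, scrypt, Argon2)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_sample_shadow() -> dict:
    """Constructed stand-in for a stolen password file (hypothetical users).
    The plaintexts are hashed here only so the example is self-contained."""
    return {
        "alice": ("x9f2", hash_password("x9f2", "password1")),
        "bob":   ("k07q", hash_password("k07q", "Panda!")),
        "carol": ("m3z8", hash_password("m3z8", "23!!pandA")),
    }


def candidates(wordlist):
    """Yield guesses from each dictionary word using simple mangling rules:
    three case variants, a few common suffixes, and two trailing digits."""
    for word in wordlist:
        for base in (word, word.capitalize(), word.upper()):
            yield base
            for suffix in ("!", "1", "123", "2024"):
                yield base + suffix
            for n in range(100):
                yield f"{base}{n}"


def crack(shadow, wordlist):
    """Offline dictionary attack: hash every candidate with each account's
    salt and compare against the stored digest. Returns the cracked
    passwords and the number of candidates tried."""
    cracked = {}
    tried = 0
    for guess in candidates(wordlist):
        tried += 1
        for user, (salt, digest) in shadow.items():
            if user not in cracked and hash_password(salt, guess) == digest:
                cracked[user] = guess
        if len(cracked) == len(shadow):
            break  # nothing left to crack
    return cracked, tried


if __name__ == "__main__":
    found, n = crack(make_sample_shadow(), SAMPLE_WORDLIST)
    print(f"tried {n} candidates, cracked: {found}")
```

The two accounts whose passwords are a dictionary word plus a predictable variation fall within a few hundred hashes; the one built from a word embedded in other characters survives this rule set, which is the practical difference between a guessable and a strong password.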
General password security lapses can also put a password in the hands
of an intruder. This can be something as simple as a password written on a desk
pad, an appointment calendar, or an address book, or as involved as gaining
access to a person's home or laptop computer where the logon password is
remembered by the operating system. More than one company's security has been
compromised by a child accessing the system from home or a friend's house using
a password appropriated from a parent.
One-time password (OTP) systems and cryptographic authentication can
almost eliminate the threat of password attacks. OTPs combine "something you
have," such as a hardware token or token-generator software on your computer or
phone, with "something you know," such as a PIN. The token combines the PIN (or
a secret shared with the server) with a counter or the current time to generate
what appears to be a unique password. Once a code has been used, the server
does not accept it again, so an intruder who captures it with a sniffer cannot
replay it. The protection is specifically against replay: a code that is
captured and relayed to the real server within its short validity window still
works, so OTPs narrow the risk from real-time phishing without closing it.
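The counter-based token described above, as an added example that is not part of the original text: the code below implements HOTP (RFC 4226) and its time-based variant TOTP (RFC 6238) in standard-library Python, plus the server-side check that makes a sniffed code useless. The PIN-plus-token scheme in the text is modelled here as a token with a shared secret; a PIN would be verified separately. The secret is the published RFC test secret, used only so the values can be checked against the RFCs' own test vectors; the verifier class and its look-ahead window are this example's own design.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Test secret from RFC 4226 / RFC 6238, not a key anyone should deploy.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-digit decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time,
    so the code changes every `step` seconds."""
    if now is None:
        now = int(time.time())
    return hotp(secret, now // step, digits)


class CounterTokenVerifier:
    """Server side of a counter-based token (example design). A code is
    accepted only if it corresponds to a counter strictly after the last
    accepted one, within a small look-ahead window for codes generated but
    never submitted; the counter then advances, so a code that a sniffer
    captured cannot be replayed."""

    def __init__(self, secret: bytes, window: int = 3):
        self.secret = secret
        self.window = window
        self.last_counter = -1  # no code accepted yet

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for c in range(start, start + self.window):
            # constant-time compare avoids leaking how many digits matched
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    v = CounterTokenVerifier(DEMO_SECRET)
    first = hotp(DEMO_SECRET, 0)
    print("first use:", v.verify(first))   # accepted
    print("replay:   ", v.verify(first))   # rejected, counter has moved on
    print("current TOTP:", totp(DEMO_SECRET))
```

The look-ahead window is the usual trade-off: too small and a user who pressed the token button without logging in is locked out, too large and an attacker gets more valid codes to guess at. Time-based tokens face the same choice expressed in clock-skew steps.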
If standard passwords must be used, strong passwords (those that would
be difficult to guess) can help. Strong passwords should be at least eight
characters long, and longer is better, since every added character multiplies
the work of an exhaustive search; they should contain both uppercase and
lowercase letters, numbers, and special characters (such as 23!!pandA); and
they should not be a dictionary word with a predictable variation such as a
capital letter or a trailing digit, because dictionary crackers try those
first. While randomly generated passwords might be the strongest, they are hard
to remember and often lead users to write them down.