Spiga

All About Passwords (cracking, countermeasures)

Password hacking is one of the easiest and most common ways hackers
obtain unauthorized computer or network access. Although strong passwords
that are difficult to crack (or guess) are easy to create and maintain,
users often neglect this. Therefore, passwords are one of the weakest links in
the information-security chain. Passwords rely on secrecy. After a password
is compromised, its original owner isn’t the only person who can access the
system with it. That’s when bad things start happening.

Hackers have many ways to obtain passwords. They can glean passwords
simply by asking for them or by looking over the shoulders of users as they
type them in. Hackers can also obtain passwords from local computers by
using password-cracking software. To obtain passwords from across a network,
hackers can use remote cracking utilities or network analyzers.

Password Vulnerabilities

Here are the two general classifications of password vulnerabilities:

Organizational or end-user vulnerabilities: This includes lack of password
awareness on the part of end users and the lack of password policies
that are enforced within the organization.

Technical vulnerabilities: This includes weak encryption methods and
insecure storage of passwords on computer systems.

Organizational password vulnerabilities


It’s human nature to want convenience. This makes passwords one of the easiest
barriers for an attacker to overcome. Almost 3 trillion (yes, trillion with a
t and 12 zeros) eight-character password combinations are possible by using
the 26 letters of the alphabet and the numerals 0 through 9. However, most
people prefer to create passwords that are easy to remember. Users like to
use such passwords as “password,” their login name, or a pet’s name.
Unless users are educated and reminded about using strong passwords, their
passwords usually are:

Weak and easy to guess.

Seldom changed.

Reused for many security points. When bad guys crack a password, they
try to access other systems with the same password and user name.

Written down in nonsecure places. The more complex a password is, the
more difficult it is to crack. However, when users create more complex
passwords, they’re more likely to write them down. Hackers can find
these passwords and use them against you.


Technical password vulnerabilities

You can often find these serious technical vulnerabilities after exploiting
organizational password vulnerabilities:

Weak password-encryption schemes. Hackers can break weak password
storage mechanisms by using cracking methods that I outline in this
chapter. Many vendors and developers believe that passwords are safe
from hackers if they don’t publish the source code for their encryption
algorithms. Wrong! A persistent, patient hacker can usually crack this
security by obscurity fairly quickly. After the code is cracked, it is soon
distributed across the Internet and becomes public knowledge.
Password-cracking utilities take advantage of weak password encryption.
These utilities do the grunt work and can crack any password, given
enough time and computing power.

Software that stores passwords in memory and easily accessed databases.

End-user applications that display passwords on the screen while typing.
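
The weak password-storage scheme described above, shown next to a hardened one. This is an added example, not part of the original text; the function names, the choice of unsalted MD5 as the weak scheme and PBKDF2 as the hardened one, the iteration count and the sample accounts are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune it to your hardware


def weak_store(password):
    """Weak scheme: one pass of unsalted MD5. Fast to compute, and equal
    passwords always produce equal stored records."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def strong_store(password):
    """Hardened scheme: a random per-user salt plus a deliberately slow
    key-derivation function. The record carries its own parameters."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def strong_verify(password, record):
    """Recompute with the stored salt and count, then compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
        expected = bytes.fromhex(digest_hex)
    except ValueError:  # malformed record: wrong field count, bad hex, bad count
        return False
    return hmac.compare_digest(candidate, expected)


def shared_passwords(records):
    """Audit helper: group accounts whose stored records are identical.
    Under the weak scheme, anyone who can read the table sees password reuse."""
    groups = {}
    for user, record in records.items():
        groups.setdefault(record, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    # Constructed sample accounts, not real data.
    users = {"alice": "password", "bob": "password", "carol": "Tr0ub4dor&3"}
    weak = {u: weak_store(p) for u, p in users.items()}
    strong = {u: strong_store(p) for u, p in users.items()}
    print(shared_passwords(weak))    # [['alice', 'bob']]
    print(shared_passwords(strong))  # []
```

Running the same audit over your own credential table is a quick check: any group of identical records means the storage scheme is unsalted.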

The ICAT Metabase (an index of computer vulnerabilities) currently identifies
over 460 technical password vulnerabilities, 230 of which are labeled as
high-severity. You can search for some of these issues at
icat.nist.gov/icat.cfm to find out how vulnerable some of your systems are
from a technical perspective.
