Passwords

Passwords are the primary mechanism by which a user authenticates and protects a valuable resource from unauthorized access, so it is important to choose a strong password. Based on the characters that users choose for their passwords, passwords are classified into three types:

- Strong password
- Fair password
- Weak password

Strong Password: Strength depends on how the password is built. A password is considered strong only if it satisfies all of the following constraints:

- A strong password should have more than 6 characters; 8 is typical.
- A strong password should contain letters, numbers and special characters.
- A strong password should not be a default password.
- A strong password should not be your name, your dad's name, your mom's name, your pet's name, your boyfriend's or girlfriend's name, your phone number, your date of birth, your vehicle number or your nickname, and it should not be the same as your username.
- A strong password should not be a dictionary word.
- Never use the same password for other accounts.
- Never store or write down your password anywhere.
- Never share your password with anyone.
- Change your password at least once a week.

You should use a password of at least 6 characters that contains letters, numbers and special characters, and above all do not use default passwords or dictionary words as your password. Here are a few of the default passwords that are widely used:

Default password list
ABCDEF abc123 654321 qwerty NULL Administrator ADMINISTRATOR 123123 143143 420420
admin ADMIN Admin pass Pass password Password PASSWORD 123456 abcdef
test lab username backup mypass Sample default computer access permit

Here is a simple example of how to choose a strong password:

Password       Meaning (how to remember)
Cyb3rP4$$      CyberPass (Internet password)
3m41lpa55      emailpass (E-mail password)
B4nk1ngP4$5    bankingpass (Banking password)

Each of the passwords given above contains more than 6 characters, contains letters, numbers and special characters, is not a dictionary word, and is easy to remember, yet it makes it harder for an attacker to obtain your password as long as the password satisfies all the constraints stated above. Even strong passwords are vulnerable to some attacks, depending on the technique the attacker uses to compromise password authentication; password threats are covered later. If you want to make your password stronger still, you can use the 'pass phrasing' technique to make it more complex.

Pass phrasing: Pass phrasing is a technique where you use the first letter of each word of a phrase as your password.

Example: Here is a clear example of pass phrasing. This is the phrase I want to use for my Yahoo e-mail password: "My Password for yahoo E-Mail account"

To make the pass-phrased password more complex, you can include some numbers and special characters. In the above example, instead of 'for' I used the number 4 (for - 4), and instead of 'E' I used 3 (E - 3), which looks similar and is also easy to remember. These are the ways you can construct a strong password.

Fair Password: Fair passwords are passwords that are easy to compromise; they too are classified according to their strength.

- A fair password is mostly a dictionary word, which is easy to guess.
- A fair password will in some cases match the default password list.
- A fair password is usually no more than 8 characters.
- A fair password is sometimes your name, your dad's name, your mom's name, your pet's name, your boyfriend's or girlfriend's name, your phone number, your date of birth, your vehicle number or your nickname, or the same as your username.

Fair passwords are vulnerable to password guessing attacks, since they mostly use dictionary words.

Examples: Nature, Password, Myaccount, Sam123, 20sep1988

Weak Password: Weak passwords are very easy to compromise and often match the default password list.

- A weak password will often match the default password list.
- It will mostly be a dictionary word.
- It will sometimes be the same as the username.

Examples: 123456, Abcdef, Qwerty, Password, Abc123
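As an added example that is not part of the original text, the following Python checker applies the strong/fair/weak rules above mechanically and also builds a password with the pass phrasing technique described earlier. The default-password and dictionary sets are constructed subsets for the demo, and the word and letter substitution rules are this example's own reading of the 'for - 4' and 'E - 3' idea.

```python
import re
import string

# Constructed subset of the document's default password list, lower-cased so
# that the comparison is case-insensitive (ADMIN, Admin and admin all match).
DEFAULT_PASSWORDS = {
    "abcdef", "abc123", "654321", "qwerty", "null", "administrator",
    "123123", "143143", "420420", "admin", "pass", "password", "123456",
    "test", "lab", "username", "backup", "mypass", "sample", "default",
    "computer", "access", "permit",
}

# Constructed stand-in for a dictionary; a real checker would load a full
# word list (for example /usr/share/dict/words) instead.
DICTIONARY_WORDS = {"nature", "account", "myaccount", "secret", "welcome"}

SPECIAL_CHARS = set(string.punctuation)


def passphrase_password(phrase, word_subs=None, letter_subs=None):
    """Apply the 'pass phrasing' technique: keep the first letter of each word
    of the phrase, replacing whole words via word_subs (e.g. {"for": "4"}) and
    initial letters via letter_subs (e.g. {"E": "3"}). Hyphenated words such as
    E-Mail count as two words (an assumption of this example)."""
    word_subs = word_subs or {}
    letter_subs = letter_subs or {}
    out = []
    for word in re.split(r"[\s-]+", phrase.strip()):
        if not word:
            continue
        if word.lower() in word_subs:
            out.append(word_subs[word.lower()])
        else:
            out.append(letter_subs.get(word[0], word[0]))
    return "".join(out)


def classify(password, username="", personal_info=()):
    """Classify a password as 'weak', 'fair' or 'strong' using the document's
    rules and return (verdict, list_of_reasons).

    weak   : matches the default password list or equals the username
    fair   : violates at least one strong-password constraint
    strong : passes every constraint
    """
    low = password.lower()
    if low in DEFAULT_PASSWORDS:
        return "weak", ["matches the default password list"]
    if username and low == username.lower():
        return "weak", ["same as the username"]

    reasons = []
    if low in DICTIONARY_WORDS:
        reasons.append("dictionary word")
    for item in personal_info:          # name, DOB, phone number, ...
        if item and item.lower() in low:
            reasons.append("contains personal information: %s" % item)
    if len(password) <= 6:
        reasons.append("6 characters or fewer")
    if not any(c.isalpha() for c in password):
        reasons.append("no letters")
    if not any(c.isdigit() for c in password):
        reasons.append("no digits")
    if not any(c in SPECIAL_CHARS for c in password):
        reasons.append("no special characters")
    return ("fair", reasons) if reasons else ("strong", [])


if __name__ == "__main__":
    # Constructed user profile for the personal-information check.
    profile = ["Sam", "20sep1988", "9876543210"]
    for pw in ["Cyb3rP4$$", "Nature", "Sam123", "qwerty", "MP4y3Ma"]:
        print(pw, classify(pw, username="sam", personal_info=profile))
    print(passphrase_password("My Password for yahoo E-Mail account",
                              word_subs={"for": "4"}, letter_subs={"E": "3"}))
```

The pass-phrased result "MP4y3Ma" is classified as fair by this checker because it has no special character, which illustrates why the text suggests adding special characters on top of the number substitutions.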

Password Threats: Since passwords are the primary authentication mechanism, there are a lot of techniques used to compromise them. The various password threats are given below:

- Shoulder surfing
- Password guessing attack
- Social engineering
- Phone phreaking
- Phishing
- Eavesdropping
- Dumpster diving
- Key logging
- Brute forcing
- Password cracking tools

Shoulder surfing is a technique of getting your password by watching you at the moment you type it. To avoid these simple attacks, check whether someone is watching your keyboard while you type your password, and type it a bit faster; whatever password you use, a strong password is always the recommended one.

Password guessing is an attack where the attacker tries to log in by guessing your password. The attacker will most probably try the victim's name, the victim's dad's name, mom's name, pet's name, boyfriend's or girlfriend's name, phone number, boyfriend's or girlfriend's phone number, date of birth, vehicle number, nickname and username, and also passwords that match the default password list. If the attacker succeeds in guessing the password from the above list, there is no need for him to go further to compromise password authentication; he can misuse the account or launch an attack from here. Otherwise he has to proceed with the rest of the techniques to compromise the password. If the victim uses any password that matches the above cases, he will be in trouble, which is why it is always recommended to use a strong password.

Social engineering is an art of deception that involves getting close to the victim and obtaining their password from the victims themselves. It is the art of making them believe in you and setting a trap for them to fall into as your victim. Social engineering also involves phone phreaking: gaining illegal access to someone's phone, or changing the caller ID or number, to make the victim fall prey to the social engineer. Kevin Mitnick is well known for social engineering; for more details on social engineering and phone phreaking, read the book "The Art of Deception" by Kevin Mitnick.

Here are a few messages from Mitnick on social engineering and phone phreaking:

- Don't give out any personal or internal company information or identifiers to anyone, unless his or her voice is recognizable and the requestor has a need to know.
- It's human nature to trust our fellow man, especially when the request meets the test of being reasonable. Social engineers use this knowledge to exploit their victims and to achieve their goals.
- The sting technique of building trust is one of the most effective social engineering tactics. You have to think whether you really know the person you're talking to. In some rare instances, the person might not be who he claims to be. Accordingly, we all have to learn to observe, think, and question authority.
- Before new employees are allowed access to any company computer systems, they must be trained to follow good security practices, especially policies about never disclosing their passwords.
- Don't rely on network safeguards and firewalls to protect your information. Look to your most vulnerable spot. You'll usually find that vulnerability lies in your people.
- Train your people not to judge a book solely by its cover--just because someone is well-dressed and well-groomed he shouldn't be any more believable.
- When the computer intruder cannot gain physical access to a computer system or network himself, he will try to manipulate another person to do it for him. In cases where physical access is necessary for the plan, using the victim as a proxy is even better than doing it himself, because the attacker assumes much less risk of detection and apprehension.

Here is an example conversation used to get passwords in an organization. First the attacker compromised the phone lines and other IP-phone-based extensions in the organization, then he called a security department analyst. Here is the conversation between the social engineer and the security analyst:

Security Analyst: Hello!
Attacker: Hi, this is John from the development team. Am I speaking to a person from the security dept.?
Security Analyst: Yes, you are! I am Jenny, security analyst.
Attacker: Hi Jenny, actually we have developed a new application which is only meant for the trainees and the admins who were hired in the previous month, and for this we need the NT usernames and passwords of those who were appointed in the previous month, to merge the application with a new set of DB, so will you please send that information to us?
Security Analyst: Yes, sure! What's your extension?
Attacker: It's 80586. You can send that information to developerteam@corporatemail.com
Security Analyst: Sure, but I need around an hour to do that.
Attacker: That's not an issue, Jenny, but make sure you send it today. Have a great day. Bye!
Security Analyst: You too. Bye!

Dumpster diving is a term that describes pawing through a target's garbage in search of valuable information. It is usual for us to throw something in the bin when we consider it unwanted or unimportant; it is not important to us, but it is a treasure for an enemy who always keeps an eye on us. For example, suppose a security admin changes the topology and network structure of an organization and prints out a diagram of the network; the printout does not look good and has some black dots on it, so he prints a new copy and throws the first copy in the bin. If an attacker trying to compromise the security of that organization gets hold of that piece of paper, it is really valuable information for him to play with the organization's security mechanisms. So it is really important to destroy such waste before it goes out or gets into someone's hands.

Phishing is a way of creating a bogus website that looks exactly like a trusted website, in order to steal your usernames and passwords. Here is an example of a phishing website that exactly resembles Google Mail.

If you look closely at the URL of the website, instead of www.google.com/accounts the URL is displayed as www.gogoogle.com/accounts/service? This is a phishing website, designed to look exactly like Gmail in order to steal your Gmail username and password. Once you attempt to log in using your valid username and password, the credentials are stored in the attacker's database for use in a later attack. The important thing to notice before giving any input to any website is its URL; it is highly recommended to check that you are on the right website. Also, if you are browsing a banking website or any SSL-enabled website, you are advised to check for the SSL lock at the right-hand corner of the browser. "To err is human": as normal human beings, we sometimes type the URL of a website incorrectly, for example www.citbank.com instead of www.citibank.com, which again makes the browser open a phishing website if an attacker has registered a site under that domain.
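The URL check described above, as an added Python example that is not from the original document: it extracts the hostname before comparing, treats an https scheme as the presence of the "SSL lock", and flags hostnames that embed or closely resemble a trusted one, which covers both the www.gogoogle.com lookalike and the www.citbank.com typo. The allowlist, the edit-distance threshold and the simplified "www." stripping are constructed assumptions of this example.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the exact hostnames the user expects to log in to.
TRUSTED_HOSTS = {"www.google.com", "www.citibank.com"}


def split_url(url):
    """Return (hostname, uses_tls). A scheme is prepended when missing so that
    urlsplit() does not treat 'www.example.com/path' as a relative path."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.scheme == "https"


def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squatted hostnames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registrable_part(host):
    """Strip a leading 'www.' so that 'google.com' can be searched for inside
    other hostnames (a simplification; real code would consult a public
    suffix list)."""
    return host[4:] if host.startswith("www.") else host


def check_login_url(url, trusted=TRUSTED_HOSTS, max_distance=2):
    """Classify a URL before credentials are typed into it.

    Returns (verdict, hostname, uses_tls) where verdict is:
      'ok'        hostname is exactly one of the trusted hosts
      'lookalike' hostname embeds a trusted name (www.gogoogle.com,
                  www.google.com.evil.example) or is within max_distance
                  edits of one (www.citbank.com)
      'unknown'   none of the above
    """
    host, tls = split_url(url)
    if host in trusted:
        return "ok", host, tls
    for t in trusted:
        if registrable_part(t) in host or edit_distance(host, t) <= max_distance:
            return "lookalike", host, tls
    return "unknown", host, tls


if __name__ == "__main__":
    for u in ["https://www.google.com/accounts",
              "www.gogoogle.com/accounts/service?",
              "www.citbank.com",
              "https://www.google.com@evil.example/"]:
        print(u, "->", check_login_url(u))
```

Note that parsing with urlsplit() also handles the userinfo trick: a URL such as https://www.google.com@evil.example/ yields the hostname evil.example, not www.google.com, which is why the check must be done on the parsed hostname rather than on the raw string.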

Eavesdropping is searching for credentials using the resources the attacker already has. Suppose an employee in an organization is given a username and password for his own authentication and has some limited access to the organization's resources. Using that limited access, it is possible for him to browse through other networked boxes in the organization, and if the administrator is not very careful about the network and its credentials, it becomes easier for the attacker to gain access to those credentials and launch an attack later. It is not recommended to store your passwords on your computer, PDA, any digital media or anywhere else. I have found a lot of users doing this, saving their passwords in an e-mail or a notepad file; this catches the attacker's eye, so he first compromises their e-mail, which then makes it much easier for him to compromise the rest of the resources. A few users even use their password as their password hint, which reveals the password on the same screen where we log in.

Key loggers are malicious software installed on the victim's computer to steal the usernames and passwords used on that computer or in a network. Key loggers capture all the key strokes made on a computer from booting into the OS until the user logs off or shuts down the computer. There are also commercial key loggers that will mail the captured key strokes once the log reaches a specified file size. It does not matter what password you use: once a key logger is installed on your computer, the attacker owns your box. Most key loggers are detected by anti-virus software, but custom-made key loggers and some commercial key loggers are an exception, so it is highly important to keep your anti-virus up to date.

Brute forcing is a technique carried out by a hacker to compromise user authentication. To launch a brute force attack, the attacker needs to install brute forcing software on his computer; Brutus is one such utility that can be freely downloaded from the internet. The brute forcing software tries all combinations of the keys found on the keyboard until it finds the right password. The delay always depends on the password strength: if the victim uses a weak password it will be very easy to crack, and if it is very strong it can take days, weeks or even months, but in any case the password will eventually be revealed. Dictionary-based attacks crack a password that is a dictionary word much more easily. Hence it is highly recommended to use a password policy and to change the password at least once a week. In the password policy it is necessary to lock the account if anyone attempts to log in with invalid credentials more than three times. If you are using a web-based authentication system, it is highly recommended to use CAPTCHAs, which cannot be read by bots. So brute forcing comes to an end.
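The lockout rule from the password policy above, implemented as an added Python example that is not part of the original document: a per-account counter locks the account once failures exceed three, for a constructed 15-minute period, and rejects even the correct password while the lock is in effect, which is what stops an online guessing or brute-force run from making progress. The credential store, the verify function and the injectable clock are stand-ins constructed for the demo.

```python
import hmac
import time

# Constructed credential store for the demo. Real systems store only salted
# password hashes; clear text is used here purely to keep the example short.
DEMO_CREDENTIALS = {"jenny": "Cyb3rP4$$"}


def demo_verify(username, password):
    """Constructed credential check with a constant-time comparison."""
    if username not in DEMO_CREDENTIALS:
        return False
    expected = DEMO_CREDENTIALS[username].encode("utf-8")
    return hmac.compare_digest(expected, password.encode("utf-8"))


class LoginGuard:
    """Counts consecutive failed logins per account and locks the account once
    the count exceeds max_failures, for lockout_seconds. `clock` is injectable
    so the behaviour can be tested without sleeping."""

    def __init__(self, max_failures=3, lockout_seconds=15 * 60, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = {}      # username -> consecutive failure count
        self._locked_until = {}  # username -> time at which the lock expires

    def is_locked(self, username):
        until = self._locked_until.get(username)
        if until is None:
            return False
        if self.clock() >= until:          # lock expired: reset the account
            del self._locked_until[username]
            self._failures.pop(username, None)
            return False
        return True

    def attempt(self, username, password, verify=demo_verify):
        """Process one login attempt and return 'ok', 'bad' or 'locked'.
        While locked, even the correct password is rejected."""
        if self.is_locked(username):
            return "locked"
        if verify(username, password):
            self._failures.pop(username, None)   # success resets the counter
            return "ok"
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count > self.max_failures:            # "more than three times"
            self._locked_until[username] = self.clock() + self.lockout_seconds
            return "locked"
        return "bad"


class FakeClock:
    """Manually advanced clock for the demo run and for tests."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now


def run_demo():
    """Drive the guard through a guessing sequence and return the verdicts."""
    clock = FakeClock()
    guard = LoginGuard(clock=clock)
    results = []
    for guess in ["jenny", "password", "123456", "qwerty"]:   # four bad guesses
        results.append(guard.attempt("jenny", guess))
    results.append(guard.attempt("jenny", "Cyb3rP4$$"))       # correct, but locked
    clock.now += 15 * 60 + 1                                    # lock expires
    results.append(guard.attempt("jenny", "Cyb3rP4$$"))       # now succeeds
    return results


if __name__ == "__main__":
    print(run_demo())   # ['bad', 'bad', 'bad', 'locked', 'locked', 'ok']
```

A production deployment would keep the counters in shared storage rather than in process memory, log every lockout so the security team sees the guessing attempt, and combine the lockout with the CAPTCHA the text recommends for web logins.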

Password cracking tools: There are a great many freely downloadable password cracking tools available on the internet. Passwords are not only for operating systems but also for various applications such as PDF documents, Word documents, compressed folders, web sites, zipped files and so on.

Application      Password crackers
Windows          L0phtcrack, John the Ripper
Adobe PDF        Advanced PDF Password Recovery
MS Office        Office Key
Web passwords    WebBrute
Zip files        Advanced ZIP Password Recovery

Here is a tool called SnadBoy's Revelation, which is used to reveal a password that has been filled into a password field. When you drag the 'circled +' cursor over a password field that contains a password, it reveals the password in clear text instead of dots or asterisks.

Sniffing: Passwords are also vulnerable to sniffing attacks. If you use a remote password, or if your password travels over a network, it is vulnerable to sniffing. It does not matter which medium it is transferred over, wired or wireless; it is still vulnerable to sniffing attacks. Anyone can sniff packets using a packet sniffer on a network where the victim's datagrams travel. Sniffing is simply capturing the packets that pass through the network, hence it is always recommended to encrypt data before sending it, using any of the available encryption services. There are a multitude of sniffing tools that can be freely downloaded from the internet; Ethereal is one of the well-known sniffers used by attackers.

In the example diagram above, "Secret" is the data that needs to be encrypted, which is the plain text; the plain text is then converted into "cipher text" by encrypting it with a key. "Cipher text" is simply the encrypted data, which is usually in an unreadable or unrecognizable form. At the receiving end, the receiver uses the same key to decrypt the data and recover the plain text. In asymmetric encryption, however, the key used to encrypt the data differs from the key used to decrypt it; these are called the 'private key' and 'public key' respectively. In symmetric encryption, both encryption and decryption are done with the same key, hence key management is a big issue in symmetric encryption, whereas in asymmetric encryption the 'private key' is used for encryption and the 'public key' is used for decryption.

For web services, it is recommended to use SSL with 128-bit encryption, which is a standard encryption. For database administrators, it is recommended to encrypt sensitive data even when it is stored in the database. Even if you encrypt sensitive data, it does not take an attacker much time to decrypt it and extract the clear text if you use a weak algorithm or a weak key. It is very important to choose a strong encryption algorithm and a strong key to encrypt the data; if either one of them is not strong, the secret will be revealed. "Secrets will not be secret forever": this is the phrase you have to remember in terms of security in application development and cryptography. Some application developers set a default username and password with root access while developing an application; it will not be a secret forever, because hackers really do have a lot of time to crack the password, and this applies in crypto too. Unless you use a strong algorithm and a strong key to encrypt the data, the cipher text will be revealed one day.

That covers passwords and their threats. Kindly use all of the techniques mentioned above to protect against password compromise.

- Cybercrawler
