Passwords - Common Attacks and Possible Solutions
by Dancho Danchev - Monday, 15 November 2004.
- Unintentionally shared

A user might share his/her accounting data without even realizing that by exposing it the risk of a potential break-in increases. A password is usually shared with friends, bosses, and family under different circumstances. A "benefit" considered by some users is the convenience for two persons or more, to know certain accounting data in order to gain access to a certain resource. Passwords might also be shared in an informal talk with coworkers discussing the latest company's password policy, or the way they choose their passwords, how they maintain them and in some cases how the management will never find out about their thought to be secret ways of storing the accounting data. One of the most critical and easy to conduct ways of obtaining sensitive data is simply to ask for it, both in a direct or an indirect way, which is what social engineering, is all about.

- Cracked

Sometimes in case of a partial break-in, the encrypted password file of a company might be exposed to a malicious attacker. If it happens, the attacker will start password cracking the file, namely trying all the possible combinations with the idea to find the weakest passwords and gain privileges later on. In case the company is aware that its passwords' file has been compromised, it should immediately notify all employees to change their passwords, so even if weak passwords are exposed, they wouldn't be valid ones anymore. However, if the company is not aware of its password file exposure, it should constantly try to crack its password file just like an attacker would do and filter out the weakest passwords.

- Sniffed

Are you aware how many employees are accessing sensitive data through their already breached computer or their friend's one? Having strong password doesn't guarantee its integrity when it's not securely transmitted over the Internet. Don't give your employees the ability to choose between plain text or SSL authentication; instead, enforce all network communications in encrypted mode. Another highly recommended option would be to provide everyone with "last login from...” feature, so that in case they notice an unauthorized login, they would report it right away.

- Guessed

A large number of users are tricking the established password policies by somehow creating a believed to be strong, while weak or common sense password. Although nowadays this method is rarely used compared to the ones we've already discussed above, it should be kept in mind that certain users are still choosing passwords based on objects or brands around their desk.

The most common password maintenance mistakes

- Auto fill feature

The majority of applications will allow you to remember your passwords and accounting data, but unless you're sure that the computer is reasonably protected from possible physical security breaches, you're strongly advised not to have your passwords remembered in this way. Make sure this option is not used at public access places like net cafés' etc.

- "Post it" notes

Passwords are often written down and even worse, posted next to the monitor or around the desk. This could easily be observed by malicious attackers or insiders, so avoid it.

- "The secret place"

A lot of people believe they have found the secret place under the keyboard or anywhere around the desk, which is very unacceptable considered the fact that if observed enough, they would reveal their believed to be secret place, get distracted and have their accounting data leaked out. Even so, a large number of people keep certain accounting data on papers, PDAs, etc., so a possible strategy until they remember their accounting data and get rid of the note they keep with them all the time would be the following; have at lest 6/7 different and fake passwords around the real one, you might even cross a couple of them, even the actual one. This would be very beneficial keeping in mind that hopefully two/three false logins will lock the account, and in case your note gets exposed, it would be still a matter of luck for the attacker to use the right one. Although this method provides no guarantees, and is not recommended at all, it is a very short solution to remember your password and get rid of your note right away!


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Tue, Feb 9th