Passwords can be defined as the string of characters used to verify the identity of a specific user during the process of authentication (Li et al., 2013). There are various types of password security attacks in today's cyber world, and users are extremely vulnerable to them (Chen, Kuo & Wuu, 2014). The most popular password attacks are brute force, reverse brute force, dictionary attacks, keylogger attacks, social engineering attacks, offline password cracking, password resetting and many more.
The following term paper outlines a brief discussion on attacking and protecting passwords. The various types of password attacks are defined here with proper descriptions. Moreover, the countermeasures for all these password attacks are also given in this term paper, and the prevention of password cracking attacks is described. The final part of the paper discusses the authentication methods used for preserving these passwords.
Definition of Passwords
A password can be defined as the string of characters used for the authentication of a user on a computer system. Most passwords consist of several characters, including numbers, letters, symbols and special characters (Li, 2013). Passwords usually do not contain spaces. A password is generally a unique combination of numbers and letters and should not contain actual words. When a user logs into an account, whether a social media or bank account, he or she provides a username and password. Usernames are usually public information, whereas passwords are absolutely private to every user.
Types of Password Attacks
There are various types of password attacks. They are as follows:
- i) Brute-Force Attacks: A brute-force attack can be defined as a trial-and-error method used for obtaining data such as passwords or PINs (Jiang et al., 2015).
- ii) Reverse Brute-Force Attacks: In a reverse brute-force attack, a single password is tested against several encrypted files or usernames.
- iii) Dictionary Attacks: Dictionary attacks are brute-force attacks that try to determine the decryption key by simply trying hundreds of likely possibilities, such as common words.
- iv) Key Logger Attack: Key logger attacks occur when a user types input, such as a search query, on his system and the hacker records or monitors that activity (Franchi, Poggi & Tomaiuolo, 2015).
- v) Social Engineering Attack: Social engineering attacks occur in a few steps: the perpetrator investigates background information, then moves to obtain trust and finally provides stimuli for various actions.
- vi) Offline Cracking of Password: Offline password cracking can be defined as the procedure of recovering passwords from data that is stored on, or transmitted by, a computer system.
- vii) Resetting of Password: Resetting of a password is done when someone has used a password for a long period of time or has forgotten the password (Dua et al., 2013). The entire password is changed with proper security measures. However, spammers or hackers can attack the reset process itself.
Countermeasures for Protecting Passwords against Cracking Attacks
- i) Brute Force Attack: The simplest method to block or prevent a brute-force attack is to lock out the account after a specific number of wrong passwords has been attempted.
- ii) Reverse Brute-Force Attacks: Reverse brute-force attacks can be prevented by obfuscating the encoded data so that it is extremely difficult for an attacker to tell when the code has been cracked, or by making the attacker do extra work to test every guess (Silver et al., 2014).
- iii) Dictionary Attack: The most effective countermeasure against dictionary attacks is Delayed Response. A somewhat delayed response from the server prevents a hacker or spammer from checking many passwords in a short span of time. Hence, the dictionary attack is prevented.
- iv) Key Logger Attack: Key logger attacks can be eradicated with the help of password encryption. Kernel-level programs can also remove these types of attacks (Lee, Liu & Hwang, 2013). These programs keep the password safe from key logger attacks.
- v) Social Engineering Attack: The most efficient countermeasure for social engineering is employee awareness training. The countermeasures mainly include training the employees, verifying information contained in electronic mails and even defining the sensitivity of information types such as user names, network addresses, dial-in numbers, passwords and many more.
- vi) Offline Cracking of Password: The countermeasure for offline cracking of passwords has two stages: the password design stage and the stage after the password has been generated. Within the password design stage, users should be well educated regarding the importance of passwords and trained in how a password should be generated (Garman, Paterson & Van der Merwe, 2015). After the user is educated, he or she can generate the password, and for this purpose reactive password checking is required. Password encryption is yet another countermeasure.
- vii) Resetting of Password: The best prevention method or countermeasure for password resetting is password encryption. This method keeps the password in an encrypted format, so that it is not easily cracked by any other user. When the password is reset, it is automatically authenticated and protected from any type of attack.
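As an added illustration (not from this paper or its cited sources) of the account lockout in item i) and the delayed response in item iii), combined with storing passwords only as salted hashes as item vi) recommends, the following Python login checker implements all three; the threshold, lockout time and delay values are assumed, and the clock and sleep functions are injectable so the behaviour can be checked without waiting:

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5        # lockout threshold (assumed value)
LOCKOUT_SECONDS = 900   # 15-minute lockout (assumed value)
BASE_DELAY = 0.5        # delayed response: seconds, doubled per failure (assumed)


class PasswordStore:
    """Keeps only salted PBKDF2 hashes; enforces lockout and delayed response."""

    def __init__(self, clock=time.monotonic, sleep=time.sleep):
        self._users = {}       # username -> (salt, pbkdf2 hash)
        self._failures = {}    # username -> (failure count, time of last failure)
        self._clock, self._sleep = clock, sleep

    @staticmethod
    def _hash(password, salt):
        # Slow, salted hash: an offline attacker must repeat this work per guess.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))

    def locked_out(self, username):
        count, last = self._failures.get(username, (0, 0.0))
        return count >= MAX_FAILURES and self._clock() - last < LOCKOUT_SECONDS

    def login(self, username, password):
        if self.locked_out(username):
            return False                      # lockout: refuse without checking
        count, _ = self._failures.get(username, (0, 0.0))
        if count:                             # delayed response after failures
            self._sleep(BASE_DELAY * 2 ** (count - 1))
        salt, stored = self._users.get(username, (b"", b""))
        digest = self._hash(password, salt)   # hash even for unknown users
        ok = bool(stored) and hmac.compare_digest(digest, stored)
        if ok:
            self._failures.pop(username, None)
        else:
            self._failures[username] = (count + 1, self._clock())
        return ok
```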
Authentication Methods Used for Preserving Passwords
There are several important authentication methods used for preserving passwords. They are as follows:
- i) Authentication by Operating System: This is the first and foremost method of authentication for preserving passwords (Khan, 2013). Oracle permits the information maintained by the operating system to be used for authenticating users. When authentication is done by the OS, users can connect to the server without specifying usernames and passwords.
- ii) Authentication by Network: The second type of authentication method is authentication by network. This is done by third-party services or by the SSL protocol. The Secure Sockets Layer protocol is an application layer protocol and hence can be utilized for user authentication to the database (Silver et al., 2014). Regarding third-party services, the most popular examples are PKI (Public Key Infrastructure) and Kerberos.
- iii) Authentication by Database: A database can authenticate users attempting to connect to it by using information stored within the database itself. To use database authentication, the user must create an account with an associated password; after successfully providing the username and password, a connection is established (Dua et al., 2013). The user passwords are stored within the data dictionary in encrypted format.
Therefore, from the above discussion, it can be concluded that passwords are the most basic security mechanism, comprising secret pass phrases created from alphabetic, alphanumeric, symbolic or numeric characters, or a combination of them. These passwords are used in conjunction with usernames so that users can gain access to devices. However, in spite of having several advantages, passwords can be hacked by attackers with wrongful motives. The above term paper has outlined a brief discussion on passwords and the various types of password attacks. Relevant details are provided regarding the types of password attacks, and countermeasures for all the above-mentioned attacks are also provided. The prevention of password cracking attacks is also covered. The prevention methods used against brute-force cracking and against key logger attacks are defined in this term paper. The authentication methods utilized for preserving passwords are also given.
Chen, B. L., Kuo, W. C., & Wuu, L. C. (2014). Robust smart-card-based remote user password authentication scheme. International Journal of Communication Systems, 27(2), 377-389.
Dua, G., Gautam, N., Sharma, D., & Arora, A. (2013). Replay attack prevention in Kerberos authentication protocol using triple password. arXiv preprint arXiv:1304.3550.
Franchi, E., Poggi, A., & Tomaiuolo, M. (2015). Information and password attacks on social networks: An argument for cryptography. Journal of Information Technology Research (JITR), 8(1), 25-42.
Garman, C., Paterson, K. G., & Van der Merwe, T. (2015, August). Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS. In USENIX Security Symposium (pp. 113-128).
Jiang, Q., Ma, J., Li, G., & Li, X. (2015). Improvement of robust smart-card-based password authentication scheme. International Journal of Communication Systems, 28(2), 383-393.
Khan, A. A. (2013). Preventing phishing attacks using one time password and user machine identification. arXiv preprint arXiv:1305.2704.
Lee, C. C., Liu, C. H., & Hwang, M. S. (2013). Guessing Attacks on Strong-Password Authentication Protocol. IJ Network Security, 15(1), 64-67.
Li, C. T. (2013). A new password authentication and user anonymity scheme based on elliptic curve cryptography and smart card. IET Information Security, 7(1), 3-10.
Li, X., Niu, J., Khan, M. K., & Liao, J. (2013). An enhanced smart card based remote user password authentication scheme. Journal of Network and Computer Applications, 36(5), 1365-1371.
Silver, D., Jana, S., Boneh, D., Chen, E. Y., & Jackson, C. (2014, August). Password Managers: Attacks and Defenses. In USENIX Security Symposium (pp. 449-464).