Passwords - Complete Reference


8/14/2019 Passwords - Complete Reference


Passwords

Passwords are the primary authentication mechanism by which a user protects valuable resources from unauthorized access, so it is really important to choose a strong password. Based on the characters that users choose for their passwords, passwords are classified into three types:

Strong Password

Fair Password

Weak Password

Strong Password:

This class is defined by the strength of the password. A password is said to be a strong password only if it satisfies all of the following constraints:

A strong password should have more than 6 characters; the average is 8.
A strong password should contain alphabets, numbers and special characters.
A strong password shouldn't be a default password.
A strong password shouldn't be your name, dad's name, mom's name, pet's name, your boy/girlfriend's name, your phone number, your DOB, vehicle number or nickname, and shouldn't be the same as your username.
A strong password shouldn't be a dictionary word.
Never use the same password for other accounts.
Never store or write down your password anywhere.
Never share your passwords with anyone.
Change your password at least once a week.

You should use a password that comprises at least 6 characters and has alphabets, numbers and special characters, and the vital thing is: don't use default passwords or any dictionary words as your password. Here are a few of the default passwords that are widely used:

Default password list:

admin, ADMIN, Admin, Pass, password, Password, PASSWORD, 123456, abcdef, ABCDEF, abc123, 654321, NULL, Administrator, ADMINISTRATOR, 123123, 143143, 420420, test, lab, usernamepass, qwerty, backup, mypass, Sample, default, computer, access, permit


Here is a simple example of how to choose a strong password:

Password - Meaning (how to remember)

Cyb3rP4$$ - CyberPass (Internet password)
3m41lpa55 - emailpass (E-mail password)
B4nk1ngP4$5 - bankingpass (Banking password)

If you look at the passwords given above, each one contains more than 6 characters, contains alphabets, numbers and special characters, is not a dictionary word, and is easy to remember, yet it makes it harder for an attacker to obtain your password, as long as your password satisfies all the constraints stated above. Even strong passwords are vulnerable to some kinds of attack; that depends on the technique the attacker uses to compromise password authentication, and we will look at password threats later.

If you want to make your password stronger, you can use the pass phrasing technique to make it a bit more complex.

Pass phrasing:

Pass phrasing is a technique where you use the first letter of each word of a phrase as your password.

Example: Here is a clear example of pass phrasing.

Here is the phrase that I want to use for my Yahoo e-mail password:

My Password for yahoo E-Mail account

To make the pass-phrased password a bit more complex, you can include some numbers and special characters.

In the above example, instead of "for" I used the number 4 (for -> 4), and instead of "E" I used 3 (E -> 3), which look similar and are easy to remember. These are the ways you can construct a strong password.


Fair Password:

Fair passwords are passwords that are easy to compromise, and this class too is defined by strength. A fair password would mostly be a dictionary word, which is easy to guess.

A fair password will match the default password list in some cases.
A fair password is usually not more than 8 characters.
A fair password will sometimes be your name, dad's name, mom's name, pet's name, your boy/girlfriend's name, your phone number, your DOB, vehicle number or nickname, or the same as your username.

Fair passwords are somewhat vulnerable to password guessing attacks, since they mostly use dictionary words.

Examples: NaturePassword, MyaccountSam12320sep1988

Weak Password:

Weak passwords are much easier to compromise and often match the default password list. A weak password will often match the default password list, will mostly be a dictionary word, and will sometimes be the same as the username.

Examples: 123456, Abcdef, Qwerty, Password, Abc123
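As an added illustration that is not part of the original document, the following Python script encodes the strong, fair and weak rules stated in the sections above (length, character classes, the default password list, dictionary words, username and personal details) and the pass phrasing substitution, and runs them over the document's own example passwords. The dictionary word list and the substitution table are constructed assumptions; a real check would load a full word list.

```python
import string

# Default password list taken from the document (case folded).
DEFAULT_PASSWORDS = {
    "admin", "abcdef", "test", "abc123", "lab", "654321", "usernamepass",
    "qwerty", "backup", "pass", "null", "mypass", "password", "administrator",
    "sample", "default", "123123", "computer", "123456", "143143", "access",
    "420420", "permit",
}
# Constructed stand-in for a real dictionary (assumption: load a full word list in practice).
DICTIONARY_WORDS = {"nature", "password", "secret", "welcome", "summer", "monkey", "dragon"}
MIN_STRONG_LEN = 7  # the document requires "more than 6 characters"
# Any of these alone puts a password in the document's "weak" class.
WEAK_MARKERS = {"matches the default password list", "is a dictionary word", "same as the username"}


def violations(password, username="", personal=()):
    """Return the strong-password rules from the document that `password` breaks."""
    p = password.lower()
    found = []
    if len(password) < MIN_STRONG_LEN:
        found.append("shorter than 7 characters")
    if not any(c.isalpha() for c in password):
        found.append("no alphabet characters")
    if not any(c.isdigit() for c in password):
        found.append("no digits")
    if not any(c in string.punctuation for c in password):
        found.append("no special characters")
    if p in DEFAULT_PASSWORDS:
        found.append("matches the default password list")
    if p in DICTIONARY_WORDS:
        found.append("is a dictionary word")
    elif any(w in p for w in DICTIONARY_WORDS):
        found.append("contains a dictionary word")
    if username and p == username.lower():
        found.append("same as the username")
    for item in personal:  # names, phone number, DOB, vehicle number, nickname ...
        if item and item.lower() in p:
            found.append("contains personal information (%s)" % item)
    return found


def classify(password, username="", personal=()):
    """Map a password onto the document's three classes: strong, fair or weak."""
    found = violations(password, username, personal)
    if not found:
        return "strong"
    if WEAK_MARKERS & set(found):
        return "weak"
    return "fair"  # fails some strong-password rule but is not an outright default/dictionary hit


def from_passphrase(phrase, substitutions):
    """Pass phrasing: first letter of each word, with look-alike substitutions
    applied to a whole word ('for' -> '4') or to the letter itself ('E' -> '3')."""
    out = []
    for word in phrase.split():
        out.append(substitutions.get(word, substitutions.get(word[0], word[0])))
    return "".join(out)
```

Note that 3m41lpa55 from the document's own table comes out as fair under these rules because it has no special character, and the pass-phrased password only reaches the strong class once a special character is appended, as the document advises.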


Password Threats:

Since passwords are the primary authentication mechanism, there are a lot of techniques used to compromise them. The various password threats are given below:

Shoulder surfing
Password guessing attack
Social engineering
Phone phreaking
Phishing
Eavesdropping
Dumpster diving
Key logging
Brute forcing
Password cracking tools

Shoulder surfing is a technique of getting your password by sneaking a look at the moment you are typing it. To avoid these sorts of simple attacks, check whether someone is watching your keyboard while you type your password, and try to type your password a bit faster; whatever password you use, the recommended one is always a strong password.

Password guessing is an attack where the attacker tries to log in by guessing your password. Most probably the attacker tries the victim's name, the victim's dad's name, mom's name, pet's name, boy/girlfriend's name, phone number, boy/girlfriend's phone number, DOB, vehicle number, nickname and username, and also passwords that match the default password list.

If the attacker succeeds in guessing the password by trying the list above, there is no need for him to go further to compromise the password authentication; he can easily misuse the account or launch an attack from there. Otherwise he needs to proceed with the rest of the techniques to compromise the password. If the victim uses any password that matches the above cases, he will be in trouble, which is why it is always recommended to use a strong password.

Social engineering is the art of deception: it involves getting close to the victims and getting their passwords from the victims themselves. It is the art of making them believe in you and setting a trap so that they fall victim to you. Social engineering also involves phone phreaking, gaining illegal access to someone's phone or changing the caller ID or number to make the victim fall prey to the social engineer. Kevin Mitnick is well known for social engineering; for more details on social engineering and phone phreaking, read the book The Art of Deception by Kevin Mitnick.


Here are a few messages by Mitnick on social engineering and phone phreaking:

Don't give out any personal or internal company information or identifiers to anyone, unless his or her voice is recognizable and the requestor has a need to know.

It's human nature to trust our fellow man, especially when the request meets the test of being reasonable. Social engineers use this knowledge to exploit their victims and to achieve their goals.

The sting technique of building trust is one of the most effective social engineering tactics. You have to think whether you really know the person you're talking to. In some rare instances, the person might not be who he claims to be. Accordingly, we all have to learn to observe, think, and question authority.

Before new employees are allowed access to any company computer systems, they must be trained to follow good security practices, especially policies about never disclosing their passwords.

Don't rely on network safeguards and firewalls to protect your information. Look to your most vulnerable spot. You'll usually find that vulnerability lies in your people.

Train your people not to judge a book solely by its cover--just because someone is well-dressed and well-groomed, he shouldn't be any more believable.

When the computer intruder cannot gain physical access to a computer system or network himself, he will try to manipulate another person to do it for him. In cases where physical access is necessary for the plan, using the victim as a proxy is even better than doing it himself, because the attacker assumes much less risk of detection and apprehension.


Here is an example conversation of the kind used to get passwords in an organization.

First the attacker compromised the phone lines and the IP-phone-based extensions in the organization, then he made a call to the security department analyst. Here is the conversation between the social engineer and the security analyst:

Security Analyst: Hello!
Attacker: Hi, this is John from the development team. Am I speaking to a person from the security dept.?
Security Analyst: Yes, you are! I am Jenny, security analyst.
Attacker: Hi Jenny, actually we have developed a new application which is only meant for the trainees and the admins who were hired in the previous month, and for this we need the NT usernames and passwords of those who were appointed in the previous month, to merge the application with a new set of DBs, so will you please send that information to us?
Security Analyst: Yes, sure! What's your extension?
Attacker: It's 80586. You can send that information to [email protected]
Security Analyst: Sure, but I need around an hour to do that.
Attacker: That's not an issue, Jenny, but make sure you send it today. Have a great day. Bye!
Security Analyst: You too. Bye!

Dumpster diving is a term that describes pawing through a target's garbage in search of valuable information. It is usual for us that, if we consider something unwanted or unlikely to be needed, we throw it in a bin; it is not much important to us, but it is a treasure for our enemy, who always keeps an eye on us.

For example, suppose a security admin changes the topology and networking structure of an organization and prints out a diagram of the network; the printout does not look good and has some black dots on it, so he prints a new copy and throws the first copy in the bin. If an attacker who is trying to compromise the security of that organization gets that piece of paper, it is really valuable information for him to play with the security mechanisms of that organization. So it is really important to destroy all such waste before it goes out or gets into someone's hands.


Phishing is a way of creating a bogus website that looks exactly like a trusted website in order to steal your usernames and passwords. Here is an example of a phishing website that looks exactly like Google Mail.

If you look closely at the URL of the website, instead of www.google.com/accounts the URL is displayed as www.gogoogle.com/accounts/service? This is a phishing website, designed exactly like Gmail to steal your Gmail username and password. Once you attempt to log in using your valid username and password, these credentials are stored in the attacker's DB to launch an attack.

The important thing to notice before giving any input on any website is the URL of the website; it is highly recommended to check whether you are on the right website. Also, if you are browsing any banking website or any SSL-enabled website, you are advised to check the SSL lock at the right-hand corner of the browser. To err is human: as normal human beings it is sometimes possible for us to type the URL of a website incorrectly, for example instead of www.citibank.com we might type www.citbank.com, which again will make the browser open a phishing website if an attacker has registered a site under that domain.
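As an added example that is not part of the original document, the following Python helper performs the URL check recommended above on the document's own URLs: it extracts the host, compares it against an allowlist, and flags near-miss and embedded brand names such as gogoogle.com and citbank.com. The allowlist is a constructed assumption, and `registrable_domain` is a deliberate simplification that a real check would replace with the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed allowlist of the legitimate hosts the document talks about.
TRUSTED_HOSTS = {"www.google.com", "www.citibank.com"}


def registrable_domain(host):
    """Return the last two labels of a host name (simplification; a real check
    would use the Public Suffix List to handle names such as example.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Classic Levenshtein distance, used to spot one- or two-letter look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url):
    """Classify a URL as 'trusted', 'lookalike' or 'unknown' before typing credentials."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if host in TRUSTED_HOSTS:
        return "trusted"
    domain = registrable_domain(host)
    labels = host.split(".")
    for trusted in TRUSTED_HOSTS:
        tdomain = registrable_domain(trusted)
        brand = tdomain.split(".")[0]          # "google", "citibank"
        # Typo-squat (citbank.com), prefixed brand (gogoogle.com) or the brand
        # hidden inside a longer host (www.google.com.evil.example) all count.
        if edit_distance(domain, tdomain) <= 2 or any(brand in lbl for lbl in labels):
            return "lookalike"
    return "unknown"
```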


Eavesdropping is nothing but searching for credentials using the resources the attacker has. Suppose an employee in an organization is given a username and password for his own authentication and has some limited access to the organization's resources. Using that limited access it is possible for him to browse through other networked boxes in his organization, and if, by luck, the administrator is not much concerned about the network and its credentials, then it is a bit easier for the attacker to gain access to those credentials and launch an attack later. It is not recommended to store your passwords on your computer, PDA, any digital media or anywhere else.

I have found a lot of users doing it, saving their passwords in an e-mail or a notepad file, which really catches the attacker's eye: he first compromises their e-mail, which then makes it much easier for him to compromise the rest of the resources. A few of them use their password as their password hint, which reveals the password on the same screen where we log in.

Key loggers are malicious software installed on the victim's computer to steal the usernames and passwords used on that computer or in a network. Key loggers capture all the keystrokes made on a computer from booting into the OS until the user logs off or shuts down the computer. There are also some commercial key loggers which will mail the keystrokes to the attacker once the log reaches a specified file size. It really doesn't matter what password you use: once a key logger is installed on your computer, the attacker very likely owns your box. Most key loggers will be detected by anti-virus, but custom-made key loggers and some commercial key loggers are an exception. It is highly important to keep your anti-virus up to date.

Brute forcing is a technique carried out by a hacker to compromise user authentication. In order to launch a brute force attack, the attacker needs to install some brute forcing software on his computer. Brutus is one of the brute forcing utilities that can be freely downloaded from the Internet. The brute forcing software tries all combinations of the keys found on the keyboard until it finds the right password. The delay always depends on the password strength: if the victim uses a weak password it will be very easy to crack, and if it is too strong it will take days, weeks or even months to crack the password, but either way it will reveal the password. Also, dictionary-based attacks make it much easier to crack a password that is a dictionary word.

Hence it is highly recommended to use a password policy, and also to change the password at least once a week.

In the password policy it is necessary to lock the account if anyone attempts to log in with invalid credentials more than three times. If you are using a web-based authentication system, it is highly recommended to use CAPTCHAs, which can't be read by bots. This brings brute forcing to an end.
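As an added example that is not from the original document, this Python class implements the lockout rule just described (lock the account once invalid attempts exceed three) on top of salted PBKDF2 password hashes with a constant-time comparison, so a stolen credential store does not hand the attacker clear-text passwords either. The iteration count, the administrator-driven unlock and the usernames and passwords used are constructed assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumption: tune to the hardware the service runs on
DUMMY_SALT = b"\x00" * 16    # used so unknown usernames cost the same as real ones


class PasswordStore:
    """Salted password hashes plus the document's lockout policy."""

    def __init__(self, max_failures=3):
        self.max_failures = max_failures  # lock when failures exceed this ("more than three")
        self.records = {}                 # username -> (salt, pbkdf2 hash)
        self.failures = {}                # username -> consecutive failed attempts
        self.locked = set()

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, username, password):
        salt = os.urandom(16)             # fresh random salt per account
        self.records[username] = (salt, self._hash(password, salt))
        self.failures[username] = 0

    def is_locked(self, username):
        return username in self.locked

    def login(self, username, password):
        """Return 'ok', 'bad_credentials' or 'locked'; never say which field was wrong."""
        if username in self.locked:
            return "locked"
        record = self.records.get(username)
        if record is None:
            self._hash(password, DUMMY_SALT)  # keep timing even for unknown users
            return "bad_credentials"
        salt, stored = record
        if hmac.compare_digest(self._hash(password, salt), stored):
            self.failures[username] = 0   # a good login resets the counter
            return "ok"
        self.failures[username] += 1
        if self.failures[username] > self.max_failures:
            self.locked.add(username)
            return "locked"
        return "bad_credentials"

    def unlock(self, username):
        """Assumption: an administrator clears the lock after verifying the user's identity."""
        self.locked.discard(username)
        self.failures[username] = 0
```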


Password cracking tools: There are a hell of a lot of freely downloadable password cracking tools available on the Internet. Passwords are not only for the OS but also for various applications like PDF documents, Word documents, compressed folders, the Internet, zipped files and so on.

Application - Password crackers

Windows - L0phtcrack, John the Ripper
Adobe PDF - Advanced PDF Password Recovery
MS Office - Office Key
Web passwords - WebBrute
Zip files - Advanced ZIP Password Recovery

Here is a tool called SnadBoy's Revelation, which is used to reveal a password once it has been filled into a password field. When you drag the circled + cursor over a password field that contains a password, it reveals the password in clear text instead of dots or asterisks.


Sniffing:

Passwords are also vulnerable to sniffing attacks. If you are using a remote password, or if your password travels over a network, it is vulnerable to sniffing. It doesn't matter what medium it is transferred over, wired or wireless; it is still vulnerable to sniffing. Anyone can sniff packets if he or she uses a packet sniffer on a network where the victim's datagrams travel. Sniffing is nothing but capturing the packets that pass through a network, hence it is always recommended to encrypt data before sending it, using any of the encryption services available. There is a mushrooming number of sniffing tools that can be freely downloaded from the Internet. Ethereal is one of the well-known sniffers used by attackers.

In the example given above, "Secret" is the data that needs to be encrypted, which is plain text; the plain text is converted into cipher text by encrypting it with a key. Cipher text is nothing but the encrypted data, which is usually in an unreadable or unrecognizable form. At the receiving end, the receiver uses the same key to decrypt the data to get the plain text. But in asymmetric encryption, the key used to encrypt the data differs from the key used to decrypt the data; these are called the private key and the public key respectively.

In symmetric encryption both encryption and decryption are done using the same key, hence key management is a big issue in symmetric encryption. Whereas in asymmetric encryption, the private key is used for encryption and the public key is used for decryption.


For web services it is recommended to use SSL 128-bit encryption, which is a standard encryption. For database administrators it is recommended to encrypt sensitive data even when it is stored in the database.

Even if you encrypt the sensitive data, it doesn't take much time for an attacker to decrypt it and pull out the clear text if you use a weak algorithm or a weak key. It is very important to choose a strong encryption algorithm and a strong key to encrypt the data; if either one of them is not strong, the secret will be revealed. "Secrets will not be secret forever" is the phrase you have to remember in terms of security in application development and crypto. Some application developers set a default username and password with root access while developing an application; it will not be a secret forever, because hackers really do have a lot more time to crack the password. This applies in crypto too: unless you use a strong algorithm and a strong key to encrypt the data, the cipher text will be revealed one day.

This was all about passwords and their threats. Kindly use all the techniques mentioned above to prevent password compromise.

- Cybercrawler