Weak Passwords

A password is a secret word or, more technically, a string of characters used to authenticate, gain access to resources or prove identity. It must be kept secret from anyone who is not allowed to access those resources. In most cases passwords are used together with usernames.

Passwords have been used with computers since the earliest days of computing. One of the first time-sharing systems was introduced in 1961. It had a LOGIN command that requested a user password. After typing “PASSWORD”, the system turned off the printing mechanism, if possible, so that the user could type in his password with privacy.

The strength of a password is a function of its length, complexity and unpredictability, and measures how well it resists guessing.
A weak password shortens the time needed to guess it and gain access to personal or corporate e-mail and to sensitive data such as financial information, credit card numbers and business information.

Examples of weak passwords:

  • Dictionary words: sky, grass, hummer etc.
  • Double words: skysky, grassgrass etc.
  • Unchanged default password of a device
  • Words with simple obfuscation: p@ssword, password1
  • Well known sequence: 123456, qwerty123, 123password

There are many other ways a password can be weak, each corresponding to the strength of a particular attack scheme.
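The patterns in the list above can be checked mechanically. The following Python checker is an added example (not part of the original text): it flags dictionary words, doubled words, unchanged defaults, simple obfuscation (leet substitutions and a trailing digit) and well-known sequences. The word list, default-password list, sequence list and substitution table are constructed for illustration; a real deployment would load a full dictionary and a breached-password corpus.

```python
import re

# Constructed mini word list; a real check would load a full dictionary
# and a list of passwords seen in breaches.
DICTIONARY = {"sky", "grass", "hummer", "password", "welcome", "dragon"}

# Constructed lists of well-known sequences and vendor default passwords.
KNOWN_SEQUENCES = {"123456", "qwerty", "qwerty123", "123password", "abc123"}
DEFAULT_PASSWORDS = {"admin", "changeme", "default"}

# Substitutions used in "simple obfuscation" (p@ssword, pa$$w0rd, ...).
LEET_TABLE = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                            "4": "a", "5": "s", "7": "t", "!": "i"})


def normalize(pw):
    """Lower-case, drop trailing digits (password1) and undo leet substitutions."""
    stripped = re.sub(r"\d+$", "", pw.lower())
    return stripped.translate(LEET_TABLE)


def weaknesses(pw):
    """Return the list of weak-password categories that pw falls into.

    An empty list means none of the listed patterns matched; it does not
    mean the password is strong (length and entropy are checked elsewhere).
    """
    found = []
    lowered = pw.lower()
    if lowered in DICTIONARY:
        found.append("dictionary word")
    # Double word: the two halves are identical and each half is a word.
    half = len(lowered) // 2
    if (len(lowered) >= 4 and lowered[:half] == lowered[half:]
            and lowered[:half] in DICTIONARY):
        found.append("double word")
    if lowered in DEFAULT_PASSWORDS:
        found.append("unchanged default password")
    # Simple obfuscation: after undoing substitutions we land on a known word.
    base = normalize(pw)
    if base != lowered and (base in DICTIONARY or base in KNOWN_SEQUENCES):
        found.append("simple obfuscation")
    if lowered in KNOWN_SEQUENCES:
        found.append("well-known sequence")
    return found


if __name__ == "__main__":
    for candidate in ["sky", "skysky", "admin", "p@ssword", "password1",
                      "123456", "qwerty123", "L7#qv!Zr9m2Xe"]:
        print(f"{candidate:16} -> {weaknesses(candidate) or ['no pattern matched']}")
```

A check like this belongs in the password-change path, so that a user is told at the moment of choosing a password which pattern made it weak; it complements, rather than replaces, the length and character-class rules under Mitigation.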

Attacks against passwords are classified according to the way they are implemented.

Passive online attack

In a passive online attack the attacker does not contact the authenticating party to steal the password; in other words, he attempts to obtain it without communicating with the victim or the victim's account. Types of passive online attacks are:

  • Wire sniffing – Sniffing occurs when a wire-tap is applied to a computer network. All traffic that passes the tap is analysed by software, and a password may be obtained from it.
  • Man in the middle – A man-in-the-middle attack is a form of eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe they are talking directly to each other over a private connection, while the entire conversation is in fact controlled by the attacker.

Active online attack

This type of attack is also termed password guessing. The attacker tries a number of passwords one by one, manually or with an automated tool, against the victim's account in order to guess his or her password. Password guessing is often not as difficult as it sounds, because in practice most people use common, simple words as passwords.

Offline attack

Offline password attacks are performed somewhere other than the computer where the passwords reside or are used. An offline attack first requires access to the computer that stores the password file: the attacker copies the file and then tries to break the passwords on his own system. The following types of offline attack are used:

  • Brute force attack – The brute-force approach is to guess the password repeatedly by generating candidates with a mathematical algorithm. This method is very fast when used to check all short passwords, but for longer passwords the time required is much longer.
  • Dictionary attack – A dictionary attack uses a targeted technique: it successively tries all the words in an exhaustive list of pre-arranged values. Dictionary attacks are not guaranteed to succeed, but that does not make them a less preferred method, because most users use a standard dictionary word as a password.

Non-technical attacks

These attacks do not require any technical knowledge and include the following approaches:

  • Shoulder surfing
  • Keyboard sniffing
  • Social engineering

Mitigation

The most important rule for avoiding weak passwords in an organization is to implement password policies and follow them strictly, without exceptions.

Password policies include:

  • Minimum password length – at least 6 characters
  • Password must include special characters, lower- and upper-case letters, and numbers
  • Number of wrong attempts after which the account is locked for a reasonable time
  • Changing passwords after a defined period
  • History of used passwords, so that old ones cannot be reused
  • Using strong encrypting algorithms for stored passwords

Another important rule is to educate employees so that they can avoid non-technical attacks:

  • Using a password manager to store passwords
  • Using different passwords for different applications and sites
  • Teaching employees memorization techniques to help them remember passwords