Password Threats
Added: November 05, 2009. Category: Education. License: Some Rights Reserved.

Presentation Transcript

Slide 1: PASSWORD THREATS
PREMKUMAR.S

Slide 2: Passwords
Passwords are the primary mechanism by which a user authenticates in order to protect a valuable resource from unauthorized access, so it is important to choose a strong password. Based on the characters users choose, passwords are classified into three types: strong, fair and weak.

Slide 3: Strong Password
Strength depends on the password itself. A password is considered strong only if it satisfies all of the following constraints:
A strong password should have more than 6 characters; 8 is the average.
A strong password should contain letters, numbers and special characters.
A strong password should not be a default password.
A strong password should not be your name, your father's or mother's name, your pet's name, your boyfriend's or girlfriend's name, your phone number, your date of birth, your vehicle number or your nickname, and it should not be the same as your username.
A strong password should not be a dictionary word.
Never use the same password for other accounts.
Never store or write down your password anywhere.
Never share your password with anyone.
Change your password at least once a week.

Slide 4:
Use a password of at least 6 characters that contains letters, numbers and special characters, and above all do not use default passwords or dictionary words. Here are a few of the default passwords that are widely used:

Slide 5:
Here is a simple example of how to choose a strong password. Each of the passwords shown above contains more than 6 characters, mixes letters, numbers and special characters, is not a dictionary word and is still easy to remember, yet it makes the attacker's job considerably harder when all of the constraints stated above are met. Even strong passwords are vulnerable to some attacks, depending on the technique the attacker uses to compromise the password authentication; we will look at the password threats later. If you want to make your password stronger still, you can use the 'pass phrasing' technique to make it more complex.

Slide 6: Pass phrasing
Pass phrasing is a technique where you use the first letter of each word of a phrase as your password. Example: here is the phrase I want to use for my Yahoo e-mail password, "My Password for yahoo E-Mail account".

Slide 7:
To create a more complex pass-phrased password, include some numbers and special characters. In the above example, instead of "for" I used the number 4 (for - 4), instead of E I used 3 (E - 3), which looks similar and is easy to remember, and for A I used @ (A - @). These are ways you can construct a strong password.
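As an added example (not part of the original slides), the following Python applies the constraints of slides 3, 8 and 9 to classify a password, and builds a pass-phrased password the way slides 6 and 7 describe. The default-password list, dictionary words, username and personal details are constructed samples; the weak/fair split is my reading of the slides, and since the slide's own finished password is not in the transcript, the result for the example phrase is this code's reconstruction.

```python
import re
import string

# Constructed sample lists standing in for the default-password list and the
# dictionary the slides refer to (the real lists were images on the slides).
DEFAULT_PASSWORDS = {"admin", "password", "123456", "root", "letmein", "guest"}
DICTIONARY_WORDS = {"monkey", "dragon", "sunshine", "football", "welcome", "password"}
SPECIALS = set(string.punctuation)

# Slide 7 substitutions: the whole word "for" becomes 4, and a leading E or A
# becomes the look-alike 3 or @.
WORD_SUBS = {"for": "4"}
LETTER_SUBS = {"e": "3", "a": "@"}


def check_password(password, username="", personal_details=()):
    """Classify a password as 'weak', 'fair' or 'strong' per slides 3, 8 and 9.

    Returns (rating, reasons).  Weak: matches the default list, is a dictionary
    word, or equals the username.  Fair: otherwise fails a slide 3 constraint
    (length, character classes, personal details).  Strong: passes everything.
    """
    reasons = []
    lowered = password.lower()
    if lowered in DEFAULT_PASSWORDS:
        reasons.append("matches a default password")
    if lowered in DICTIONARY_WORDS:
        reasons.append("is a dictionary word")
    if username and lowered == username.lower():
        reasons.append("same as username")
    if reasons:
        return "weak", reasons

    if len(password) <= 6:
        reasons.append("6 characters or fewer")
    if not any(c.isalpha() for c in password):
        reasons.append("no letters")
    if not any(c.isdigit() for c in password):
        reasons.append("no digits")
    if not any(c in SPECIALS for c in password):
        reasons.append("no special characters")
    # Personal details (name, DOB, phone, ...) are compared with punctuation
    # stripped so that "1985-03-12" still matches "prem19850312".
    stripped = re.sub(r"\W", "", lowered)
    for detail in personal_details:
        d = re.sub(r"\W", "", detail).lower()
        if d and d in stripped:
            reasons.append(f"contains personal detail {detail!r}")
    if reasons:
        return "fair", reasons
    return "strong", reasons


def passphrase_password(phrase):
    """Slide 6: take the first letter of each word; slide 7: apply substitutions.

    Words are split on whitespace and hyphens, so "E-Mail" contributes both E
    and M (an assumption; the transcript does not show the slide's result).
    """
    out = []
    for word in re.split(r"[\s\-]+", phrase.strip()):
        if not word:
            continue
        if word.lower() in WORD_SUBS:
            out.append(WORD_SUBS[word.lower()])
            continue
        first = word[0]
        out.append(LETTER_SUBS.get(first.lower(), first))
    return "".join(out)


if __name__ == "__main__":
    pw = passphrase_password("My Password for yahoo E-Mail account")
    print(pw, check_password(pw, "premkumar", ["Prem", "1985"]))
    print(check_password("Prem1985", "premkumar", ["Prem", "1985"]))
    print(check_password("admin", "admin"))
```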
Slide 8: Fair Password
Fair passwords are easy to compromise, and they too are classified by strength.
A fair password is mostly a dictionary word, which is easy to guess.
A fair password will match the default password list in some cases.
A fair password is not more than 8 characters in most cases.
A fair password is sometimes your name, your father's or mother's name, your pet's name, your boyfriend's or girlfriend's name, your phone number, your date of birth, your vehicle number or your nickname, or the same as your username.
Fair passwords are vulnerable to password guessing attacks, since they mostly use dictionary words. A few examples of fair passwords include:

Slide 9: Weak Password
Weak passwords are very easy to compromise and often match the default password list.
A weak password will often match the default password list.
It is mostly a dictionary word.
It is sometimes the same as the username.
A few examples of weak passwords include:

Slide 10: Password Threats
Since passwords are the primary authentication mechanism, many techniques are used to compromise them. The various password threats are given below:
Shoulder surfing
Password guessing attack
Social engineering
Phone phreaking
Phishing
Eavesdropping
Dumpster diving
Key logging
Brute forcing
Password cracking tools

Slide 11: Shoulder surfing
Shoulder surfing is the art of stealing a password by peeking at a user's keyboard while he types it. To avoid this sort of simple attack, check whether someone is watching your keyboard while you type your password, and try to type your password a bit faster. Whatever password you use, the recommended one is always a strong password.
Countermeasure
The countermeasures for this kind of attack are simple: just look around to see whether someone is watching your keystrokes, especially when you are typing your username and password. Learn to type your password at a fast rate.

Slide 12: Password guessing
Password guessing is an attack where the attacker attempts to supply your password by guessing it. Most probably the attacker tries the victim's name, the victim's father's or mother's name, pet's name, boyfriend's or girlfriend's name, phone number, boyfriend's or girlfriend's phone number, date of birth, vehicle registration number, nickname and username, along with passwords that match the default password list. If the attacker succeeds in guessing the password from the list above, there is no need for him to go further to compromise the password authentication; that is enough for him to misuse the account or launch an attack from there. If the victim uses any password matching the above cases, he will fall prey to this simple password guessing attack.

Countermeasure
Choose passwords that are hard to guess. Never use a dictionary word as a password. Pass phrasing will help you choose a strong password.

Slide 13: Social Engineering
Social engineering is the art of deception: getting close to the victim and obtaining their password. It is the art of making them believe in you and setting a trap for them to fall into. Social engineering also involves phone phreaking, gaining illegal access to someone's phone or spoofing the caller ID or number, to make the victim fall prey to the social engineer. Kevin Mitnick is well known for social engineering; for more details on social engineering and phone phreaking, refer to the book "The Art of Deception" by Kevin Mitnick.
Countermeasure
The key point to remember is "Never believe anyone", especially on calls asking you for personal details.

Slide 14: Dumpster Diving
Dumpster diving is a term that describes pawing through a target's garbage in search of valuable information. When we consider something unwanted or unlikely to be needed, we throw it in the trash; it is of little importance to us, but it is a treasure for an adversary who keeps an eye on us. For example, suppose a security administrator is changing the topology and network structure of an organization and prints a diagram of the network. The printout does not look good and has some distortions, so he prints a new copy and throws the first one in the trash. If an attacker trying to compromise the security of that organization gets hold of that piece of paper, it is valuable information for him to use against the organization's security mechanisms.

Countermeasure
Destroy all waste papers on which you scribbled usernames and passwords before they get into someone else's hands. Never write down your password or PIN anywhere; just memorize it.

Slide 15: Phishing
Phishing is the art of creating a bogus website that looks exactly like a trusted website, in order to steal your usernames and passwords. Here is an example of a phishing website that closely resembles Google Mail.

Slide 16:
If you look closely at the URL of the website, instead of www.google.com/accounts the URL is displayed as www.gogoogle.com/accounts/service? This is a phishing website, designed to look exactly like Gmail in order to steal your Gmail username and password. 'Typosquatting' is the technique hackers use to trick users into falling victim to phishing attacks.
Attackers register domain names that look somewhat similar to the legitimate website, for example www.citibank.com: if a user makes a mistake typing www.citibank.com and ends up at www.citbank.com, he will definitely fall prey to a phishing attack. "To err is human": as ordinary human beings we might, for example, type www.citbank.com instead of www.citibank.com, which will make the browser open the phishing website if an attacker has registered a site under that domain. Once you attempt to log in with your valid username and password, the credentials are stored in the attacker's database, and later the attacker can use your credentials to log in through a proxy and steal money.

Slide 17: Phishing Countermeasure
Legitimate businesses will not ask for sensitive information through e-mail. If you receive such a message, call their office, inform them about the e-mail you received and ask for details; if you find that the mail is a scam, report it as scam to the mail service provider, and eventually they will block it.
Never reply to an e-mail asking for personal information such as names, phone number, social security number, username, password and so on.
Before clicking a link, hover the mouse pointer over it and check whether the caption matches the link displayed.
Always look for the HTTPS sign and the SSL padlock icon in the browser to verify that the site provides encryption.
Always choose a mail service provider that offers good spam and scam filtering.
Some browsers come with an anti-phishing feature that scans for phishing sites, updates a database and never lets the user enter a suspicious or phishing website.

Slide 18: Eavesdropping
Eavesdropping is searching for credentials using the resources the attacker already has.
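An added example, not from the slides: a defender-side check for the typosquatted domains of slide 16 and the hover check of slide 17. The trusted-domain allow-list is a constructed sample, the two-label domain assumption fits only examples like the slides' (no public-suffix handling), and the brand-substring rule will also flag legitimately named third parties, so it is a triage signal rather than a verdict.

```python
from urllib.parse import urlsplit

# Constructed allow-list of the legitimate domains the slides use as examples.
TRUSTED_DOMAINS = {"google.com", "citibank.com"}


def levenshtein(a, b):
    """Edit distance; a one-letter slip like citbank/citibank scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(url):
    """Host with scheme, path and 'www.' stripped, reduced to its last two labels.

    Assumes two-label domains like the slides' examples; a real deployment would
    consult the public suffix list for names such as example.co.uk.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def classify_url(url, max_distance=2):
    """Return ('trusted'|'lookalike'|'unknown', matched_or_actual_domain).

    A domain is a lookalike when it is not on the allow-list but either embeds a
    trusted brand (gogoogle) or sits within max_distance edits of one (citbank).
    """
    domain = registrable_domain(url)
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    name = domain.rsplit(".", 1)[0]
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.rsplit(".", 1)[0]
        if brand in name or levenshtein(name, brand) <= max_distance:
            return "lookalike", trusted
    return "unknown", domain


def caption_mismatch(caption, href):
    """Slide 17's hover check: the visible link text names one domain while the
    real target is another.  Captions that are not URL-like ("Click here") give
    nothing to compare and return False."""
    if "." not in caption or " " in caption.strip():
        return False
    return registrable_domain(caption) != registrable_domain(href)


if __name__ == "__main__":
    for u in ("www.gogoogle.com/accounts/service?", "www.citbank.com",
              "https://www.google.com/accounts", "http://www.example.org/"):
        print(u, "->", classify_url(u))
    print(caption_mismatch("www.citibank.com", "http://www.citbank.com/login"))
```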
Suppose an employee in an organization is given a username and password for his own authentication and has limited access to the organization's resources. Using that limited access it is possible for him to browse through other networked boxes in the organization, and if the administrator is not much concerned about the network and its credentials, it becomes easier for the attacker to gain access to those credentials and launch an attack later. It is not recommended to store your passwords on your computer, PDA, any digital media or anywhere else. I have found many users doing it, saving their passwords in an e-mail or a notepad file, which catches the attacker's eye: he first compromises their e-mail, which then makes it much easier to compromise the rest of the resources. Some people simply use their own password as the password hint, which reveals the password on the very screen where we log in.

Slide 19: Key loggers
Key loggers are a kind of malicious software installed on the victim's computer to steal the usernames and passwords used on that computer or on the network. Key loggers capture all the keystrokes made on a computer, from booting into the OS until the user logs off or shuts down. There are also commercial key loggers that mail the captured keystrokes once the log reaches a specified file size.

Countermeasure
Most anti-virus software detects malicious key loggers. Use a virtual keyboard while logging into banking sites.

Slide 20: Brute forcing
Brute forcing is a technique carried out by a hacker to compromise user authentication. To launch a brute force attack, the attacker needs to install brute forcing software on his computer. Brutus is one of the best known brute forcing utilities and can be freely downloaded from the internet.
The brute forcing software tries all combinations of the keys found on the keyboard until it finds the right password. The time taken always depends on the password strength: if the victim uses a weak password it will be very easy to crack, and if it is very strong it will take weeks, months or even years, but eventually it will reveal the password.

Countermeasures
It is highly recommended to use a password policy that changes the password at least once a week.
It is necessary to lock the account if anyone attempts to log in with invalid credentials more than three times.
If you are using a web-based authentication system, it is highly recommended to use CAPTCHAs, which cannot be read by bots.

Slide 21: Dictionary attack
A dictionary attack is another kind of attack that aims at cracking the password of a user account. To launch a dictionary attack, the attacker should know the username of the account to be cracked and should have a dictionary file. The dictionary file is a text file consisting of commonly used passwords, including weak, fair and strong ones.

Slide 22:
The dictionary attack tool tries every string in the dictionary file as the password for the specified user account, and if any string results in a successful login it displays that string as the password. It displays the password only if the password is in the dictionary file; otherwise there is no guarantee of finding the right password. Some dictionary attack tools launch the attack using two dictionaries, one of usernames and one of passwords, which makes the task easier because there is no need to know the usernames either.
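An added example, not from the slides, of the account-lockout countermeasure from slide 20 (lock once invalid attempts exceed three) replayed over a constructed authentication log, which is also the record in which the brute force and dictionary attacks of slides 20 to 22 show up as runs of failures from one source. The log format, usernames and addresses are assumptions for this example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

MAX_FAILURES = 3  # slide 20: lock the account once invalid attempts exceed three

# Constructed sample authentication log (not from the slides); the line format
# "<timestamp> <user> <source-ip> <result>" is an assumption for this example.
SAMPLE_LOG = """\
2009-11-05T09:00:01 alice 10.0.0.5 FAIL
2009-11-05T09:00:03 alice 10.0.0.5 FAIL
2009-11-05T09:00:05 alice 10.0.0.5 FAIL
2009-11-05T09:00:07 alice 10.0.0.5 FAIL
2009-11-05T09:00:09 alice 10.0.0.5 SUCCESS
2009-11-05T09:01:00 bob 10.0.0.9 FAIL
2009-11-05T09:01:30 bob 10.0.0.9 SUCCESS
2009-11-05T09:02:00 bob 10.0.0.9 FAIL
"""


@dataclass
class AccountState:
    failures: int = 0      # consecutive invalid attempts since the last good login
    locked: bool = False


def parse_log(log_text):
    """Yield (timestamp, user, source_ip, result) for each non-empty line."""
    for line in log_text.splitlines():
        if line.strip():
            ts, user, src, result = line.split()
            yield ts, user, src, result


def apply_lockout_policy(log_text, max_failures=MAX_FAILURES):
    """Replay the log under the slide 20 policy.

    Returns (states, rejected): the per-account state after the replay, and the
    attempts the policy would have refused, either the failure that triggered
    the lock or any later attempt (even with the right password) while locked.
    """
    states = defaultdict(AccountState)
    rejected = []
    for ts, user, src, result in parse_log(log_text):
        st = states[user]
        if st.locked:
            rejected.append((ts, user, "account locked"))
            continue
        if result == "SUCCESS":
            st.failures = 0            # a genuine login clears the counter
        else:
            st.failures += 1
            if st.failures > max_failures:   # the fourth failure locks
                st.locked = True
                rejected.append((ts, user, "lock triggered"))
    return dict(states), rejected


def failures_by_source(log_text):
    """Failed attempts per source address: many failures from one address is the
    signature of the brute force and dictionary attacks on slides 20 to 22."""
    return dict(Counter(src for _, _, src, result in parse_log(log_text)
                        if result == "FAIL"))


if __name__ == "__main__":
    states, rejected = apply_lockout_policy(SAMPLE_LOG)
    for user, st in states.items():
        print(user, st)
    print(rejected)
    print(failures_by_source(SAMPLE_LOG))
```

A lock that never expires lets anyone who knows a username deny that user service, so deployments normally lock for a limited time and raise an alert instead of locking permanently.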
Most attackers choose the dictionary attack first because it takes much less time than brute forcing; if it fails, they fall back to brute force. Attackers often use a dictionary file with a large number of strings, thereby guaranteeing a password match. A dictionary file of 10 to 25 MB on average is good enough.

Dictionary attack Countermeasures
The countermeasure for dictionary-based attacks is simple: "Never use a dictionary word". Use the pass phrasing technique to set a strong password that is hard to guess.

Slide 23: Password cracking tools
There are a great many freely downloadable password cracking tools available on the internet. Passwords protect not only operating systems but also various applications such as PDF documents, Word documents, compressed folders, internet accounts, zipped files and so on.

Countermeasures
All the application password cracking tools mentioned above use one of two methods, dictionary or brute force, so the countermeasures for this kind of attack are similar to those for dictionary and brute force attacks, with some exclusions such as CAPTCHA.

Slide 24: Sniffing
Passwords are also vulnerable to sniffing. If you use a password over a remote protocol such as FTP, Telnet or rlogin, it is vulnerable to sniffing. It does not matter what medium it is transferred over, wired or wireless: it is still vulnerable to sniffing if the packet is not encrypted. Anyone can sniff packets using a packet sniffer on a network where the victim's datagrams travel. Sniffing is capturing the packets passing through the network, so it is always recommended to encrypt data before sending it, using whatever encryption services are available. A mushrooming number of sniffing tools can be freely downloaded from the internet.
Ethereal is one of the well known sniffers used by attackers.

Slide 25:
(Diagram: plain text is encrypted with a shared key into cipher text, and decrypted with the same shared key back into plain text.)
In the above example, "PASSWORD" is the data that needs to be encrypted, i.e. the plain text. The plain text is converted into "cipher text" by encrypting it with a key. Cipher text is the encrypted data, which is usually in an unreadable or unrecognizable form. At the receiving end, the receiver uses the same key to decrypt the data and recover the plain text.

Slide 26:
Crypto experts realized that symmetric encryption can also be cracked using a supercomputer with some effort, hence asymmetric cryptography came into play. Unlike symmetric encryption, asymmetric encryption requires two different keys, namely the 'private key' and the 'public key'.

Slide 27:
In symmetric encryption both encryption and decryption are done with the same key, hence key management is a big issue in symmetric encryption. For web services, it is recommended to use SSL 128-bit encryption, which is a standard encryption. Database administrators are advised to encrypt sensitive data even when it is stored in the database. Even if you encrypt sensitive data, it does not take an attacker much time to decrypt it and recover the clear text if you use a weak algorithm or a weak key. It is very important to choose a strong encryption algorithm and a strong key; if either is not strong, the secret will be revealed. "Secrets will not be secret forever": this is the phrase to remember in security, in application development and in crypto. Some application developers set a default username and password with root access while developing an application; it will not remain a secret forever, because hackers have plenty of time to crack the password, and this applies to crypto too.
Slide 28:
That was all about passwords and their threats. Use all the techniques and countermeasures discussed above to prevent password compromise and unauthorized access to your account. Unless you use a strong algorithm and a strong key to encrypt the data, the cipher text will be revealed one day.

Slide 29:
www.virtuologix.in
©2009, VIRTUOLOGIX
Password Threats technocrawl Download Post to : URL : Related Presentations : Share Add to Flag Embed Email Send to Blogs and Networks Add to Channel Uploaded from authorPOINT lite Insert YouTube videos in PowerPont slides with aS Desktop Copy embed code: (To copy code, click on the text box) Embed: URL: Thumbnail: WordPress Embed Customize Embed The presentation is successfully added In Your Favorites. Views: 235 Category: Education License: Some Rights Reserved Like it (1) Dislike it (0) Added: November 05, 2009 This Presentation is Public Favorites: 0 Presentation Description No description available. Comments Posting comment... By: viveksthul0012 (20 month(s) ago) Veryyyyyyyy Good I like this ppt Saving..... Post Reply Close Saving..... Edit Comment Close By: viveksthul0012 (20 month(s) ago) Veryyyyyyyy Good I like this ppt Saving..... Post Reply Close Saving..... Edit Comment Close Premium member Presentation Transcript Slide 1: PASSWORD THREATS PREMKUMAR.S Slide 2: Passwords Passwords are the primary authentication mechanism for a user to protect their valuable resource from un-authorized access hence, it’s really important to choose a strong password. Based on the characters that users choose for their passwords, the Passwords are classified into 3 types, Strong Password Fair Password and Weak Password. PASSWORD THREATS Slide 3: Strong Password It basically depends upon the strength of the password. A password is said to be a strong password, only if it undergoes the following constraints, A Strong Password should have more than 6 characters and the average is 8. A Strong Password should contain alphabets, numbers and special characters. A Strong Password shouldn’t be a default password. A Strong Password shouldn’t be your name, dad’s name, mom’s name, pets name, your Boy/Girl friend name, your phone number, your DOB, vehicle number, nick name and shouldn’t be same as your username. A Strong Password shouldn’t be a dictionary word. 
Never use the same password for other accounts. Never store or write down your password anywhere. Never share your passwords with any one. Change your password at least once in a week. PASSWORD THREATS Slide 4: PASSWORD THREATS You should use a password which comprises at least 6 characters, and should have alphabets, numbers and special characters and the vital thing is don’t use default passwords or any dictionary words as your password. Here were few of the default password list that are widely used, Slide 5: PASSWORD THREATS Here is a simple example for how to choose a strong password, If you see the passwords given above, each password contains more than 6 characters, contains alphabets, numbers and special characters, not a dictionary word, also is easy to remember but makes the attacker bit hard to get your password if your password undergo all the constraints stated above. Even strong passwords are vulnerable to some kind of attacks performed by a hacker but that too depends upon the technique that the hackers use to compromise the password authentication, and we will see the passwords threats later. If you want to construct your password stronger, then you can use the ‘pass phrasing’ technique to make your password bit complex. Slide 6: PASSWORD THREATS Pass phrasing Pass phrasing is nothing but a technique where you can use a first letter of phrase as your password. Example :Here is the phrase that I want to use for my yahoo email password, “My Password for yahoo E-Mail account” Slide 7: PASSWORD THREATS For creating a complex pass phrased password, you can include some number and Special characters. In the above example instead of for, I used the number 4 ( for - 4 ), and instead of E, I used 3 ( E – 3 ) , which looks similar and also is easy to remember and for A, I used @ (A - @). These are the ways that you can use to construct a strong password. 
Slide 8: PASSWORD THREATS Fair Password Fair passwords are the passwords which is easy to compromise and this too is classified depends upon the strength. A Fair password would mostly be dictionary words, which are easy to guess. A Fair password will match the default password list at some cases. A Fair password shouldn’t be more than 8 characters at most conditions. A Fair password sometimes will be your name, dad’s name, mom’s name, pet’s name, your Boy/Girl friend name, your phone number, your DOB, vehicle number, nick name and same as your username. The fair passwords are somehow vulnerable to password guessing attacks, since they mostly use dictionary words. Few examples of Fair Passwords include, Slide 9: PASSWORD THREATS Weak Password Weak Passwords are much easy to compromise which often matches with the default password list. A weak password will often match with the default password list. Mostly will be a dictionary word. Sometimes will be the same as the username. Few examples of Weak Passwords include, Slide 10: PASSWORD THREATS Password Threats Since passwords are the primary authentication mechanism, there were lot of techniques used to compromise the passwords, and the various password threats are given below, Shoulder surfing Password Guessing attack Social engineering Phone Phreaking Phishing Eavesdropping Dumpsters diving Key logging Brute forcing Password cracking tools. Slide 11: PASSWORD THREATS Shoulder surfing Shoulder surfing is a art of stealing password by sneaking into the keyboard of a user when he is typing his password. To avoid these sorts of simple attacks, check whether some one is watching your keyboard while you are trying to type your password, and at last try to type your password bit faster, whatever the password you use, always the recommended one the strong password. 
Countermeasure The countermeasures for this kind of attack is simple, just look around whether Someone is watching your keystrokes, especially when you are typing in your username and passwords. Learn typing your password at a fast rate. Slide 12: PASSWORD THREATS Password guessing Password guessing is an attack where the attacker attempts supplying your password by guessing it. Most probably the attacker tries the password as victims name, victims dad’s name, victims mom’s name, victims pets name, victims Boy/Girl friend name, victims phone number, victims Boy/Girl friends Phone number, victims DOB, victims vehicle registration number, victims nick name, victims username and also some passwords which matches the default password list. If the attacker is successful in guessing the password by trying all the above given list, then there is no need for him to go further to compromise the password authentication. This is good enough for him to misuse or launch an attack from there. If the victim uses any of the passwords which match the above case then, he will fall as prey for this simple password guessing attack. Countermeasure Choose your passwords that are hard to guess. Never use a dictionary word as a password. Pass phrasing will help you choose the best and strong password. Slide 13: PASSWORD THREATS Social Engineering Social Engineering technique is an art of deception which involves getting close to the Victim and getting their password. It is an art of making them, believe in you and making a trap for them to fall as a victim for this attack. Social Engineering also involves Phone phreaking, gaining illegal access to someone’s phone or spoofing the caller ID or number to make the victim fall as a prey for social engineers. Kevin Mitnick is well known for social engineering, and for more details on social Engineering and phone phreaking, refer to the book “The Art of Deception by Kevin Mitnick”. 
Countermeasure The key point to be noticed is “Never believe in anyone” especially on calls asking you for personal details. Slide 14: PASSWORD THREATS Dumpster Diving Dumpster diving is a term that describes pawing through a target's garbage in search of valuable information. It’s usual for us that, if we consider something unwanted or unlikely we used to through it in trash, it’s not much important to us but it’s a treasure for our enemy who always keeps an eye on us. For example if a security admin, tries to change the topology and the networking structure of an organization, and he got a print out of that diagrammatic representation of the network and hopefully the printout is not looking good and has some distortions on it, hence he tries to get a new copy of it and throws the first copy in the trash, so what happens here is, if an attacker who tries to compromise the security of that organization gets that piece of paper, its really a valuable information for him to play with the security mechanism in that organizations. Countermeasure Destroy and decompose all those waste papers where you scribbled your usernames and passwords, before getting into some ones hand. Never write down your password or PIN anywhere, just memorize it. Slide 15: PASSWORD THREATS Phishing Phishing is an art of creating a bogus website which exactly looks like a trusted website, in order to steal your usernames and passwords. Here is an example of a phishing website which exactly resembles like Google mail. Slide 16: PASSWORD THREATS If you clearly notice the URL of the website, instead of www.google.com/accounts, the URL is displayed as www.gogoogle.com/accounts/service? This in turn is a phishing website, which is designed exactly like Gmail to steal your Gmail username and password. ‘Typosquatting’ is the technique used by hackers to trick user to fall as victims for phishing attack. 
The attackers will register domain names that look somewhat similar to the legitimate website, for example www.citibank.com, and if a user makes some mistakes in typing www.citibank.com and got into www.citbank.com then he will definitely fall as prey for phishing attack. “To err is human” as per this, as we normal human beings, sometimes for example, instead of www.citibank.com, we might type www.citbank.com, which again will make the browser to open the phishing website if any site is registered by an attacker under that domain. Once you attempt to login using your valid username and password, these credentials will be stored in the attackers DB and later the attacker can use you credentials to login with a proxy and steal money. Slide 17: PASSWORD THREATS Phishing Countermeasure Legitimate businesses will not ask for sensitive information through e-mail, if you got one, then make a call to their office and inform them about the email that you received and ask for details and if you found that the mail is a Scam, then report the mail as scam to the Mail service provider, at last they will block it. Never reply to an email asking for your personal information such as names, phone number, social security number, username and password and so on. Before Clicking on the link, just hover the mouse pointer over the link they provided and check whether the caption you got is similar to the link displayed. Always look for the HTTPS sign and the SSL pad lock icon on the browser to verify whether the site provides encryption facility. Always choose the mail service provider who offers the best spam and scam filtering mechanisms. Few browsers comes with anti-phishing feature that scans for a phishing site and updates it in database and never let the user to enter into the suspicious or phishing website. Slide 18: PASSWORD THREATS Eavesdropping Eavesdropping is nothing but searching for the credentials by using the resource the attacker has. 
If an employee in an organization is given a set of username and password for his own authentication, and he do have some limited access to that organization resources. So using that limited access it is possible for him to browse through some other networked boxes in his organization, and by luck if the administrator is not much concerned about the network and its credentials, then it makes the attacker bit easier to gain access to those credentials and will launch an attack later. It is not recommended to store your passwords on your computer or PDS or any digital media’s or any where else. Even I found lot of users doing it, by saving their passwords in a E-mail or a notepad file, so it really catches the attackers eye, to first compromise their email, which then will make him much easier to compromise the rest of the resources. There are few people who simply use their own password as the password hint, which reveals the password on the same screen, where we login. Slide 19: PASSWORD THREATS Key loggers Key loggers are some sort of malicious software’s which is installed on the victim’s computer to steal the usernames and passwords in that computer or in a network. Key loggers actually captures all the key strokes made on a computer since from the booting into the OS until the user logs off or shutdowns his computer. There are also some commercial key loggers which will mail you the key strokes once it reaches the specified file size. Countermeasure Most of the anti-virus software’s detect malicious key loggers. Use Virtual Keyboard while logging into banking sites. Slide 20: PASSWORD THREATS Brute forcing Brute forcing is a technique carried out by a hacker to compromise the user authentication. In order to launch a brute force attack, the attacker need to install some brute forcing software’s on his computer. Brutus is one of the best brute forcing utility which can be freely downloaded from the internet. 
The brute-forcing software tries every combination of characters from a chosen alphabet, shortest first, until it finds the right password. The time taken depends on the password's length and character set. A weak password is cracked very quickly; a strong one can take weeks, months or even years, but given unlimited time and attempts the search will eventually succeed, so the aim is to make the time impractical and the attempts impossible.
Countermeasures
Enforce a password policy; these slides recommend changing the password at least once a week, though rotation on its own does not slow a running attack the way lockout and rate limiting do. Lock the account if anyone attempts to log in with invalid credentials more than three times; note that a permanent lockout also lets an attacker lock legitimate users out on purpose, so a temporary lockout or rate limiting is usually preferred. For a web-based authentication system, use CAPTCHAs, which are hard for bots to solve.

Slide 21: Dictionary attack
A dictionary attack is another way of cracking the password of a user account. To launch it the attacker needs the username of the account and a dictionary file. The dictionary file is a text file of commonly used passwords, covering weak, fair and strong ones.

Slide 22:
The dictionary attack tool tries every string in the dictionary file as the password for the specified account, and if one of them logs in successfully it reports that string as the password. It can only find the password if the password is in the file; otherwise there is no guarantee. Some dictionary attack tools take two dictionaries, one of usernames and one of passwords, which makes the task easier because the attacker does not need to know the usernames either.
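Both attacks described above, brute force through an online login front-end (with the three-failure lockout countermeasure) and an offline dictionary attack with a username list and a wordlist, as one added example in Python; this is not code from the slides or from Brutus. The salted SHA-256 credential store, the guess rate of a billion per second, the wordlist and the sample accounts are constructed for illustration (a real system would use a slow hash such as bcrypt or Argon2).

```python
import hashlib
import hmac
import itertools
import os


def keyspace(alphabet_size, max_length):
    """Number of candidate passwords of length 1..max_length over the alphabet."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def time_to_exhaust(alphabet_size, max_length, guesses_per_second):
    """Worst-case seconds to try every candidate at the given guess rate."""
    return keyspace(alphabet_size, max_length) / guesses_per_second


# Constructed credential store: salted SHA-256 standing in for a real verifier.
def make_record(password):
    salt = os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode()).digest()


def verify(record, guess):
    salt, digest = record
    return hmac.compare_digest(hashlib.sha256(salt + guess.encode()).digest(), digest)


class LockoutAuth:
    """Online login front-end; locks an account after max_failures wrong guesses
    (max_failures=None disables lockout)."""

    def __init__(self, records, max_failures=3):
        self.records = records
        self.max_failures = max_failures
        self.failures = {}
        self.locked = set()

    def login(self, user, guess):
        if user in self.locked:
            return "locked"
        if user in self.records and verify(self.records[user], guess):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.max_failures is not None and self.failures[user] >= self.max_failures:
            self.locked.add(user)
            return "locked"
        return "denied"


def brute_force_online(auth, user, alphabet, max_length):
    """Every combination over the alphabet, shortest first, through the login
    front-end. Returns (password or None, attempts made)."""
    attempts = 0
    for n in range(1, max_length + 1):
        for combo in itertools.product(alphabet, repeat=n):
            guess = "".join(combo)
            attempts += 1
            result = auth.login(user, guess)
            if result == "ok":
                return guess, attempts
            if result == "locked":
                return None, attempts
    return None, attempts


def dictionary_attack(records, usernames, wordlist):
    """Offline: every wordlist entry against each named account's stored hash."""
    found = {}
    for user in usernames:
        if user not in records:
            continue
        for word in wordlist:
            if verify(records[user], word):
                found[user] = word
                break
    return found


if __name__ == "__main__":
    # 95 printable ASCII characters, up to 8 long, at a billion guesses a second
    # (the rate is an assumption): roughly 78 days even for this toy hash.
    print("95^1..8 keyspace exhausted in %.0f days" % (time_to_exhaust(95, 8, 1e9) / 86400))

    records = {"alice": make_record("welcome1"),   # a dictionary word
               "bob": make_record("MP4y3M@")}      # pass-phrased, as on slides 6-7
    wordlist = ["123456", "password", "welcome1", "letmein", "qwerty"]  # constructed
    print("dictionary attack found:", dictionary_attack(records, ["alice", "bob"], wordlist))

    auth = LockoutAuth(records)                    # lock after 3 failures
    print("brute force with lockout:", brute_force_online(auth, "alice", "ab", 4))
    print("the real owner now gets:", auth.login("alice", "welcome1"))
```

The last line shows the lockout caveat from the countermeasures: after the attacker's three guesses the legitimate user is locked out too, which is why temporary lockouts or rate limiting are preferred in practice. The dictionary attack finds "welcome1" immediately and never finds the pass-phrased password, because it is not in the file.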
Attackers usually try a dictionary attack first, because it takes far less time than brute forcing, and fall back to brute force if it fails. They use dictionary files with as many strings as possible to raise the chance of a match; a file of 10 to 25 MB is generally good enough.
Dictionary attack countermeasures
The countermeasure for a dictionary attack is simple: never use a dictionary word. Use the pass phrasing technique to set a strong password that is hard to guess.

Slide 23: Password cracking tools
There are a great many freely downloadable password cracking tools on the internet. Passwords protect not only OS logins but also applications and files such as PDF documents, Word documents, compressed folders, zip archives and web accounts, and there are cracking tools for each of them.
Countermeasures
All of these application password crackers use one of the two methods above, dictionary or brute force, so the countermeasures are the same as for dictionary and brute force attacks, with one exclusion: CAPTCHAs and account lockout do not help against offline cracking of a file, because the attacker already holds the protected data and guesses locally. There, only the strength of the password matters.

Slide 24: Sniffing
Passwords are also vulnerable to sniffing. If you send a password to a remote system over a protocol such as FTP, Telnet or Rlogin, it travels in clear text and can be sniffed. The medium, wired or wireless, makes no difference: if the packet is not encrypted it is vulnerable. Anyone running a packet sniffer on a network segment that the victim's datagrams cross can capture them. Sniffing is simply capturing the packets that pass through a network, hence it is always recommended to encrypt data before sending it, using whatever encryption service is available. Sniffing tools have mushroomed and can be freely downloaded from the internet.
Ethereal (now Wireshark) is one of the best-known sniffers used by attackers.

Slide 25: Symmetric encryption
[Diagram: plain text "PASSWORD" encrypted with a shared key into cipher text, then decrypted with the same shared key back to plain text]
In the example above, "PASSWORD" is the data to be encrypted, the plain text. It is converted into cipher text by encrypting it with a key. Cipher text is the encrypted data, normally in an unreadable and unrecognisable form. At the receiving end, the receiver uses the same key to decrypt the cipher text and recover the plain text.

Slide 26:
Symmetric encryption has one inherent problem: the same secret key must first be delivered to both parties over a channel the attacker cannot read. Asymmetric cryptography came into play to solve this. Unlike symmetric encryption, it uses two different keys, a private key and a public key. (A strong symmetric cipher with a strong key cannot be cracked by a supercomputer in any practical time; it is weak keys and weak algorithms, not symmetric encryption as such, that fall to brute force.)

Slide 27:
In symmetric encryption both encryption and decryption use the same key, hence key management is the big issue. For web services, use SSL (today, TLS) with 128-bit encryption, the standard strength. Database administrators should encrypt sensitive data even while it sits in the database. Encrypting sensitive data does not help for long if you use a weak algorithm or a weak key: an attacker will not need much time to decrypt it and recover the clear text. Choose a strong encryption algorithm and a strong key; if either one is weak, the secret will be revealed. "Secrets will not be secret for ever" is the phrase to remember for security in application development and in crypto. Some application developers ship a default username and password with root access; that will not stay secret for ever either, because attackers have plenty of time to crack it, and the same applies to crypto keys.
Slide 28:
That covers passwords and the threats to them. Use all of the techniques and countermeasures discussed above to prevent password compromise and unauthorised access to your accounts. Unless you use a strong algorithm and a strong key to encrypt data, the cipher text will be broken one day.

Slide 29: www.virtuologix.in ©2009, VIRTUOLOGIX