In: Computer Science
Case study adapted from: [Brooks hear. ICT Services Management (Custom Edition EBook), Pearson Education Australia, 2015. ProQuest Ebook Central, http://ebookcentral.proquest.com]

Reusable Passwords

The most common authentication credential is the reusable password, which is a string of characters that a user types to gain access to the resources associated with a certain username (account) on a computer. These are called reusable passwords because the user types the password each time he or she needs access to the resource. Unfortunately, the reusable password is the weakest form of authentication, and it is appropriate only for the least sensitive assets.

Ease of Use and Low Cost: The popularity of password authentication is hardly surprising. For users, passwords are familiar and relatively easy to use. For corporate IT departments, passwords add no cost because operating systems and many applications have built-in password authentication.

Dictionary Attacks

The main problem with passwords is that most users pick very weak passwords. To break into a host by guessing and trying passwords, hackers often use password dictionaries. These are lists of passwords likely to succeed. Running through a password dictionary to see if a password is accepted for a username is called a dictionary attack. Password dictionaries typically have three types of entries: a list of common passwords, the words in standard dictionaries, and hybrid versions of words such as capitalizing the first letter and adding a digit at the end. If a password is in one of these dictionaries, the attacker may have to try a few thousand passwords, but this will only take seconds. No password that is in a cracker dictionary is adequately strong, no matter how long it is. Fortunately, good passwords cannot be broken by dictionary attacks. Good passwords have two characteristics. First, they are complex. It is essential to have a mix of upper and lower case letters that does not have a regular pattern such as alternating uppercase and lowercase letters. It is also good— and some would say necessary— to include non-letter keyboard characters such as the digits (0 through 9) and other special characters (&, #, /, ?, etc.). If a password is complex, it can only be cracked by a brute-force attack, in which the cracker first tries all combinations of one-character passwords, all combinations of two-character passwords, and so forth, until the attacker finds one that works. Complexity is not enough, however. Complex passwords must also be long. For short complex passwords, brute-force attacks will still succeed. Beyond about 10 or 12 characters, however, there are too many combinations to try in a reasonable period of time. Overall, while long complex passwords can defeat determined attacks, most users select passwords that can be cracked with dictionary attacks. Reusable passwords are no longer appropriate in an era when password cracking programs can reveal most passwords in seconds or minutes. Passwords are only useful for non-sensitive assets.
Answer the following questions:
1. Discuss and explain the types of passwords that are susceptible to dictionary attacks. [5 marks]
2. Can a password that can be broken by a dictionary attack be adequately strong if it is very long? Justify your answer. [5 marks]
3. Explain the types of passwords that can be broken only by brute-force attacks. [5 marks]
4. What are the characteristics of passwords that are safe from even brute-force attacks? [5 marks]
5. Discuss why it is undesirable to use reusable passwords for anything but the least sensitive assets.
1. Discuss and explain the types of passwords that are susceptible to dictionary attacks.
Password:
A password or passcode is a secret string of characters which is used to confirm the identity of a user.
It generally includes letters, digits and other symbols. It does not need to be an actual word and can be a non-word that is hard to guess, which is a desirable property of passwords.
Dictionary attacks:
This is a brute-force technique where a hacker tries thousands of possibilities, such as words in a dictionary or previously used passwords, which can be obtained from lists of past security breaches.
The main problem with passwords is that most users pick very weak passwords. To break into a host by guessing and trying passwords, hackers often use password dictionaries. These are lists of passwords likely to succeed. Running through a password dictionary to see if a password is accepted for a username is called a dictionary attack. Password dictionaries typically have three types of entries:
- a list of common passwords,
- the words in standard dictionaries, and
- hybrid versions of words such as capitalizing the first letter and adding a digit at the end.
If a password is in one of these dictionaries, the attacker may have to try a few thousand passwords, but this will only take seconds.
2. Can a password that can be broken by a dictionary attack be adequately strong if it is very long? Justify your answer.
No password that is in a cracker dictionary is adequately strong, no matter how long it is. Fortunately, good passwords cannot be broken by dictionary attacks.
Good passwords have two characteristics. First, they are complex. It is essential to have a mix of upper and lower case letters that does not have a regular pattern such as alternating uppercase letters lowercase letters. It is also good— and some would say necessary— to include non-letter keyboard characters such as the digits (0 through 9) and other special characters (&, #./,?, etc.).
For example: if a password is in the form Malini123@, with Malini being your name or surname or something else in your user profile, then it can be easily cracked by the hacker. The password may be long and contain all the needed characteristics, yet the hacker still cracks it.
Take another example, UnDeRsTaNd1981#. This one is more complex to crack, as the password contains both lower case and upper case letters and numbers that are not in a sequence.
@ is the most commonly used special symbol, either at the start or the end of passwords.
So, being complex doesn't make the password safe from dictionary attacks.
3. Explain the types of passwords that can be broken only by brute-force attacks.
Brute-force attack
A brute-force attack is a technique where an attacker submits many passwords or passphrases in the hope of eventually guessing the correct one. The attacker systematically checks all the possibilities until he guesses the correct one.
The passwords that are complex can only be cracked by using brute-force attacks.
The cracker first tries all combinations of one-character passwords, all combinations of two-character passwords, and so forth, until the attacker finds one that works. Complexity is not enough, however. Complex passwords must also be long.
For short complex passwords, brute-force attacks will still succeed. Beyond about 10 or 12 characters, however, there are too many combinations to try in a reasonable period of time.
4. What are the characteristics of passwords that are safe from even brute-force attacks?
Strong passwords
If you’re a network administrator, you can help prevent successful brute force attacks by requiring that users input strong passwords. For example, you could require a certain length and that the password contains specific features, such as a mix of upper and lower case letters along with numbers and special characters.
From a user perspective, a strong password is imperative. Using a common password or a simple word from a dictionary will make it far easier for a brute force attack tool to land on the right one. Coming up with a solid password can be difficult, but here are a few tips:
Of course, coming up with and remembering strong passwords can be difficult, but there are tools to help you. These include password generators, password strength testing tools, and password management applications.
5. Discuss why it is undesirable to use reusable passwords for anything but the least sensitive assets.
Reusable passwords are no longer appropriate in an era when password cracking programs can reveal most passwords in seconds or minutes. Passwords are only useful for non-sensitive assets.
Reusable Passwords:
If a user uses the same password for all their accounts, including email, social networks, bank accounts, office logins, etc., then such passwords are called reusable passwords.
It may be easy for the user to remember the password, but the attacker can easily crack the passcode.
Using one password for everything is convenient, but it’s also dangerously insecure. We examine the case of Mark, a young designer.
Mark is a regular guy. He has e-mail, Facebook, Instagram, Amazon, eBay, Steam, and Battle.net accounts, not to mention ones for another dozen online stores and a forum dedicated to his favorite video game. The accounts are all linked to his e-mail.
One day, the customer database of one of the online stores Mark has an account at suffers a leak (apparently it was kept unencrypted on an open-access server). No credit card information is stolen, but e-mail addresses, names, and passwords are. At first glance, there seems no particular reason to worry. Such leaks happen, and this is just a small online store — can you blame a humble shopkeeper for not being a cybersecurity expert?
But the cybercriminals who ransacked the database decide to try their luck — maybe someone on the list uses the same password for their e-mail account? They strike gold: Mark uses the same password everywhere, handing the cybercriminals access to his e-mail on a platter. There, they find not only photos that Mark sent to Lucy, but messages from Amazon, eBay, and other companies. Surely Mark doesn’t use the same password for these accounts too? They try logging in to his Amazon account, and presto: same password again.
Finding a credit card already linked to the Amazon account, the cybercriminals quickly snag a couple of iPhone Xs. Next up is Facebook, where the attackers ask Mark’s friends for money: “Guys, I really need to borrow some cash. I get paid tomorrow, so I’ll pay you right back, promise.” Some of the people who get the message really are Mark’s friends, and send money — to the cybercriminals’ account, of course.
But they haven’t finished yet. The intruders now change the passwords for every account they can access, which in Mark’s case means all of them.
One of the Facebook friends smells a rat and decides to phone Mark to check if it’s really him asking for a loan. Horrified, Mark rushes to his computer to change his Facebook password. But it’s already been changed by the cybercriminals, and Mark is locked out. He tries to recover the password and asks Facebook to send him a password reset link by e-mail — but he can’t access that either, for the same reason.
Mark realizes that he’s been well and truly hacked. He calls his bank, freezes credit cards, tries desperately to change the passwords for the few services that haven’t been snatched yet, and phones his friends to explain that it’s not him asking for money. He apologizes to those who have already transferred funds to the scammers, and vows to pay it all back.
And finally, Mark solemnly swears that he shall never use the same password for different services ever again for as long as he lives, and he’ll enable two-factor authentication wherever possible. (This case study is taken from the Kaspersky blog.)
So, it may be fine to use the same password for less sensitive assets, for example some social networking sites or logins to blogs, etc., but the office login, shopping, email and bank accounts must always be different from one another.
As reusable passwords are prone to dictionary attacks and brute-force attacks, they are considered to be appropriate only for the least sensitive assets.
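As an added illustration (not part of the case study or of the answer above), the following Python models the two checks the case study distinguishes: whether a candidate password reduces to a cracker-dictionary entry once the hybrid mangling it describes (capitalised letters, trailing digits, trailing symbols) is undone, and otherwise how many guesses an exhaustive brute-force search over its character set would need. The word lists, the sample passwords and the 10^10 guesses-per-second rate are constructed assumptions for the demonstration.

```python
import string

# Constructed toy lists; a real cracker dictionary holds millions of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}
DICTIONARY_WORDS = {"understand", "summer", "dragon", "monkey", "malini"}
CRACKER_DICTIONARY = COMMON_PASSWORDS | DICTIONARY_WORDS
GUESSES_PER_SECOND = 10 ** 10   # assumed offline cracking rate
ONE_YEAR = 365 * 24 * 3600

def hybrid_base(password: str) -> str:
    """Undo the hybrid mangling the case study describes (capitalised letters,
    trailing digits, trailing special characters) and return the base word."""
    base = password.rstrip(string.punctuation).rstrip(string.digits)
    return base.rstrip(string.punctuation).lower()

def in_cracker_dictionary(password: str) -> bool:
    """True if the password, or its de-mangled base word, is a dictionary entry."""
    return (password.lower() in CRACKER_DICTIONARY
            or hybrid_base(password) in CRACKER_DICTIONARY)

def charset_size(password: str) -> int:
    """Size of the union of standard character classes the password draws from."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation, len(string.punctuation))]
    return sum(n for chars, n in classes if any(c in chars for c in password))

def brute_force_guesses(password: str) -> int:
    """Guesses to try every string of length 1..L over the password's charset:
    the exhaustive search the case study describes."""
    n = charset_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))

def classify(password: str) -> str:
    """'dictionary': falls to a dictionary attack in seconds.
    'brute-force': not in the dictionary, but exhaustible within a year.
    'strong': complex and long enough that exhaustive search is impractical."""
    if in_cracker_dictionary(password):
        return "dictionary"
    if brute_force_guesses(password) / GUESSES_PER_SECOND < ONE_YEAR:
        return "brute-force"
    return "strong"

if __name__ == "__main__":
    for pw in ("Malini123@", "UnDeRsTaNd1981#", "aB3$", "Tr0ub4dor&3"):
        print(f"{pw:18} {classify(pw):12} {brute_force_guesses(pw):.3e}")
```

Note that UnDeRsTaNd1981# still classifies as a dictionary password: once case is normalised and the suffix stripped it is the word "understand", which is exactly the hybrid-rule case the study warns about. The length threshold the study gives (about 10 to 12 characters) only helps once the base is not a dictionary word, as the short complex aB3$ versus the 11-character Tr0ub4dor&3 shows.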