Reusable Passwords

The most common authentication credential is the reusable password, which is a string of characters that a user types to gain access to the resources associated with a certain username (account) on a computer. These are called reusable passwords because the user types the same password each time he or she needs access to the resource. Unfortunately, the reusable password is the weakest form of authentication, and it is appropriate only for the least sensitive assets.

Ease of Use and Low Cost

The popularity of password authentication is hardly surprising. For users, passwords are familiar and relatively easy to use. For corporate IT departments, passwords add no cost because operating systems and many applications have built-in password authentication.

Dictionary Attacks

The main problem with passwords is that most users pick very weak passwords. To break into a host by guessing and trying passwords, hackers often use password dictionaries. These are lists of passwords likely to succeed. Running through a password dictionary to see if a password is accepted for a username is called a dictionary attack. Password dictionaries typically have three types of entries: a list of common passwords, the words in standard dictionaries, and hybrid versions of words, such as capitalizing the first letter and adding a digit at the end. If a password is in one of these dictionaries, the attacker may have to try a few thousand passwords, but this will only take seconds. No password that is in a cracker dictionary is adequately strong, no matter how long it is.

Fortunately, good passwords cannot be broken by dictionary attacks. Good passwords have two characteristics. First, they are complex. It is essential to have a mix of upper- and lowercase letters that does not follow a regular pattern such as alternating uppercase and lowercase letters. It is also good—and some would say necessary—to include non-letter keyboard characters such as the digits (0 through 9) and other special characters (&, #, /, ?, etc.). If a password is complex, it can only be cracked by a brute-force attack, in which the cracker first tries all combinations of one-character passwords, then all combinations of two-character passwords, and so forth, until the attacker finds one that works.

Complexity is not enough, however. Complex passwords must also be long. For short complex passwords, brute-force attacks will still succeed. Beyond about 10 or 12 characters, however, there are too many combinations to try in a reasonable period of time. Overall, while long complex passwords can defeat determined attacks, most users select passwords that can be cracked with dictionary attacks. Reusable passwords are no longer appropriate in an era when password-cracking programs can reveal most passwords in seconds or minutes. Passwords are only useful for non-sensitive assets.
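A worked illustration of the two-step argument above, added here as an example and not taken from the textbook: a small constructed cracker dictionary holding the three entry types (common passwords, dictionary words, hybrid variants), followed by the brute-force keyspace estimate for a password that survives the dictionary check. The word lists, the attacker's guess rate and the ten-year patience threshold are assumptions chosen for the example.

```python
import string

# Constructed mini cracker dictionary and assumed attacker speed/patience (not from the text).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}
DICTIONARY_WORDS = {"sunshine", "dragon", "monkey", "football", "princess"}
GUESSES_PER_SECOND = 10 ** 10          # assumed offline cracking rate
REASONABLE_SECONDS = 10 * 365 * 24 * 3600  # assumed limit: ten years of trying

def hybrid_variants(word):
    """Hybrid forms the text describes: capitalised first letter, trailing digit, or both."""
    forms = {word, word.capitalize()}
    for base in list(forms):
        forms.update(base + d for d in string.digits)
    return forms

def build_cracker_dictionary():
    """Three entry types: common passwords, dictionary words, and their hybrid versions."""
    entries = set()
    for word in COMMON_PASSWORDS | DICTIONARY_WORDS:
        entries |= hybrid_variants(word)
    return entries

CRACKER_DICT = build_cracker_dictionary()

def in_dictionary(password):
    """True if a dictionary attack would find it, regardless of its length."""
    return password in CRACKER_DICT or password.lower() in CRACKER_DICT

def charset_size(password):
    """Alphabet a brute-force attacker must cover, from the character classes present."""
    present = lambda chars: any(c in chars for c in password)
    return sum(len(s) for s in (string.ascii_lowercase, string.ascii_uppercase,
                                string.digits, string.punctuation) if present(s))

def brute_force_guesses(password):
    """Worst case: try every 1-char, then every 2-char, ... up to the real length."""
    n = charset_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))

def assess(password):
    """Return ('weak'|'strong', reason) following the text's dictionary-then-brute-force argument."""
    if in_dictionary(password):
        return "weak", "present in the cracker dictionary"
    seconds = brute_force_guesses(password) / GUESSES_PER_SECOND
    if seconds < REASONABLE_SECONDS:
        return "weak", f"brute force in about {seconds:.3g} s"
    return "strong", f"brute force needs about {seconds / (365 * 24 * 3600):.3g} years"

if __name__ == "__main__":
    for pw in ("Dragon1", "aB3$", "Tr0ub4dor&3", "correcthorsebatterystaple"):
        print(pw, *assess(pw))
```

Note that "Dragon1" is rejected by the dictionary step before any keyspace arithmetic runs, while the short complex "aB3$" passes the dictionary check and still falls to brute force within a fraction of a second.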
1. Discuss and explain the types of passwords that are susceptible to dictionary attacks. [5 marks]
2. Can a password that can be broken by a dictionary attack be adequately strong if it is very long? Justify your answer. [5 marks]
3. Explain the types of passwords that can be broken only by brute-force attacks. [5 marks]
4. What are the characteristics of passwords that are safe from even brute-force attacks? [5 marks]
5. Discuss why it is undesirable to use reusable passwords for anything but the least sensitive assets.
A1) Passwords that include words from the English dictionary, or common strings like "12345", and combinations of the above two can be easily broken by a dictionary attack. If one wants to have a password that is insusceptible to dictionary attacks, they should try long, complex passwords that are uncommon and unique.
A2) The length of a password that can be broken by a dictionary attack will not significantly affect the chances of resisting a dictionary attack, as irrespective of the length of the string, as long as it exists in a dictionary or is a combination of common words and dictionary words, it will be tried by the attacker.
A3) A good rule of thumb for a password that can only be broken by brute force is one that holds no rhyme or reason. If one character is not related to the previous character by any line of logic, then the password can only be broken by brute force. Employing a mix of special characters, numbers, and random capitalization, combined with length, will ensure that a password can only be broken by brute force.
A4) Passwords that are long, have numbers and special characters, and do not have commonly used passwords or words from the English dictionary can only be broken by a brute force attack.
A5) Many times, a security leak can lead to a list of password and account pairs being released on the internet. This has happened with secure companies who were betrayed by a disgruntled employee, or by a bug in the latest patch of software. When this happens, an attacker will try the same password on your accounts on other platforms, and if you've reused a password, even if it's a 256-bit pseudorandom string, it will be of no use.