CS155 Computer and Network Security

Published: 30-Aug-2021

Question:

Title: Attacking and Protecting Passwords

Write about the latest developments and issues.

Answer:

Introduction:

Web services rely on login credentials so that information is transmitted securely and disclosed only to the authorised person. “The password is created by the user according to their choice which they can remember easily” (Garg, 2013). A user-chosen password trades convenience for the user against the security it provides. Knowledge-based authentication schemes are used to improve both the protection of information and its usability. Passwords fall into two categories: strong passwords, which are not easily cracked by attackers, and weak passwords, which can be cracked easily. “The authentication system is used for providing information to the authorised person only” (Melicher, 2016). Authorisation is granted when the login credentials are entered correctly before the session expires.

Objective:

The objective of this paper is to examine passwords, the attacks associated with them and the different methods used to carry out those attacks. Attention is also given to the countermeasures that should be taken to prevent passwords from being compromised, and to the different authentication methods used to preserve the confidentiality of passwords. Analysing the countermeasures helps in identifying the positive effects of an authentication system.

What is Password?

A password is a word or phrase used to secure confidential information available on the internet. It should be generated according to password rules, policies and guidelines, and the user must remember it in order to access that confidential information. Strong passwords are those that are not easily cracked by attackers; weak passwords are those that can be cracked easily. A short password is easy to remember but not secure when working on the internet.

Type of Password attacks:

Password attacks target the login details used to access resources and gain control over a network. The rapid growth of new tools and technologies built around web services increases the risk of password attacks, which open the door for an attacker to obtain a user's login details. The loss of credit card information, bank account details and other confidential information can seriously affect the user's life. If no preventive measures are taken proactively, an attacker can steal this information from the databases.

  • Brute force attack: The brute force attack is used by attackers to steal user information from databases. It is the most reliable method of attacking confidential information: the attacker tries every possible combination of characters in order to log in to the user's account, and a computer program can be used to enumerate the candidate strings and test each one for access. Increasing the length of the password increases the effort needed to crack it; a short password can be recovered quickly, whereas a longer one is difficult to crack.
  • Reverse brute force attack: The reverse brute force attack tests a single password string against multiple user IDs, and the process is repeated with a small collection of chosen passwords. Deploying a password policy helps mitigate reverse brute force attacks.
  • Dictionary attack: “Sometimes the user thinks that a single word can be used as a password, so he goes through testing each word of the dictionary to match it up with the user ID” (Owens, 2008). The most common passwords chosen by users are dictionary words, phone numbers, dates of birth and the like. The problem of dictionary attacks can be addressed by building the password from several dictionary words combined together instead of a single word, combined in a way that is still easy to memorise.
  • Key logger or malware attack: “The keystrokes of the user are tracked and monitored by the hackers by making use of a computer program” (Contini, 2015). The user's login ID and password can thus be recorded. The key logger or screen scraper program is installed by malware or a virus attached to a file. Multi-factor authentication is used to preserve the confidentiality of the credentials against key logger attacks.
  • Rainbow table attack: Pre-computed hashes of candidate passwords fall under the category of a rainbow table. “The hash value is the numerical value which is calculated by making use of a hashing algorithm on the encrypted password” (Towhidi, 2011). This attack needs minimal time to crack a password because the time that would otherwise be wasted working through the candidate list is saved by building the rainbow table in advance. It is difficult to carry out in a real situation.
  • Phishing attack: User accounts are easily compromised by phishing attacks. The password is handed directly to the attacker by the user, so no action is required to crack it. Phishing is the most common attack used to obtain a user's online credentials. A request for credential information is sent to the user's account in a form that frightens the user: the account will be closed, extra security steps have to be completed, the following form must be filled in, and so on. The user then willingly places their PIN, password and account details in the attacker's hands.
  • Social engineering: The sensitive and confidential information of the user is obtained by using tricks or fraud. Social engineering asks for confidential information in the real world, and the attacker performs it at a moment of failure or crisis, which may result in the loss of confidential databases.
  • Offline cracking of the password: Repeated wrong password entries would cause the live system to block the attempt, so the attacker instead works on the stored hash value of the password and converts it back into plaintext. A rainbow table is used to generate the plaintext and so recover the desired password.
  • Shoulder surfing: Watching the password as the user enters it can leak the credentials.
  • SQL injection attack: This attack mainly targets websites that are poorly designed and constructed. A code injection technique is used to obtain the user's password.
  • Guessing of the password: The attacker tries likely combinations of characters in order to log in to the user's account. A computer program can be used to guess the string the user chose as a password, and each guess is tested for access to the account.
  • Resetting of the password: A weak password-reset process enables an attacker to gain access to the account.
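The brute force and reverse brute force attacks above leave distinct traces in an authentication log: many failures against one account from one source, versus one or a few guesses spread across many accounts from one source (commonly called password spraying). The following detection logic is an added example, not code from the essay or its references; the log format, the thresholds, the five-minute window and the sample log lines are all constructed for illustration.

```python
"""Detection of brute force (many failures against one account) and reverse
brute force / password spraying (one or a few guesses against many accounts)
in authentication logs.

Added example, not code from the original essay. The log format, the
thresholds and the sample log lines are all constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> <source IP> <user> <FAIL|OK>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d+\.\d+\.\d+\.\d+) (?P<user>\S+) (?P<result>FAIL|OK)$"
)

# Constructed sample log: one source hammering 'alice', one source trying a
# single guess against four different accounts, and one user who mistyped once.
SAMPLE_LOG = """\
2021-08-30T10:00:01 203.0.113.5 alice FAIL
2021-08-30T10:00:09 203.0.113.5 alice FAIL
2021-08-30T10:00:17 203.0.113.5 alice FAIL
2021-08-30T10:00:25 203.0.113.5 alice FAIL
2021-08-30T10:00:33 203.0.113.5 alice FAIL
2021-08-30T10:00:41 203.0.113.5 alice FAIL
2021-08-30T10:05:00 198.51.100.9 bob FAIL
2021-08-30T10:05:10 198.51.100.9 carol FAIL
2021-08-30T10:05:20 198.51.100.9 dave FAIL
2021-08-30T10:05:30 198.51.100.9 erin FAIL
2021-08-30T10:07:00 192.0.2.7 frank FAIL
2021-08-30T10:07:12 192.0.2.7 frank OK
"""

def parse_log(text):
    """Turn log lines into (timestamp, ip, user, result) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"]))
    return events

def max_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def max_distinct_users_in_window(items, window):
    """Largest number of distinct users failing from one source inside any `window`."""
    items = sorted(items)  # (timestamp, user) pairs
    best = 0
    for t_end, _ in items:
        users = {u for t, u in items if t_end - window <= t <= t_end}
        best = max(best, len(users))
    return best

def detect(events, window=timedelta(minutes=5), fail_threshold=5, spray_threshold=4):
    """Return (brute_force, spraying): brute_force maps (ip, user) -> failure count and
    spraying maps ip -> number of distinct accounts failed, for sources over threshold."""
    fails_by_pair = defaultdict(list)
    fails_by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails_by_pair[(ip, user)].append(ts)
            fails_by_ip[ip].append((ts, user))
    brute_force = {}
    for key, times in fails_by_pair.items():
        n = max_in_window(times, window)
        if n >= fail_threshold:
            brute_force[key] = n
    spraying = {}
    for ip, items in fails_by_ip.items():
        n = max_distinct_users_in_window(items, window)
        if n >= spray_threshold:
            spraying[ip] = n
    return brute_force, spraying

def analyze(text=SAMPLE_LOG):
    """Parse and run both detectors over a log text."""
    return detect(parse_log(text))

if __name__ == "__main__":
    brute_force, spraying = analyze()
    for (ip, user), n in brute_force.items():
        print(f"brute force: {n} failures for {user} from {ip}")
    for ip, n in spraying.items():
        print(f"password spraying: {n} accounts failed from {ip}")
```

The single mistyped login from 192.0.2.7 trips neither detector, which is the point of using a window and a threshold rather than alerting on every failure; in practice the thresholds are tuned to the lockout policy so that spraying, which deliberately stays under the per-account lockout count, is still caught by the per-source distinct-account count.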

Countermeasures:

There are various prevention methods used to secure passwords against cracking. A strong password is created by following password policies when choosing the password for a web service. The password policy ensures that the password is composed of 7 characters and includes capital and small letters along with some special characters. Dictionary words and logical sequences should be avoided when designing the password. “The problem of dictionary attack can be resolved by creating the password by amalgamating different words of dictionary instead of using a single word from it” (Gasti, 2014). The amalgamation should be done in such a way that it is easy to memorise. The techniques used to maintain the confidentiality of passwords are listed in the table below:

Serial No. / Description

1. Reversing a dictionary word helps in developing a secure password.
2. Add a number before and after the reversed string.
3. Using one special character helps protect the password from being cracked.
4. Mixing small and capital letters increases the security of the password.
5. Some of the letters should be replaced with numbers.
6. “The password should not be generated by using numbers or alphabets only. They can be easily hacked by the hackers” (Pinkas, 2015).
7. Quotations and long sentences containing punctuation marks are not easy to track.
8. Use misspelled words.
9. The password should be changed periodically.
10. Every account or web service should use a different password.
11. A lengthy password should be created.
12. Password-protected screen savers should be used.
13. The password should not be shared with anyone.
14. The password should not be written down in a central location where data is gathered.
15. Security auditing tools should be used to keep track of password security.
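The policy rules above (7 characters, capital and small letters, a special character, no dictionary word, no logical sequence) can be enforced automatically at password-creation time, and the effect of length on the brute force attack described earlier can be made concrete by counting the search space an attacker must cover. The checker below is an added example, not code from the essay; the dictionary and sequence lists are tiny constructed stand-ins for the real wordlists a production checker would load.

```python
"""Password policy checker applying the rules listed above (length of 7,
capital and small letters, a digit, a special character, no dictionary word,
no logical sequence) and an estimate of the brute-force search space.

Added example, not code from the original essay. DICTIONARY and SEQUENCES
are tiny constructed stand-ins for real wordlists.
"""
import math
import string

MIN_LENGTH = 7                      # the policy length the essay states
SPECIAL = set(string.punctuation)   # the 32 ASCII punctuation characters
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein", "monkey"}  # constructed
SEQUENCES = ["abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop", "asdfghjkl"]

def contains_dictionary_word(password: str) -> bool:
    """True if any wordlist entry appears inside the password (case-insensitive)."""
    low = password.lower()
    return any(word in low for word in DICTIONARY)

def contains_sequence(password: str, run: int = 4) -> bool:
    """True if `run` consecutive characters of any sequence, forwards or
    backwards (e.g. 'abcd', '4321', 'qwer'), appear in the password."""
    low = password.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            if any(s[i:i + run] in low for i in range(len(s) - run + 1)):
                return True
    return False

def check_policy(password: str) -> list:
    """Return the rules the password violates; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no small letter")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIAL for c in password):
        problems.append("no special character")
    if contains_dictionary_word(password):
        problems.append("contains a dictionary word")
    if contains_sequence(password):
        problems.append("contains a logical sequence")
    return problems

def search_space_bits(password: str) -> float:
    """log2 of the keyspace a brute-force attacker must cover, given the length
    and the character classes actually used; every extra character adds
    log2(alphabet) bits, which is why length dominates."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in SPECIAL for c in password):
        alphabet += len(SPECIAL)
    return len(password) * math.log2(alphabet) if alphabet else 0.0

if __name__ == "__main__":
    for candidate in ("password", "abcd1234", "Blue!Kite42"):
        print(candidate, check_policy(candidate), round(search_space_bits(candidate), 1))
```

The search-space figure is an upper bound on attacker effort, not a guarantee: a password that passes every rule but is built from a predictable pattern falls to a dictionary attack with rules long before a brute force search would reach it, which is why the dictionary and sequence checks run in addition to the character-class checks.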

Prevention of password cracking attacks:

Prevention method for brute force cracking: The system can be secured against brute force attacks by creating a strong password, using the password policies and the methods discussed above.

Prevention methods for dictionary cracking attacks: “The problem of dictionary attack can be resolved by creating the password by amalgamating different words of dictionary instead of using a single word from it” (Wu, 2012). The amalgamation should be done in such a way that it is easy to memorise.

Prevention method for key logger attacks: “The key logger attack can be prevented by making use of a virtual keyboard for filling in the confidential details to access the web services” (Silver, 2016). One-time password generation is the most successful method of carrying out transactions securely.

Prevention method for rainbow table attacks: “The rainbow table should not be created for the password. The creation of a table requires a lot of time and resources, so it is not used in real situations” (Wang, 2013).

Prevention methods for phishing attacks: Clicking on unknown links should be avoided, credentials should not be given to unknown persons, and emotions should be kept under control when fake messages are circulated.

Prevention methods for social engineering attacks: “The unknown person should not be given authority to access the database of the organization, even in a critical situation” (Gaw, 2006). Legal obligations should govern any authorisation of access to confidential information for an unknown person.
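The rainbow table attack and the offline cracking attack described earlier both depend on the stored password hash being reproducible from the password alone: a table of pre-computed hashes built once can then be reused against every database that stores unsalted hashes. The following added example (not code from the essay or its references) shows that reuse against an unsalted SHA-256 store, and the storage-side countermeasure a practitioner applies: a random per-user salt combined with a slow key-derivation function (PBKDF2-HMAC-SHA256 here), which makes every stored record unique so that no table computed in advance applies. The candidate list is a constructed stand-in for the wordlist a table is built from.

```python
"""Why a pre-computed (rainbow-style) table works against unsalted hashes, and
why a random per-user salt plus a slow key-derivation function defeats it.

Added example, not code from the original essay. CANDIDATES is a constructed
stand-in for the wordlist a pre-computed table is built from.
"""
import hashlib
import hmac
import os

CANDIDATES = ["123456", "password", "letmein", "summer2021", "dragon"]  # constructed

def unsalted_hash(password: str) -> str:
    """Fast, unsalted hash: the same password gives the same hash in every database."""
    return hashlib.sha256(password.encode()).hexdigest()

def build_precomputed_table(candidates):
    """Hash every candidate once; the resulting table is reusable against any unsalted store."""
    return {unsalted_hash(p): p for p in candidates}

def lookup_unsalted(table, stored_hash):
    """Recover the plaintext with a single dictionary lookup, or None if not in the table."""
    return table.get(stored_hash)

def store_salted(password: str, iterations: int = 100_000) -> dict:
    """Per-user random salt + PBKDF2-HMAC-SHA256. The salt is stored beside the
    hash; it is not secret, it only makes the hash unique to this record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}

def verify_salted(password: str, record: dict) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])

def salted_records_collide(password: str) -> bool:
    """Two users with the same password: under salting their stored hashes differ,
    so a hit on one record says nothing about the other."""
    return store_salted(password)["hash"] == store_salted(password)["hash"]

if __name__ == "__main__":
    table = build_precomputed_table(CANDIDATES)
    leaked = unsalted_hash("summer2021")          # what an unsalted database would hold
    print("unsalted store recovered:", lookup_unsalted(table, leaked))
    record = store_salted("summer2021")
    print("salted store recovered:", lookup_unsalted(table, record["hash"]))
    print("login check:", verify_salted("summer2021", record))
```

The iteration count is the second half of the defence: the table lookup that costs the attacker nothing against SHA-256 becomes one slow derivation per guess per user, and the count is raised over time as hardware gets faster.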

Authentication methods used for preserving Passwords:

The authentication methods are summarised in the table below:

Authentication method / Description

Pass phrase method: Used to generate the private key, making a strong password easier to remember.

Conventional method: The user's authentication credential is checked against the user's details stored in the database.

Deployment of public key infrastructure: “This method is used for avoiding eavesdropping attacks on the user account. The public key is used for exchanging information among the participating units” (Kulkarni, 2013).

Keystroke dynamics method: Analyses the time taken to press each key and the time between two consecutive key presses.

Click pattern: “This method is used for generating stronger passwords by making use of clicking patterns” (Charathsandran, 2015).

Graphical password: Selected objects are used as the password.

One-time password: Generating a one-time password is the most secure method of carrying out transactions securely.

Use of biometrics: Biometrics provide authentication using an image of the fingerprints, face, retina of the eye, and so on.

Authentication panels: The authentication panel is used to rectify vulnerabilities associated with components that are used regularly.

Digital signature: A hash value is created for the digital signature, which is used for accessing the information.

Conclusion:

The authentication system serves to provide information to the authorised person only. The attacks should be analysed before a password protection technique is adopted, so that the chosen technique secures the user's password and thereby maintains the confidentiality of the information available on the internet. It should be kept in mind that a short password is easy to remember but not secure when working on the internet.

References:

Charathsandran, G. (2015). Text password survey: Transition from first generation to second generation. Retrieved from http://blogs.ubc.ca/computersecurity/files/2012/04/Text-Password-Survey_GAYA.pdf

Contini, S. (2015). Methods to protect passwords in databases for web application. Retrieved from https://eprint.iacr.org/2015/387.pdf

Garg, N. (2013). Revisiting defence against large scale online password guessing attacks. Retrieved from http://www.ijsrp.org/research-paper-0413/ijsrp-p1627.pdf

Gasti, P. (2014). On the security of password manager database formats. Retrieved from https://www.cs.ox.ac.uk/files/6487/pwvault.pdf

Gaw, S. (2006). Password management strategies for online account. Retrieved from https://cups.cs.cmu.edu/soups/2006/proceedings/p44_gaw.pdf

Kulkarni, S. (2015). A survey of password attacks, countermeasures and comparative analysis of secure authentication methods. Retrieved from http://www.ijarcsms.com/docs/paper/volume3/issue11/V3I11-0046.pdf

Melicher, W. (2016). Usability and security of text passwords on mobile devices. Retrieved from https://www.ece.cmu.edu/~lbauer/papers/2016/chi2016-mobile-pwds.pdf

Owens, J. (2008). A study of password and methods used in Brute force attacks. Retrieved from http://people.clarkson.edu/~owensjp/pubs/leet08.pdf

Pinkas, B. (2015). Security password against dictionary attacks. Retrieved from http://www.pinkas.net/PAPERS/pwdweb.pdf

Silver, D. (2016). Password manager attack and defence. Retrieved from https://crypto.stanford.edu/~dabo/papers/pwdmgrBrowser.pdf

Towhidi, F. (2011). The knowledge based authentication attacks. Retrieved from http://weblidi.info.unlp.edu.ar/worldcomp2011-mirror/SAM8123.pdf

Wang, P. (2013). Strengthening password based authentication protocols against online dictionary attacks. Retrieved from https://www.dtc.umn.edu/publications/reports/2005_05.pdf

Wu, T. (2012). A real world analysis of Kerberos password security. Retrieved from http://www.gnu.org/software/shishi/wu99realworld.pdf
