Online Password Guessing: Attacks and Prevention


By: Prabhmeet Kaur Dang, BCA 6th Sem, 2nd Shift

The increasing use of the Internet in almost every activity of our lives makes security and privacy a pressing issue. Our personal account information and data, even when protected by a password, are prone to attack, and the most common type of attack is password guessing. A large number of passwords for online accounts, from banking and shopping to social media, are vulnerable to online guessing. Targeted online guessing is when a criminal guesses a specific victim's password for a specific account. We like to base our passwords on our interests, hobbies, pets and family, and attackers exploit knowledge of a victim's personal information to make a few, often correct, guesses. Attackers can guess passwords locally (offline, against a stolen password hash) or remotely (online, against the live login service), using either a manual or an automated approach. Some common password-guessing tools are Hydra, which supports many protocols including HTTP, Telnet and Windows logons, TSGrinder for Windows Terminal Services, and SQLRecon for SQL Server.
Recently there have been a large number of data breaches, putting more personal information into the hands of criminals. Password guessing is a much-underestimated threat whose consequences can be damaging and serious. To understand how to protect yourself from a password attack, you should become familiar with the most commonly used types of attacks.
·        Brute Force Attack: A password-guessing attack that tries every possible combination of characters until the correct one is found. It is the most time-consuming method, but given enough attempts it always succeeds eventually; against an online service its speed is limited by how many guesses the server will accept, so it is mostly practical only for short or simple passwords.
·        Dictionary Attack: A password-guessing attack that tries each entry of a list ("dictionary") of common words and previously leaked passwords, on the assumption that the user chose something memorable rather than random.
·        Hybrid Attack: A hybrid attack starts from a dictionary and applies the small mutations that users make when administrators require passwords to differ at least slightly from a dictionary word: appending digits or a year, capitalising the first letter, or substituting characters such as "@" for "a" or "0" for "o". It covers far more of the realistic password space than a plain dictionary attack while remaining far cheaper than brute force.
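The three attack types above differ only in how they generate candidate guesses. The following added example (not part of the original article) shows each candidate generator and runs it against a simulated login check. The target password "sunshine1", the five-word mini-dictionary, the salt and the hashing scheme are all constructed for the example; a real dictionary such as rockyou.txt has millions of entries, and in a real online attack the guesses would be submitted to a login form rather than checked locally.

```python
import hashlib
import hmac
import itertools

# Constructed stand-in for the server's password store: a salted SHA-256 hash.
# (Chosen for brevity; a real service would use bcrypt, scrypt or Argon2.)
SALT = b"example-salt"


def hash_password(password: str) -> str:
    return hashlib.sha256(SALT + password.encode()).hexdigest()


# Constructed target: a dictionary word with a digit appended, the classic
# pattern that hybrid attacks are built for.
TARGET_HASH = hash_password("sunshine1")


def verify(guess: str) -> bool:
    """Simulated server-side login check (constant-time comparison)."""
    return hmac.compare_digest(hash_password(guess), TARGET_HASH)


# Constructed mini-dictionary of common passwords.
DICTIONARY = ["password", "letmein", "sunshine", "welcome", "dragon"]

# Character substitutions a hybrid attack applies ("leet speak").
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def dictionary_candidates(words):
    """Dictionary attack: each word exactly as it appears in the list."""
    for w in words:
        yield w


def hybrid_candidates(words, max_suffix=99):
    """Hybrid attack: dictionary words plus the mutations users typically apply
    to satisfy 'must not be a dictionary word' rules."""
    for w in words:
        variants = []
        for v in (w, w.capitalize(), w.upper(), w.translate(LEET)):
            if v not in variants:          # keep order, drop duplicates
                variants.append(v)
        for v in variants:
            yield v
            for n in range(0, max_suffix + 1):   # append 0..99
                yield f"{v}{n}"
            yield v + "!"


def brute_force_candidates(alphabet, max_len):
    """Brute force: every string over the alphabet up to max_len characters."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            yield "".join(combo)


def keyspace_size(alphabet_size: int, max_len: int) -> int:
    """Number of guesses an exhaustive brute-force run needs in the worst case."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def run_attack(candidates, limit=None):
    """Submit guesses in order until one verifies.
    Returns (password_found_or_None, number_of_guesses_made)."""
    attempts = 0
    for guess in candidates:
        attempts += 1
        if verify(guess):
            return guess, attempts
        if limit is not None and attempts >= limit:
            break
    return None, attempts


if __name__ == "__main__":
    print("dictionary:", run_attack(dictionary_candidates(DICTIONARY)))
    print("hybrid:    ", run_attack(hybrid_candidates(DICTIONARY)))
    # Exhaustive search over lowercase+digits up to 9 characters is hopeless
    # online: the worst case is over 10^14 guesses.
    print("brute-force keyspace (36 symbols, <=9 chars):", keyspace_size(36, 9))
    print("brute force, first 1000 guesses:",
          run_attack(brute_force_candidates("abcdefghijklmnopqrstuvwxyz0123456789", 9), limit=1000))
```

The plain dictionary run exhausts its five words without success, the hybrid run recovers "sunshine1" after 819 guesses, and the brute-force keyspace for the same password class runs to fourteen digits, which is why an attacker with a small guess budget per account always tries dictionary and hybrid candidates first.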

Some of the prevention techniques are:
·        There are a number of techniques for preventing brute-force attacks. The first is to implement an account lockout policy. For example, after three failed login attempts the account is locked until an administrator unlocks it. Note that a lockout which only an administrator can clear lets an attacker deny service to any user simply by entering wrong passwords on purpose, so a time-limited lockout is usually preferred.
·        Another technique is progressive delays. Each failed login attempt increases the time the server waits before it will evaluate the next attempt for that account (for example doubling the delay on every failure), and after a few failures the account is locked for a set period of time. This reduces an automated tool to a handful of guesses per hour without permanently locking the legitimate user out.
·        Another technique is to use a challenge-response test (for example a CAPTCHA) to prevent automated submission of the login page.
·        Use of strong passwords. Require users to choose passwords of at least eight characters combining letters and numbers, or requiring at least one special character; longer passphrases are stronger still.
·        Provide a good password policy for the users in your organization. Warn them about the danger of telling their password to other users, writing their password down on paper, or even storing their password in a plain-text file.
·        Enable account lockouts; they significantly slow most password-guessing attacks, whether manual or automated.
·        Use upper- and lowercase letters, special characters and numbers. Never use only numbers; such passwords can be cracked quickly.
·        Use punctuation characters to separate words or acronyms.
·        Change passwords every 6 to 12 months, and immediately whenever a breach or compromise is suspected.
·        Use a different password, of varying length, for each system, so that a breach of one service does not expose the others.
·        Don't use common slang words or words that appear in a dictionary.
·        Don't reuse the same password within at least four to five password changes.
·        Test your applications to make sure they aren't keeping passwords in memory indefinitely or writing them to disk.
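The account-lockout and progressive-delay techniques above are easy to describe but the details (when the counter resets, what happens while the account is locked, how much the attacker actually gains) are easier to see in code. The following added example is not from the original article: it implements a per-account throttle with doubling delays followed by a timed lockout, then simulates an automated guesser that retries the moment it is allowed to. The policy values (2-second base delay, lockout after 5 failures, 15-minute lockout), the "alice" account, its password and the FakeClock are all assumed for the example; a production deployment would keep the per-account state in a shared database or cache rather than in process memory.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

# Assumed policy values (not from the original article).
BASE_DELAY = 2.0        # first progressive delay in seconds, doubled per failure
MAX_FAILURES = 5        # failures before a timed lockout replaces the delay
LOCKOUT_SECONDS = 900   # 15-minute lockout; expires without administrator action


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0   # clock value before which logins are refused


@dataclass
class LoginGuard:
    """Server-side throttle: progressive per-account delays, then a timed lockout."""
    clock: Callable[[], float] = time.monotonic
    states: Dict[str, AccountState] = field(default_factory=dict)

    def check(self, user: str, password: str,
              verify: Callable[[str, str], bool]) -> str:
        st = self.states.setdefault(user, AccountState())
        now = self.clock()
        if now < st.locked_until:
            return "locked"        # refused without evaluating the password at all
        if verify(user, password):
            st.failures = 0        # a successful login clears the counter
            st.locked_until = 0.0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
        else:
            st.locked_until = now + BASE_DELAY * 2 ** (st.failures - 1)  # 2, 4, 8, 16 s
        return "fail"


# --- constructed simulation -------------------------------------------------

class FakeClock:
    """Deterministic replacement for time.monotonic so the simulation runs instantly."""
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t


# Constructed credential store with a single account.
CREDENTIALS = {"alice": "correct horse battery staple"}


def verify_credentials(user: str, password: str) -> bool:
    return CREDENTIALS.get(user) == password


def guesses_evaluated(window_seconds: float, guess_interval: float = 0.1) -> int:
    """Wrong guesses against one account that the throttled server actually
    evaluates inside the window, for an attacker who retries as soon as allowed."""
    clock = FakeClock()
    guard = LoginGuard(clock=clock.now)
    evaluated = 0
    while clock.t < window_seconds:
        if guard.check("alice", "wrong-guess", verify_credentials) == "fail":
            evaluated += 1
        # Retry when the delay/lockout expires, or after the tool's own interval.
        clock.t = max(guard.states["alice"].locked_until, clock.t + guess_interval)
    return evaluated


def guesses_unthrottled(window_seconds: float, guess_interval: float = 0.1) -> int:
    """The same attacker against a server with no throttling, for comparison."""
    return round(window_seconds / guess_interval)


if __name__ == "__main__":
    day = 24 * 60 * 60
    print("guesses per day, unthrottled:", guesses_unthrottled(day))
    print("guesses per day, throttled:  ", guesses_evaluated(day))
```

With these values an automated tool that can submit ten guesses per second gets 864,000 evaluated guesses per account per day against an unprotected login and exactly 100 against the throttled one (four delayed attempts, then one attempt per fifteen-minute lockout), which is enough to defeat the hybrid and brute-force candidate lists but not a handful of well-targeted guesses; that is why the throttle is combined with a strong password policy rather than relied on alone. The counter here only resets on a successful login, so an attacker cannot wait out the lockout and start again from short delays.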

“Privacy is not an option and it shouldn’t be the price we accept for just getting on the Internet.”

