Wednesday, July 16, 2014

Passwords



Passwords are a secret combination of letters, numbers, and/or symbols that only the user should know.


Why are length and complexity important?

The length and complexity of a password present an obstacle to anyone attempting to decipher it. A password such as "XYZ" will be considerably easier to decipher than one such as "stix007candy1886a". The challenge for people trying to break passwords is the "keyspace", which is the total number of possibilities for a password based on the number of characters it uses. Therefore it is not complexity (the size of the character set the password draws from) but the length of the password that makes it a strong repellent for hackers.
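To make the keyspace argument concrete, here is an added example (not from the original post) that estimates the keyspace of a password from its length and the character classes it uses, and compares how adding length versus adding complexity grows that keyspace. The two passwords are the ones quoted above; the guess rate passed to `seconds_to_exhaust` is an assumed figure, not a measurement.

```python
import string

# Added example: keyspace = (size of character set) ** (password length).
# The character classes below are an assumption about how an attacker would
# model the password; printable ASCII symbols (string.punctuation) are 32 chars.
CLASSES = {
    "lower": string.ascii_lowercase,    # 26
    "upper": string.ascii_uppercase,    # 26
    "digits": string.digits,            # 10
    "symbols": string.punctuation,      # 32
}


def charset_size(password: str) -> int:
    """Size of the smallest set of classes that covers every character used."""
    size = 0
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    return size


def keyspace(alphabet: int, length: int) -> int:
    """Total number of candidate passwords of exactly this length."""
    return alphabet ** length


def password_keyspace(password: str) -> int:
    """Keyspace an attacker must cover if they model the password by its classes."""
    return keyspace(charset_size(password), len(password))


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given (assumed) guess rate."""
    return space / guesses_per_second


def length_beats_complexity(short_len: int, long_len: int) -> bool:
    """True when a lowercase-only password of long_len has a larger keyspace
    than a full-charset (all four classes) password of short_len."""
    full = sum(len(c) for c in CLASSES.values())
    return keyspace(26, long_len) > keyspace(full, short_len)


if __name__ == "__main__":
    # Constructed comparison using the two passwords quoted in the post and an
    # assumed rate of one billion guesses per second.
    for pw in ("XYZ", "stix007candy1886a"):
        space = password_keyspace(pw)
        print(f"{pw!r}: charset={charset_size(pw)}, length={len(pw)}, "
              f"keyspace={space:.3e}, worst case {seconds_to_exhaust(space, 1e9):.3e} s")
    print("10 lowercase letters beat 6 full-charset characters:",
          length_beats_complexity(6, 10))
```

The `length_beats_complexity` check shows the post's point numerically: ten lowercase letters (26^10) give a larger keyspace than six characters drawn from all 94 printable classes (94^6), because length is the exponent.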


Attacks on passwords

Password attacks are the ways in which someone tries to figure out a password in order to gain access.

To understand how to protect yourself from a password attack, you should become familiar with the most commonly used types of attacks. Commonly used attacks are:

Password guessing: the most common type of attack is password guessing. Attackers can guess passwords locally or remotely using either a manual or an automated approach. Though this approach is a possibility, in reality it is not practical.

Brute-force attack: the attacker tries every possible combination of characters for a password, given a character set (e.g., abcd…ABCD…1234…!@#$) and a maximum password length. This is the most successful and the most time-consuming of the attacks.

Dictionary attacks: these work on the assumption that most passwords consist of whole words, dates, or numbers taken from a dictionary. Dictionary attack tools require a dictionary input list.

Hybrid attacks: variations of the dictionary attack. They add special characters, spell words backward or misspell them, or append numbers.


Password resetting: rather than figuring out or "cracking" the password, attackers sometimes find it easier to reset the password using a password-resetting program.

Password cracking: the process of taking a captured password hash (or some other obscured form of the plaintext password, or challenge-response packets) and converting it back to its plaintext original. Basically, software works out the password.

Rainbow tables: these days, password crackers compute all possible passwords and their hashes (unique strings of data) for a given system and put the results into a lookup table called a rainbow table. When an attacker extracts a hash from a target system, he or she can simply look up the plaintext password in the rainbow table.

Password sniffing: some password crackers can sniff authentication traffic between a client and a server and extract password hashes, or enough authentication information to begin the cracking process.




Password capturing: many attackers capture passwords simply by installing a keyboard-sniffing Trojan horse or one of the many physical keyboard-logging hardware devices sold on the Internet.
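The cracking and rainbow-table entries above both depend on a captured hash being cheap to reverse. The following is an added example, not code from the original post, showing the defensive side: a small "password database" that stores each password as a salted, iterated PBKDF2-HMAC-SHA256 hash. Because every user gets a fresh random salt, two users with the same password get different hashes, and a table precomputed over unsalted hashes finds nothing. The iteration count and the candidate list in the lookup-table demonstration are assumed values constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Added example: salted, iterated password hashing versus a precomputed lookup.
ITERATIONS = 200_000   # assumed work factor; raise as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def store_user(db: Dict[str, dict], username: str, password: str) -> None:
    """Store only the per-user salt and the derived hash, never the password."""
    salt, digest = hash_password(password)
    db[username] = {"salt": salt, "hash": digest}


def verify_password(db: Dict[str, dict], username: str, attempt: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    record = db.get(username)
    if record is None:
        # Burn the same work for unknown users so response time does not
        # reveal whether the account exists.
        hash_password(attempt, b"\x00" * SALT_BYTES)
        return False
    _, digest = hash_password(attempt, record["salt"])
    return hmac.compare_digest(digest, record["hash"])


def unsalted_hash(password: str) -> bytes:
    """The weak scheme a rainbow table targets: one fixed hash per password."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def build_lookup_table(candidates) -> Dict[bytes, str]:
    """Precomputed (hash -> password) table over a constructed candidate list."""
    return {unsalted_hash(p): p for p in candidates}


def lookup(table: Dict[bytes, str], captured_hash: bytes) -> Optional[str]:
    """What an attacker gets from a captured hash: a hit only if the hash is
    unsalted and the password was in the candidate list."""
    return table.get(captured_hash)


def build_demo_db() -> Dict[str, dict]:
    # Constructed sample data reusing the password quoted in the post.
    db: Dict[str, dict] = {}
    store_user(db, "alice", "stix007candy1886a")
    store_user(db, "bob", "stix007candy1886a")   # same password, different salt
    return db


if __name__ == "__main__":
    db = build_demo_db()
    print("alice login with correct password:", verify_password(db, "alice", "stix007candy1886a"))
    print("alice and bob share a stored hash:", db["alice"]["hash"] == db["bob"]["hash"])
    table = build_lookup_table(["password", "XYZ", "stix007candy1886a"])
    print("unsalted hash found in table:", lookup(table, unsalted_hash("XYZ")))
    print("salted hash found in table:", lookup(table, db["alice"]["hash"]))
```

The two `lookup` calls make the point of the rainbow-table entry: the unsalted SHA-256 of "XYZ" is in the table, while Alice's salted PBKDF2 hash is not, even though her password is on the candidate list. Salting forces a separate table per salt, and the iteration count makes each entry of such a table expensive to build.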


Limitations of password supplements

Password supplements are solutions that have been developed to help users avoid poor password practices. Browser autocomplete and stored HTTP authentication passwords are examples.

Their limitations and disadvantages are that users are restricted to the computer on which the password information was previously stored, they must avoid clearing the stored passwords from that computer, and the passwords may be exposed if another user is allowed access to the computer.


Project Case 10-4: Use Cognitive Biometrics

Is this type of cognitive biometrics effective? If you came back to this site tomorrow, would you remember the three faces? Yes, yes.

Other types of authentication

Authentication: the steps that ensure an individual is who they claim to be.

Tokens: a token is typically a small device with a display window. It works in conjunction with an authentication server, with which it shares a unique algorithm, producing a new code once every 30 to 60 seconds.

Cards: smart cards and Common Access Cards are examples. Both have integrated chips that assist in executing the authentication process.

Standard biometrics: uses a person's unique physical characteristics.

Behavioral biometrics: uses the normal actions that a user performs.

Keystroke dynamics: a type of behavioral biometric that recognizes a user's unique typing pattern.

Voice recognition: recognizes a user's voice.

Cognitive biometrics: uses perception and facial recognition through a familiarization process.

Single sign-on: a single authentication that is accepted across multiple networks.

Windows Live ID: a standard username and password.

OpenID: an identity that consists only of a URL, backed by a username and password. It provides a means of showing that the user owns that specific URL.

Open Authorization (OAuth): a technology for avoiding the use of multiple passwords. Example: Google+.

http://www.soliditsolutions.com/2011/03/the-importance-of-password-length-and-complexity/
http://windowsitpro.com/security/types-password-attacks
