Method of relaying password to the authenticator
Passwords can be vulnerable to snooping while being transmitted to the authenticating machine or person. In an extreme case, if a password is transmitted by publication in a large-circulation newspaper, the password will be entirely insecure. If the password is carried as electrical signals on a wire between the access point and the central system controlling the password database, it is subject to snooping by any of a variety of wire-tapping methods and will also be insecure, though less obviously so. If it is carried over the Internet in the clear (as by older protocols such as telnet, FTP and HTTP Basic authentication), anyone able to watch the packets containing the logon information can read it with very little possibility of detection; a simple encoding such as base64 is no protection, since it is trivially reversed.
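As an added illustration (not part of the original article) of why cleartext transmission is insecure, the Python below picks logon credentials out of two constructed packet payloads of the kind a network sniffer would capture: an FTP session, which sends its USER and PASS commands in the clear, and an HTTP request using Basic authentication, which merely base64-encodes "user:password". The host names, user names and passwords are made up for the example.

```python
import base64
import re
from typing import List, Tuple

# Constructed sample captures (not real traffic) standing in for what a sniffer
# on the wire would see for two common cleartext logon protocols.
SAMPLE_FTP_SESSION = (
    b"220 ftp.example.test FTP server ready\r\n"
    b"USER alice\r\n"
    b"331 Password required for alice\r\n"
    b"PASS rover\r\n"
    b"230 User alice logged in\r\n"
)

# "Ym9iOjEyLzMvNzU=" is base64 for "bob:12/3/75": an encoding, not encryption.
SAMPLE_HTTP_REQUEST = (
    b"GET /private/index.html HTTP/1.1\r\n"
    b"Host: intranet.example.test\r\n"
    b"Authorization: Basic Ym9iOjEyLzMvNzU=\r\n"
    b"\r\n"
)

FTP_USER = re.compile(r"^USER ([^\r\n]+)\r?$", re.MULTILINE)
FTP_PASS = re.compile(r"^PASS ([^\r\n]+)\r?$", re.MULTILINE)
HTTP_BASIC = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\r?$",
                        re.MULTILINE | re.IGNORECASE)


def extract_credentials(payload: bytes) -> List[Tuple[str, str, str]]:
    """Return (protocol, username, password) triples visible in a cleartext payload."""
    # latin-1 maps every byte to one character, so arbitrary binary never raises.
    text = payload.decode("latin-1")
    found: List[Tuple[str, str, str]] = []

    # FTP: the user name and password travel as two separate command lines.
    user = FTP_USER.search(text)
    password = FTP_PASS.search(text)
    if user and password:
        found.append(("ftp", user.group(1), password.group(1)))

    # HTTP Basic: one header carrying base64("user:password").
    for match in HTTP_BASIC.finditer(text):
        try:
            decoded = base64.b64decode(match.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # malformed header: skip it rather than crash the sniffer
        if ":" in decoded:
            username, secret = decoded.split(":", 1)
            found.append(("http-basic", username, secret))
    return found


if __name__ == "__main__":
    for capture in (SAMPLE_FTP_SESSION, SAMPLE_HTTP_REQUEST):
        for proto, username, secret in extract_credentials(capture):
            print(f"{proto}: user={username!r} password={secret!r}")
```

Both captures give up the password with no cryptanalysis at all; the only "work" is a base64 decode. The same extraction is what tools such as packet sniffers automate, which is why the next section points to cryptography (encrypted transport) rather than to any cleverer encoding.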
See cryptography for ways in which the passing of information can be made more secure in the face of assorted snooping methods.
Likelihood that a password can be guessed
Studies of live computer systems have consistently shown that about 40% of all user-chosen passwords are easily guessable.
- A password might be guessed if a user chooses an easily-discovered piece of personal information as a password (such as a student ID, a boyfriend's name, a birthday, a telephone number or a license plate number). These are obvious choices to both user and attacker alike. Personal data about almost everyone are now available from various sources (many on-line), and so may be assumed to be known by an attacker.
- A password is vulnerable if it can be found in a list. Dictionaries (often in computer-readable form) are available for many languages, and there exist lists of commonly-chosen passwords. In tests on live systems, dictionary attacks are so routinely successful that software implementing this kind of attack is available for many systems.
Likelihood that a password can be discovered
Passwords can be discovered by shoulder surfing, burglary, extortion, blackmail or threats. Dumpster diving is also surprisingly fruitful where sensitive printed material (written-down passwords included) is thrown away without adequate precaution.
Preemptive measures such as automatic expiry of passwords can limit the damage (eventually) even when a password has been compromised without its owner being aware of it, since the stolen password stops working at the next forced change. This precaution annoys many users and so is used far less often than security concerns would suggest.
The process of obtaining passwords by psychological manipulation of users is called social engineering. "Hi. Systems Control here. We're doing a security test. Can we have your password so we can proceed?" works astonishingly often.
Likelihood that a password can be remembered
The most secure passwords are long, random collections of characters (including upper and lower case, numbers and other symbols if allowed), which are unfortunately quite hard for most people to remember. Users with such passwords are mightily tempted to stick a Post-it note to their monitor, and a password that has been written down is no longer secure.
Forcing users to use system-generated 'random passwords' ensures that the password has no connection with the user (and so is hard to guess from knowledge of the user) and will not be found in any dictionary (ruling out dictionary attacks). Several operating systems have included such a feature. This is helpful from a security viewpoint. However, such passwords are very hard for users to remember, and so the measure is likely to be self-defeating as users write them down, which is not helpful from a security viewpoint. An ideal balance is not easy to find.
Procedures for changing passwords
Usually, a system will need to provide a way to change a password, either because the user believes that the password has been compromised, or as a precautionary measure. If a new password is passed to the system in an unencrypted form, security can be lost (e.g. via wire tapping) before the new password can even be installed in the password database. If the new password is given (even securely) to a compromised employee, it will likely be lost (this sort of problem is publicly known to have happened many times at assorted organizations, companies, etc).
Form of stored passwords
If the system stores every password in a one-way hashed form (often loosely called 'encrypted') rather than as plaintext, then a snooper (or a snooper's program) poking around within the system cannot simply read the passwords out, whilst validation remains possible: the system hashes the password offered at logon and compares the result with the stored value, thanks again to cryptography.
However, even with such hashing, no password system can be totally immune to attack. There exist tools which can recover some plaintext passwords, given a copy of the file containing the hashed ones. By hashing every word (and many variations of each word) from some word collection such as a dictionary and comparing the results with the stored values, a program can automatically attack many computer systems. The existence of these dictionary attack tools shows the relative strength of different password choices against such attacks. This is a variant of a brute-force attack, in which all possible passwords are tried (or, in the case of a dictionary attack, a sizeable and well-chosen subset of them). Two countermeasures slow such tools down: a random per-password salt, so that each guess must be hashed separately for every stored entry rather than once for the whole file, and a deliberately slow hash function, so that each guess costs the attacker appreciable computation.
Weak and strong passwords
A weak password is one that is short or can be rapidly guessed by searching a subset of all possible passwords, such as words in the dictionary, proper names, words based on the user name, or common variations on these themes. A strong password is sufficiently long, random, or otherwise producible only by the user who chose it, that guessing it would take too long. The length of time deemed 'too long' will vary with the attacker, with the attacker's resources, and with the importance of the password to the attacker. 'Weak' and 'strong' have only a rather fuzzy meaning in this context, and are very often misused in ways implying considerable precision. Note too that a 'strong' password in this sense can still be stolen, tricked or extorted from a user, overheard by tapping some communications medium, or copied from a Post-it note. 'Strong' has a severely limited meaning in this context.
Examples of weak passwords would be god, sex, password, rover, smile and 12/3/75; most would be found quickly by a dictionary attack, and the last is likely some personally significant date readily discoverable with a little research. Examples of stronger passwords would be tastywheeT34, partei@34! and #23kLLflux. These appear in no actual dictionary, use combinations of lower and upper case letters, numbers and symbols, and are long enough to make direct brute-force search impractically costly. Note, however, that cracking tools routinely apply transformation rules to dictionary words (capitalising, appending digits or years, substituting symbols for letters), so a dictionary word with a digit or two appended gains far less than its length suggests. Note also that some systems do not allow symbols like #, @ and ! in passwords; in such cases, another letter or number or two may offer equivalent security. Finally, having been published in Wikipedia as password examples, these are no longer good choices: examples from public articles about passwords are obvious candidates for inclusion in a dictionary to be used for a dictionary attack.
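The following Python, added here as an illustration and not part of the original article, ties together the two points above: passwords stored only as salted one-way hashes (the 'encrypted form' of the previous section), and the dictionary attack a cracking tool runs against a stolen copy of that file, tried against the weak and stronger examples just given. The user names, word list, suffix rules, personal-data guesses and the low iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Optional, Tuple

# Deliberately low so this demo runs in a second or two; real deployments use
# far more iterations (or a memory-hard function) to make each guess expensive.
ITERATIONS = 200

# Constructed tiny word list and rule set, standing in for the large dictionaries
# and rule files that real cracking tools ship with.
WORDLIST = ["god", "sex", "password", "rover", "smile",
            "letmein", "secret", "dragon", "tasty", "wheat"]
SUFFIXES = [""] + [str(d) for d in range(10)] + ["12", "123"]


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """One-way hash of a password under a per-entry salt (PBKDF2-HMAC-SHA256).
    The plaintext cannot be read back out of the result."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str) -> Tuple[bytes, bytes]:
    """What the password file stores for one user: a random salt and the hash."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def verify(password: str, record: Tuple[bytes, bytes]) -> bool:
    """Logon check: re-hash the offered password and compare in constant time."""
    salt, digest = record
    return hmac.compare_digest(hash_password(password, salt), digest)


def candidates(words: Iterable[str], personal: Iterable[str] = ()) -> Iterable[str]:
    """Dictionary words with cheap variations, plus personal data about the target."""
    for word in words:
        for form in (word, word.capitalize(), word.upper()):
            for suffix in SUFFIXES:
                yield form + suffix
    yield from personal


def dictionary_attack(records: Dict[str, Tuple[bytes, bytes]],
                      guesses: List[str]) -> Tuple[Dict[str, str], int]:
    """Run every guess against every record of a stolen password file.
    Returns the recovered {user: password} map and the number of hashes computed.
    Because each record carries its own salt, a guess must be re-hashed for every
    record; with unsalted hashes one hash per guess would test the whole file."""
    recovered: Dict[str, str] = {}
    work = 0
    for user, (salt, digest) in records.items():
        for guess in guesses:
            work += 1
            if hash_password(guess, salt) == digest:
                recovered[user] = guess
                break
    return recovered, work


def demo() -> Dict[str, Optional[str]]:
    """Fictional users choosing the article's weak and stronger examples."""
    chosen = {
        "ann": "god", "ben": "rover", "cho": "Smile1", "dee": "12/3/75",
        "eve": "tastywheeT34", "fay": "#23kLLflux",
    }
    records = {user: make_record(pw) for user, pw in chosen.items()}
    # The attacker adds what a little research on "dee" turned up: a birthday.
    guesses = list(candidates(WORDLIST, personal=["12/3/75", "3/12/75", "1975"]))
    recovered, _work = dictionary_attack(records, guesses)
    return {user: recovered.get(user) for user in chosen}


if __name__ == "__main__":
    for user, result in demo().items():
        print(f"{user}: {'cracked -> ' + result if result else 'not found in dictionary'}")
```

The four weak choices fall to a few hundred guesses each, including "Smile1", which is only a dictionary word with a capital and a digit, and the date, which was never in any dictionary but was in the attacker's notes about the user. The two stronger examples survive this word list only because no rule here produces them; a larger rule set (two words joined, letter-for-digit substitutions) is exactly how real tools close that gap, which is the caveat in the paragraph above.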
It has been said that the ideal password should be "impossible to remember" and thus unlikely to be guessable. Such passwords are surely stronger, that is, harder for an attacker to discover; but they are more often written down, and so easier to discover by looking under drawers or keyboards, behind pictures, or for Post-it notes. Such passwords regularly provoke violations of another bit of common, and wise, advice: "never write a password down anywhere, no matter what". Requiring 'strong' passwords thus often has the unintended consequence that many such passwords are less secure, by increasing the likelihood that they will be lost, snooped, copied or otherwise compromised.
See also
For information on the game Password, see Password game.