“This chapter is an excerpt from the 4th edition of ‘Hacking For Dummies’ by Kevin Beaver, published by John Wiley & Sons, January 2013, ISBN 978-1118380932. For more info please visit http://www.dummies.com/store/product/Hacking-For-Dummies-4th-Edition.productCd-1118380932.html“
Chapter 7: Passwords
Password hacking is one of the easiest and most common ways attackers obtain unauthorized network, computer, or application access. You often hear about it in the headlines, and study after study such as the Verizon Data Breach Investigations Report reaffirms that weak passwords are at the root of many security problems. I have trouble wrapping my head around the fact that I’m still talking about (and suffering from) weak passwords, but it’s a reality — and, as an information security testing professional, you can certainly do your part to minimize the risks.
Although strong passwords — ideally, longer and stronger passphrases that are difficult to crack (or guess) — are easy to create and maintain, network administrators and users often neglect this. Therefore, passwords are one of the weakest links in the information security chain. Passwords rely on secrecy. After a password is compromised, its original owner isn’t the only person who can access the system with it. That’s when accountability goes out the window and bad things start happening.
External attackers and malicious insiders have many ways to obtain passwords. They can glean passwords simply by asking for them or by looking over the shoulders of users (shoulder surfing) while they type their passwords. Hackers can also obtain passwords from local computers by using password-cracking software. To obtain passwords from across a network, attackers can use remote cracking utilities, keyloggers, or network analyzers.
This chapter demonstrates how easily the bad guys can gather password information from your network and computer systems. I outline common password vulnerabilities and describe countermeasures to help prevent these vulnerabilities from being exploited on your systems. If you perform the tests and implement the countermeasures outlined in this chapter, you’ll be well on your way to securing your systems’ passwords.
Understanding Password Vulnerabilities
When you balance the cost of security and the value of the protected information, the combination of a user ID and a secret password is usually adequate. However, passwords give a false sense of security. The bad guys know this and attempt to crack passwords as a step toward breaking into computer systems.
One big problem with relying solely on passwords for information security is that more than one person can know them. Sometimes, this is intentional; often, it’s not. The tough part is that there’s no way of knowing who, besides the password’s owner, knows a password.
Remember that knowing a password doesn’t make someone an authorized user.
Here are the two general classifications of password vulnerabilities:
- Organizational or user vulnerabilities: This includes lack of password policies that are enforced within the organization and lack of security awareness on the part of users.
- Technical vulnerabilities: This includes weak encryption methods and unsecure storage of passwords on computer systems.
I explore each of these classifications in more detail in the following sections.
Before computer networks and the Internet, the user’s physical environment was an additional layer of password security that actually worked pretty well. Now that most computers have network connectivity, that protection is gone.
Refer to Chapter 6 for details on managing physical security in this age of networked computers and mobile devices.