Study On Information Security And Passwords Information Technology Essay

These days, we use our information everywhere. And to secure them we use passwords. We have so many passwords that we can’t keep tracing them all. We don’t update them and when we do, it’s very hard to come up with good ones that we can still remember, and for that reason we don’t change them for months, even years .We often forget these passwords and always try it to keep them simple so we can remember them and this is the problem. Karachi, Sind, Pakistan, UNHP Research explain that “Human memory is limited and therefore users cannot remember secure passwords as a result of which they tend to pick passwords that are too short or easy to remember””. It is very important for every user to use or to create complex passwords to prevent gaining unauthorized access to a system or data.

First requirement to make sure of the best security use of a password is to ensure that users are choosing high quality (or strong) passwords. Weak passwords are one of the most critical security threats to systems, users and networks. In the current context, passwords are the primary method for authentication, despite the availability of better solutions. Thus, protection of passwords and ensuring strong passwords against simple attacks is of the utmost importance.

Passwords must not only be complex another requirement is hashing. Password is most often defined as a string of eight (8) or more characters that mix uppercase and lowercase letters, numbers and special characters. According to Roger A. Grimes “I was recently contacted by the company that manages my stock to open up a new Web site log-on account. During new account creation, it asked me to input a secure password. So, I put in my normal password that is 21 characters long followed by 10 characters that are unique per Web site, but only uses lowercase letters. The length of the base password prevents basic password cracking and guessing, while the additional characters make the overall password (or pass phrase) unique so that no two resources ever have the same password”( Password size does matter). Strong passwords do not resemble words, and are best when generated at random. One suggested approach is picking a passphrase and either using the passphrase in its entirety or picking the leading letters from each word in the phrase and substituting numbers and special characters for some of the letters. Certain password hashing algorithms produce stronger hash values with longer passwords while others produce stronger hash values based on increased complexity of the password.

In addition to requiring users to choose strong passwords, it is also incumbent upon system administrators to require that passwords be changed frequently or they change it by their selves. Conventional wisdom indicates that no password should have a lifetime greater than 90 days, and for highly critical systems the lifetime should be 30 days or less,and never use the same password for more than account. “One way humans deal with password overload is to rely on a single password and simple variants for nearly every electronic interface in their lives–as I did. That’s highly problematic because if that all-powerful password is cracked at just one site, it gives a hacker the keys to the kingdom.”

Password cracking may be used as a preventative measure to ensure that strong passwords are being used by system users. Most passwords today are maintained as hashed, rather than encrypted. James McGlinn a developer and project manager for Nerds Inc say:” A hash (also called a hash code, digest, or message digest) can be thought of as the digital fingerprint of a piece of data. You can easily generate a fixed length hash for any text string using a one-way mathematical process. It is next to impossible to (efficiently) recover the original text from a hash alone. It is also vastly unlikely that any different text string will give you an identical hash – a ‘hash collision’. These properties make hashes ideally suited for storing your application’s passwords. Why? Because although an attacker may compromise a part of your system and reveal your list of password hashes, they can’t determine from the hashes alone what the real passwords are.” Hashing the password means taking a password string and using it

3

as an input for an algorithm and that results in an output that does not resemble the original input. Unlike encryption, hashing only works one way and cannot be decrypted. Hashing passwords before storing them is far more efficient than encrypting and decrypting passwords on the fly. Thus, when a user attempts to login, their submitted password is hashed, and the hashed value is compared with the hashed value stored on the system. Given an exact hash match, the login is approved and the user is considered authenticated.

Passwords are typically subjected to a combination of two kinds of attacks: brute-force and dictionary (or word-list). Brute-force attacks attempt to iterate through every possible password option available, either directly attempting to test the password against the system, or in the case of a captured password file, comparing the hashed or encrypted test password against the hashed or encrypted value in the file. In a dictionary attack, a list of common passwords, oftentimes consisting of regular words, is quickly run through and applied in a similar manner as with the brute-force attack. According to Newsweek “A dictionary attack that tries every single possible combination is an exhaustive brute-force attack. While this type of attack will technically be able to crack every conceivable password, it will probably take longer than your grandchildren’s grandchildren would be willing to wait.” Dictionary attacks are oftentimes very effective unless systems require users to choose strong passwords. For example, the maintainers of the popular open-source password cracking tool John the Ripper sell collections of word lists on CD. The CDs include word lists for more than 20 human languages, plus common and default passwords and unique words for all combined languages. For around $50 an individual wanting to execute a massive dictionary-based attack could have access to over 600MB of word list data. The ready availability of such data sets for use in dictionary attacks means that, unless a strong password is selected, it is very likely that the password can be cracked in a reasonable amount of time. This is especially true of passwords that are based on human readable words.

Strong and complex password cracking is primarily a protective countermeasure. It is designed to ensure that passwords used in various authentication mechanisms are strong enough to prevent casual dictionary based attacks. It is assumed, however, that a brute-force attack can be 100% successful given enough time. As such, it is vitally import to combine password

4

cracking with strict systematic requirements for strong passwords and regular password rotation. Password cracking helps ensure the Confidentiality and Integrity of data and systems by

propping-up the authentication system. Setting a strong password prevent the unauthorized information access and secure the data and the information from hackers.

Work Cited

Erickson, Jon. Hacking: The Art of Exploitation. San Francisco, Calif: No Starch Press, 2008. Internet resource.

Roger A. Grimes.”Password size dose matter” infoworld, jul 2006. Web. 29 March 2011.

Qureshi, M. Atif, Arjumand Younus, and Arslan Ahmed Khan. “Philosophical Survey of Passwords.”International Journal of Computer Science Issues (IJCSI) 7.4 (2010): 8-12. Computers & Applied Sciences Complete. Web. 29 March. 2011.

Summers, Nick. “BUILDING A BETTER PASSWORD.” Newsweek 154.16 (2009): E2- E9. Academic Search Complete. EBSCO. Web. 29 March. 2011.

James McGlinn “Password Hashing” Php Security ,Feb 2005. Web. 29 March 2011.