By Paul Korzeniowski TechNewsWorld Part of the ECT News Network
03/19/04 6:22 AM PT
Passwords are the first line of defense in almost every company's security scheme. But sometimes they are the weakest link because they can be easily guessed, stolen or otherwise compromised. If a firm wants to keep its information secure, then it needs to put additional security checks in place.
Passwords are widely used because they offer everyone a simple way to provide a basic level of security. "Just about every application sold today comes with an integrated password system," Pete Lindstrom, research director at Spire Security, a security consultancy, told TechNewsWorld.
Because password systems are so ubiquitous, hackers have been able to identify their limitations and develop ways to take advantage of them. The most common password attack is a frontal assault, during which a hacker uses automated hit-or-miss software to enter various user IDs and passwords until hitting upon a combination that works.
Numerous Web sites feature software programs that help hackers crack password systems, and several types of tools are quite popular for this purpose. Ultimately, what can defeat all of these tools is a sound security policy that requires users to regularly change their passwords and avoid using simple words. Still, it is helpful for consumers and IT pros to be aware of the various password-hacking techniques available to those with malicious intent.
Dictionary Attacks: Brushing Up on Vocabulary
A dictionary attack is a common way to break a password system. A dictionary file -- a text file full of dictionary words, usually in English -- is loaded into an ID cracking application (such as L0phtCrack) and then run against an application's user accounts. Because the majority of passwords are often simplistic -- a first name, street name or city -- a dictionary attack can be sufficient to break into an application.
In the past, such attacks could take days, weeks or even months. But now, thanks to increased computer-processing power, dictionary attacks can crack a password system in a matter of minutes.
One way to protect against a dictionary attack is to force users to rely on long password strings with combinations of letters, numbers and special characters that form passwords not found in the English language. However, this approach is not foolproof because hackers have developed hybrid attack software, in which a dictionary program simply adds numbers or symbols to its checks.
This hybrid, or dictionary-plus, attack also can be effective because many people change their passwords simply by adding a number to the end of their current one. Such changes follow a recognizable pattern, which users rely on to help them remember their passwords. For instance, a user with a password of "Joseph" might change it to "Joseph1" for the sake of remembering. But this kind of password will not provide strong protection against a sophisticated dictionary attack.
Dictionary attacks, however, don't work particularly well against a system protected by a nondictionary password. The next step is a brute-force attack, the hacker's most comprehensive method: the hacker enters numerous combinations of letters, numbers and symbols. Brute-force attacks can take time: days, weeks or even months, depending on the complexity of the password system.
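The password checks described above, written as an added example that is not part of the original article: a small policy checker that rejects dictionary words even when digits or symbols have been tacked on (the hybrid "Joseph1" case), refuses a "new" password that is just the old one with a suffix, and estimates the brute-force keyspace from the character classes used. The word list, threshold values and function names are constructed for illustration, not taken from any product named in the article.

```python
import math
import re
import string
from typing import Dict, List

# Constructed mini word list standing in for the dictionary file a cracking
# tool would load; a real deployment would read a large list from disk.
COMMON_WORDS = {"joseph", "password", "london", "summer", "mainstreet", "welcome"}


def dictionary_base(password: str) -> str:
    """Reduce a password to the word a hybrid attack would try first:
    lowercase it and strip any digits/symbols prepended or appended."""
    core = password.lower()
    core = re.sub(r"^[^a-z]+", "", core)   # leading "!!", "2004", etc.
    core = re.sub(r"[^a-z]+$", "", core)   # trailing "1", "2004!", etc.
    return core


def keyspace_bits(password: str) -> float:
    """Estimate brute-force keyspace in bits: length * log2(alphabet size),
    where the alphabet is the union of character classes actually present."""
    alphabet = 0
    if any(c in string.ascii_lowercase for c in password):
        alphabet += 26
    if any(c in string.ascii_uppercase for c in password):
        alphabet += 26
    if any(c in string.digits for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)   # 32 printable ASCII symbols
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def is_trivial_change(old: str, new: str) -> bool:
    """True when the new password is the old one with digits/symbols
    added or removed, i.e. the "Joseph" -> "Joseph1" pattern."""
    return dictionary_base(old) == dictionary_base(new)


def check_password(password: str, min_length: int = 12,
                   min_bits: float = 60.0) -> List[str]:
    """Return the list of policy violations (empty list means acceptable).
    Thresholds are assumed values for the example, not a published standard."""
    problems: List[str] = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if dictionary_base(password) in COMMON_WORDS:
        problems.append("dictionary word (a hybrid attack strips the added digits/symbols)")
    if keyspace_bits(password) < min_bits:
        problems.append("brute-force keyspace below %.0f bits" % min_bits)
    return problems


def audit(candidates: Dict[str, str]) -> Dict[str, List[str]]:
    """Check a batch of (user -> proposed password) pairs; handy for a
    help-desk reset workflow. Input is constructed for the example."""
    return {user: check_password(pw) for user, pw in candidates.items()}


if __name__ == "__main__":
    for user, problems in audit({"joe": "Joseph1",
                                 "ann": "Tq7!mZ9&vLp2wX"}).items():
        print(user, "OK" if not problems else problems)
    print("trivial change:", is_trivial_change("Joseph", "Joseph1"))
```

The check deliberately normalises before looking the word up, because the weakness the article describes is that "Joseph1" and "Joseph" are the same password to a hybrid cracker; a policy that only compares the literal string would wave the change through.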
Capturing Data and Duping Users
In addition to frontal attacks, hackers can rely on several other methods to break into corporate networks. A back-door attack is one in which a hacker gains access to a corporate network access point, such as a wireless access point. The hacker then might place a protocol analyzer -- better known as a network sniffer, such as Sniffer Pro or Etherpeek -- on the network.
The tool is designed to capture data that passes along a network segment. In promiscuous mode, the tool examines everything from user logins to data transfers. The hacker collects this information in a file, uses a popular hacker tool like LC4 to pull out any encrypted Windows passwords that went over the network, and converts them to plain text so they are usable user IDs and passwords.
While this is a somewhat elaborate attack, password security can be compromised in more rudimentary ways as well. Because threats often come from internal sources -- such as disgruntled employees -- breaking into a system can be as simple as finding a sticky note with a password and user ID written on it either stuck to a monitor or hidden under a keyboard.
Another technique is known as "dumpster diving." Here, an attacker goes through a firm's garbage in search of discarded documentation that might contain user IDs and passwords.
Online commerce transactions also make the process of finding passwords simpler for those bent on malicious activities. "In some cases, a hacker will call, pretend to be a help desk official and ask a person for his ID and password," noted Todd Ulrich, director of product marketing at RSA Security (Nasdaq: RSAS). Hackers also will send e-mail messages to users and ask them to respond with their ID and password.
Solution to Security Is Legion
Creating robust password policies is the most effective way to mitigate these attacks. This process starts with forcing users to create strong passwords -- not simple words or phrases -- and to change them periodically. Surprisingly, however, these are steps many corporations do not take. "In most cases, companies do not want to burden their employees with complex passwords that are often changing, so the password system is weak," Dan Blum, research director at consulting firm Burton Group, told TechNewsWorld.
Increasingly, companies are moving to two-factor identification, in which users must provide a password and something else before being granted access to a system. A smart card, such as RSA Security's SecurID, is one type of two-factor identification system. Used in conjunction with a central server, a smart card functions like an ATM card and provides users with unique identifiers that are required whenever they want to access an application.
Security keys are another option, and many browsers include software that identifies a user to an application. Biometrics is a third form of two-factor identification. Here, users enter a personal identifier -- a fingerprint, retina scan or voice sample -- before being allowed into a network.
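To show what the central server's side of a token-based second factor looks like, here is an added example that is not part of the original article and is not RSA's SecurID algorithm: it uses the generic HMAC-based one-time-code construction (the HOTP/TOTP scheme from RFC 4226/6238), where the token and the server share a secret and derive a short code from the current time step. The login succeeds only when both the salted password hash and the time-based code check out. User records, secrets and the clock value are constructed for the example.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

STEP_SECONDS = 30   # assumed time step shared by token and server


def one_time_code(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian counter, dynamically truncated to
    a decimal code (the RFC 4226 construction)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def verify_second_factor(secret: bytes, submitted: str, now: float,
                         window: int = 1) -> bool:
    """Accept the code for the current time step or one step either side,
    to tolerate clock drift. compare_digest avoids a timing side channel."""
    counter = int(now // STEP_SECONDS)
    for drift in range(-window, window + 1):
        expected = one_time_code(secret, counter + drift)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def register(users: Dict[str, dict], username: str, password: str,
             token_secret: bytes) -> None:
    """Store a salted PBKDF2 hash of the password plus the token secret.
    Passwords are never kept in clear, so a captured record alone is
    not a usable credential."""
    salt = os.urandom(16)
    users[username] = {
        "salt": salt,
        "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
        "token_secret": token_secret,
    }


def login(users: Dict[str, dict], username: str, password: str,
          code: Optional[str], now: float) -> bool:
    """Two-factor login: password hash must match AND the one-time code
    must verify. Both checks always run so a wrong password does not
    leak through timing whether the user exists."""
    record = users.get(username)
    if record is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], 100_000)
    password_ok = hmac.compare_digest(candidate, record["hash"])
    code_ok = code is not None and verify_second_factor(
        record["token_secret"], code, now)
    return password_ok and code_ok


if __name__ == "__main__":
    # Constructed demo: RFC 4226 test secret, fixed clock value.
    store: Dict[str, dict] = {}
    register(store, "alice", "correct horse battery", b"12345678901234567890")
    now = 1000.0
    code = one_time_code(b"12345678901234567890", int(now // STEP_SECONDS))
    print("password + code:", login(store, "alice", "correct horse battery", code, now))
    print("password only:  ", login(store, "alice", "correct horse battery", None, now))
```

Because the code changes every time step and is derived from a secret that never crosses the wire, a password captured by a sniffer or read off a sticky note is not enough on its own; the drift window should stay small, since every extra step widens the set of codes the server will accept.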
"Biometrics are gaining interest because they rely on something the user always carries," Spire Security's Lindstrom told TechNewsWorld.
While these systems add expense and overhead to corporate networks, companies are taking a closer look at them. "Corporations are beginning to realize that password systems are not secure, so many are taking additional steps to protect their data," Burton Group's Blum told TechNewsWorld.