This excerpt is from Chapter 7 Passwords in Hacking For Dummies written by Kevin Beaver and published by Wiley Publishing. Download this sample chapter on passwords here for free.
Password hacking is one of the easiest and most common ways hackers obtain unauthorized computer or network access. Although strong passwords that are difficult to crack (or guess) are easy to create and maintain, users often neglect this. Therefore, passwords are one of the weakest links in the information-security chain. Passwords rely on secrecy. After a password is compromised, its original owner isn't the only person who can access the system with it. That's when bad things start happening.
Hackers have many ways to obtain passwords. They can glean passwords simply by asking for them or by looking over the shoulders of users as they type them in. Hackers can also obtain passwords from local computers by using password-cracking software. To obtain passwords from across a network, hackers can use remote-cracking utilities or network analyzers.
This chapter demonstrates just how easily hackers can gather password information from your network. I outline common password vulnerabilities that exist in computer networks and describe countermeasures to help prevent these vulnerabilities from being exploited on your systems.
If you perform the tests and implement the countermeasures outlined in this chapter, you're well on your way to securing your systems' passwords.
When you balance the cost of security and the value of the protected information, the combination of user ID and secret password is usually adequate. However, passwords give a false sense of security. The bad guys know this and attempt to crack passwords as a step toward breaking into computer systems.
One big problem with relying solely on passwords for information security is that more than one person can know them. Sometimes, this is intentional; often, it's not. You can't know who has a password other than the owner.
Knowing a password doesn't make someone an authorized user.
Here are the two general classifications of password vulnerabilities:
- Organizational or end-user vulnerabilities: This includes lack of password awareness on the part of end users and the lack of password policies that are enforced within the organization.
- Technical vulnerabilities: This includes weak encryption methods and insecure storage of passwords on computer systems.
Before computer networks and the Internet, the user's physical environment was an additional layer of password security. Now that most computers have network connectivity, that protection is gone.
For more related info on this topic, visit these SearchSecurity.com resources:
- Ask the Expert: Not changing passwords on regular basis
- Security Policies Tip: Password policies worst practices
- Ask the Expert: Pose your security policy and management questions to Kevin