Hacking For Dummies: Chapter 7 -- Passwords

Written by Kevin Beaver; published by Wiley Publishing

This excerpt is from Chapter 7 Passwords in Hacking For Dummies written by Kevin Beaver and published by Wiley Publishing. Download this sample chapter on passwords here for free.

Password hacking

    Requires Free Membership to View

is one of the easiest and most common ways hackers obtain unauthorized computer or network access. Although strong passwords that are difficult to crack (or guess) are easy to create and maintain, users often neglect this. Therefore, passwords are one of the weakest links in the information-security chain. Passwords rely on secrecy. After a password is compromised, its original owner isn't the only person who can access the system with it. That's when bad things start happening.

Hackers have many ways to obtain passwords. They can glean passwords simply by asking for them or by looking over the shoulders of users as they type them in. Hackers can also obtain passwords from local computers by using password-cracking software. To obtain passwords from across a network, hackers can use remote-cracking utilities or network analyzers.

This chapter demonstrates just how easily hackers can gather password information from your network. I outline common password vulnerabilities that exist in computer networks and describe countermeasures to help prevent these vulnerabilities from being exploited on your systems.

If you perform the tests and implement the countermeasures outlined in this chapter, you're well on your way to securing your systems' passwords.

Password Vulnerabilities
When you balance the cost of security and the value of the protected information, the combination of user ID and secret password is usually adequate. However, passwords give a false sense of security. The bad guys know this and attempt to crack passwords as a step toward breaking into computer systems.

One big problem with relying solely on passwords for information security is that more than one person can know them. Sometimes, this is intentional; often, it's not. You can't know who has a password other than the owner.

Knowing a password doesn't make someone an authorized user.

Here are the two general classifications of password vulnerabilities:

  • Organizational or end-user vulnerabilities: This includes lack of password awareness on the part of end users and the lack of password policies that are enforced within the organization.
  • Technical vulnerabilities: This includes weak encryption methods and insecure storage of passwords on computer systems.

    Before computer networks and the Internet, the user's physical environment was an additional layer of password security. Now that most computers have network connectivity, that protection is gone.


    For more related info on this topic, visit these SearchSecurity.com resources:
  • Ask the Expert: Not changing passwords on regular basis
  • Security Policies Tip: Password policies worst practices
  • Ask the Expert: Pose your security policy and management questions to Kevin

    This was first published in May 2004

  • There are Comments. Add yours.

    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.