Password Guessing
Copyright(c) Management Analytics, 1995 - All Rights Reserved
Copyright(c), 1990, 1995 Dr. Frederick B. Cohen - All Rights Reserved
Problem:
Many users choose easily guessed passwords, such as their user ID
spelled backwards, their phone number, or their first or last name.
An attacker who simply tries these obvious candidates first can often
log in without needing any other weakness in the system.
Prevention:
On most UNIX systems, the password changing program only
permits passwords of a minimum length and requires that they contain both
letters and digits or special characters. This still leaves many
easily guessed passwords, since a name followed by a single digit
satisfies both rules.
Detection:
Password testing programs can be used to guess obvious passwords
already in use, or to tell a user that a chosen password is too obvious
before it is accepted.
Cure:
In most modern UNIX systems, passwords must have a minimum
length and be made up of letters and digits, but far better password
restrictions can be easily implemented if a source version of the
`passwd' program is available for customization. In some cases, a
time-dependent or use-dependent cryptographic key (a one-time password
token) is appropriate for further protection, and in still fewer cases,
biometric devices may be appropriate.
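The checks described under Detection and Cure above, as an added example that is not part of the original page and not a specific vendor's `passwd' program: a proactive password filter that rejects the obvious choices the Problem section lists (the login name, the login name reversed, a first or last name, a phone number) together with plain or digit-substituted dictionary words, and enforces the length and mixed-character rules. The `UserInfo' fields, the small built-in word list and the function names are assumptions for the example; a real deployment would read the system dictionary and be called from the password changing program.

```python
"""Proactive password check: reject what an attacker guesses first.

Added example, not a specific passwd(1) implementation.  The rule set,
the UserInfo record and SMALL_DICTIONARY are assumptions chosen to
illustrate the checks the page describes.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed stand-in for a system word list; a real check would load
# /usr/share/dict/words or a password-cracking dictionary instead.
SMALL_DICTIONARY = {"password", "secret", "welcome", "letmein", "dragon", "monkey"}

# Undo common digit/symbol-for-letter substitutions so that "p4ssw0rd"
# is still recognised as "password" and "fr3d" still matches "fred".
_LEET_TABLE = str.maketrans("013457@$", "oleastas")


@dataclass
class UserInfo:
    """Account data the checker compares the candidate against (assumed fields)."""
    login: str
    first_name: str = ""
    last_name: str = ""
    phone: str = ""


def _letters_only(s: str) -> str:
    """Lower-case, undo leetspeak, and drop everything that is not a letter."""
    return re.sub(r"[^a-z]", "", s.lower().translate(_LEET_TABLE))


def _digits_only(s: str) -> str:
    return re.sub(r"\D", "", s)


def check_password(candidate: str, user: UserInfo, min_len: int = 8,
                   dictionary: set[str] = SMALL_DICTIONARY) -> list[str]:
    """Return the reasons a candidate is weak; an empty list means accepted."""
    reasons: list[str] = []

    # 1. The minimum-length and mixed-class rules most passwd programs apply.
    if len(candidate) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    has_alpha = any(c.isalpha() for c in candidate)
    has_other = any(not c.isalpha() for c in candidate)
    if not (has_alpha and has_other):
        reasons.append("must mix letters with digits or special characters")

    # 2. Personal information, forward and reversed, ignoring case and
    #    leetspeak.  Tokens shorter than three letters would match almost
    #    anything, so they are skipped.
    core = _letters_only(candidate)
    for token in (user.login, user.first_name, user.last_name):
        token = token.lower()
        if len(token) >= 3 and (token in core or token[::-1] in core):
            reasons.append(f"derived from personal information ({token!r})")
            break

    # 3. The user's phone number, compared digit-string to digit-string so
    #    that punctuation in either does not hide a match.
    pw_digits = _digits_only(candidate)
    phone_digits = _digits_only(user.phone)
    if phone_digits and len(pw_digits) >= 4 and (
            pw_digits in phone_digits or phone_digits in pw_digits):
        reasons.append("contains the user's phone number")

    # 4. A dictionary word, even when padded with digits or leetspeak.
    if core in dictionary:
        reasons.append(f"dictionary word ({core!r})")

    return reasons


if __name__ == "__main__":
    # Constructed sample account; the values are not real.
    who = UserInfo(login="fbc", first_name="Frederick", last_name="Cohen",
                   phone="555-1234")
    for pw in ("cbf", "Cohen1995!", "p4ssw0rd!", "5551234ab", "xq7#Lm!vR2"):
        verdict = check_password(pw, who)
        print(f"{pw!r:14} -> {'OK' if not verdict else '; '.join(verdict)}")
```

The checker returns every reason it finds rather than stopping at the first, so a wrapper around the password changing program can show the user exactly why a choice was refused. Because the same function can be run over a list of guesses against existing accounts, it doubles as the after-the-fact testing program the Detection section mentions.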
Prevention:
Another feature of many UNIX systems is password aging. In
this scheme, passwords must be changed periodically in order to remain
valid. This limits how long a guessed password, or one obtained by other
means, remains useful to an attacker.