To Defend against Password Cracking of systems in Ethical Hacking, you need to know how password cracking functions. Password cracking is the act of using a computer program to try to guess an inputted password. There are many forms of attacks that can be used in this process, but they all result in the same goal of trying to gain access to an account without knowing what the true master password is. This may seem like a low-priority problem for systems administrators, as there are other security measures that can mitigate this risk; however, it’s important for ethical hackers to understand how password cracking functions and how defenses against these attacks can be put into place by properly configuring software firewalls and operating systems.
Password Policies:
- In computer security, password policies are rules that dictate how a user is allowed to select and use passwords. Password policies exist because of the significant risk of a breach in credential security posed by weak or stolen passwords.
- Password policies vary widely among companies and industries. As with any computer or network security policy, password policies should be written to achieve the intended goals of the organization while balancing its resources and risks.
- The most commonly used methods for enforcing company-wide password policy include periodic login reviews, biometric identification (for example fingerprint login), periodic monitoring for errors made when logging on, remote networks, and multifactor authentication such as smart cards or tokens embedded in USB drives.
Password Screening:
The following are the password screening tests that should be carried out before it is allowed to enter into a system.
- Password Expiration: This policy is implemented to ensure that the user changes his pass-word after a year (or any time period you specify). For example, if you give a password for one month and when you try to connect again with the same password, then you will get an error message saying that your password has expired. So, your users will change their passwords on a monthly basis, so their accounts remain secure.
- Password Strength: Password strength is calculated using a formula. This formula calculates the number of characters in the password, the number of different symbols that can be used in a password, and the amount of time before passwords should be changed. A low-strength password is one that uses a few symbols and is changed often. A high-strength password is one that uses a wide variety of symbols and is changed infrequently.
- Password length: Password length should not be more than or equal to 15 characters including spaces, digits, special characters, etc. While writing the password, make sure that it fits in your mind. For example, if your password has not more than 12 characters including digits then you may write something like 12345678901234567890 which will be easy for you to remember, but it contains less than the requirement for a strong password.
Password Cracking Function:
The attack only works against systems that use password-based authentication to gain access. Typical security measures that administrators implement in order to secure their systems can be bypassed by a password cracker. For example, if the administrator forgets his password and leaves his login details on a sticky note on the desktop, an attacker could easily use this method to gain access to the system.
This is because a password cracker attempts to guess passwords based on patterns, which can be deduced from words that appear in previous passwords that have already been guessed or are known by an attacker through some other means.
Prevention From Password Attacks:
To defend against a password cracking attack, the software firewall should be configured in such a way that it will intelligently randomize the characters of any passwords, utilizing non-standard character sets such as uppercase and lower case letters, numbers, and symbol characters. The goal is to make it as difficult as possible for an attacker to figure out a pattern. A standard keyboard utilizes only 26 letters in English alphabetical order; however, special applications can easily allow for more non-standard characters to be used when inputting text fields.
The operating system should be configured to not store passwords in plaintext so that if they are somehow compromised on the local computer, they will still remain encrypted when accessed from another system.
Types of Attacks in Password Cracking:
Some of the most common methods of password cracking are brute-force attacks and dictionary attacks, both of which can be used in password cracking against all types of systems. Brute force is the process of guessing passwords based on the numerical character sets that are available on those systems. For example, if a system utilizes a numeric keyboard, it would not be possible to use lower case letters unless you’ve changed your keyboard layout, which is not feasible for most users. Dictionary attacks passwords based on words that appear in certain combinations.
Defend Against Password Cracking:
In order to defend against password cracking, the following should be taken into consideration:
- The best method is to employ a two-factor authentication system such as biometric scanners that can be used in conjunction with a password and PIN. This can be achieved through using an OTP (One Time Password),
- messages that are sent to users’ mobile devices upon establishing login, or through the use of some other device that can be configured for two-factor authentication as well.
- If you’re able to obtain security certificates from your Certificate Authority (CA), you can set up a password encryption system where all passwords are hashed, which means the user will not have full visibility of the plaintext of their passwords.
- Have a secure system that is backed up using schedules, so even if you lose your data in a permanent manner (intentionally or unintentionally) it allows for data to be easily restored.
- Establish strong password policies that demand a minimum length of 13 characters and limit the use of words in the dictionary by using character substitution.
- Utilize non-standard characters such as uppercase and lowercase letters, along with numbers and symbol characters when creating password input fields. This will make it difficult for attackers to discern patterns in passwords through the analysis of large data sets.
- Utilize exception-based reporting monitoring and identify any suspicious activity, along with the creation of a monitoring solution that will alert you of any login attempts that cannot be mapped to an existing user account.
- Bypassing security measures by utilizing social-engineering techniques is possible, it is important for administrators to educate employees in order to defend against these attacks.
- Do not use the same password across multiple systems (unless it’s encrypted through a secure system). Use a different password for each login, and do not write them down on a sticky note that can be left on your desktop for anyone to find.