Data Protection and Security

VI Identification and Entity Authentication

VII.II Passwords

Password Rules

Since dictionary attacks are successful against predictable passwords, some systems impose “password rules” to discourage or prevent users from using weak passwords. These rules include the following:

  • A lower bound on the password length (e.g. 8 or 12 characters).
  • A requirement that each password contain at least one character from each of a set of categories (e.g. uppercase, numeric, non-alphanumeric).
  • A rule that passwords must not be composed of account-related information such as user IDs or substrings of them.
  • A rule imposing a change of the password at regular time intervals.
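A checker that enforces the four rules listed above, as an added example that is not part of the course text; the policy thresholds it uses (a 12-character minimum, a 90-day change interval and 4-character user-ID fragments) are assumed values, not figures from the course.

```python
import re
from datetime import date, timedelta

# Character categories a password must draw from (at least one of each).
CATEGORIES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "numeric": re.compile(r"[0-9]"),
    "non-alphanumeric": re.compile(r"[^A-Za-z0-9]"),
}


def check_password(password, user_id, last_changed=None, today=None,
                   min_length=12, max_age_days=90, min_substring=4):
    """Return the list of rule violations; an empty list means the password passes.

    min_length, max_age_days and min_substring are assumed policy values.
    """
    violations = []

    # Rule 1: lower bound on the password length.
    if len(password) < min_length:
        violations.append("too_short")

    # Rule 2: at least one character from each category.
    for name, pattern in CATEGORIES.items():
        if not pattern.search(password):
            violations.append(f"missing_category:{name}")

    # Rule 3: no account-related information. The comparison is case-insensitive
    # and rejects the whole user ID as well as any fragment of min_substring chars.
    pw, uid = password.lower(), user_id.lower()
    fragments = {uid[i:i + min_substring] for i in range(len(uid) - min_substring + 1)}
    if uid and (uid in pw or any(frag in pw for frag in fragments)):
        violations.append("contains_user_id")

    # Rule 4: forced change at regular intervals, checked as password age.
    if last_changed is not None:
        today = today or date.today()
        if today - last_changed > timedelta(days=max_age_days):
            violations.append("expired")

    return violations


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    print(check_password("alice2023!", "alice", date(2023, 12, 1), date(2024, 1, 1)))
    print(check_password("Tr0ub4dor&3xyz", "alice", date(2023, 1, 1), date(2024, 1, 1)))
```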

Insecurity of Passwords:

As seen in Figure 2, the classical way of authenticating via passwords in early protocols consists of four steps:

  1. The user enters the name and the password.
  2. The client machine sends the name and the password across the network.
  3. The server uses the password to authenticate the user's identity.
  4. The server authorizes access for the authenticated identity.

Figure 2. How to Break Passwords

Consequently, an attacker has four main targets when trying to break the security of a password-based authentication scheme:

  1. User (Social Engineering Attacks)
  2. Network
    1. Passive listening
    2. Active attacks
  3. Client Machine
  4. Server Machine

Perhaps the easiest of the four is the social attack, provided the attacker can somehow persuade an untrained user to give away his password, e.g. by introducing himself as the system administrator over the phone. This type of attack is not limited to this simple case but includes more intelligent and sophisticated techniques. (See the section on phishing attacks.)
