Username and Password Authentication
Providing a username and password combination is the most common method for identification and authentication. It is easy and inexpensive to implement. This type of authentication requires “something you know”. In addition to being the most common type of authentication, it is also the weakest. Passwords are stolen through physical or electronic means or are simply guessed by an attacker. Username/password authentication is often used in combination with some other type of authentication, such as certificates or tokens, to provide additional security.
Similar to a password is a pass phrase, which is a complete sentence or other meaningful combination of words that is easier to remember than a password, but more secure simply because it’s longer. In a system that employs pass phrases, the actual phrase is not the value that is transmitted to the authentication service. Instead, the client on which the pass phrase is entered uses it to unlock a private key or generate a message digest, called a virtual password, which is actually used to authenticate. In a one-time password system, the authentication server challenges the client by sending the generation parameters. The client replies with a unique value based on the parameters received from the server combined with the pass phrase entered by the user. This value is unique and used only “one time”. Obviously this is the most secure type of password as the pass phrase itself is never transmitted over the network. And even if the virtual one-time password is captured, an attacker won’t be able to reuse it.
Another type of password is the cognitive password, which refers to answering challenge questions to which you should know the answer. For example, “What is your mother’s maiden name?”, “What is your favorite food?”, “What is the color of your pet?”. Cognitive passwords should not be used for logon purposes and critical systems in general because the answers to the questions are usually fairly easy to guess. A typical use of cognitive passwords is retrieving lost user credentials for a website, for example. The level of security provided by cognitive passwords can be increased if the user is allowed to make up the question and/or if multiple questions need to be answered.
As I mentioned earlier, password authentication is the most common, but also the weakest authentication method. When an attacker gets hold of a legitimate username and password, he won’t need a lot of skills to ‘hack’ into the system. The following paragraphs describe some of the most common vulnerabilities of username and password authentication and the actions you can take to mitigate the risks.
Password guessing is probably the most common attack related to authentication. Whether the attacker manually tries different usernames and passwords at a console or through a remote connection, or uses password guessing utilities to automate the process, it usually requires little skill.
Dictionary attacks – an attacker can connect a dictionary to a password guessing utility to automatically try actual words as passwords until it successfully logs on to the system.
Brute-force attacks – instead of using a dictionary with actual words, the attacker can use a password generator to try out every possible combination of characters until the valid password is discovered. A password generating utility is often combined with a dictionary, which is known as a hybrid password attack, to suggest passwords based on common password formats. For example, by combining actual English words or names with common strings as in “london123”, or “Joe007”.
Trojan Horses – can be used by an attacker to install a key logger or fake login interface that captures the user credentials while the user is typing them. The malicious utility will typically use IRC or email to send the captured results to the attacker.
Shoulder surfing – Another attack that presents a vulnerability to the use of passwords for authentication is shoulder surfing. This refers to a malicious individual, your trusty co-worker or a visiting client for example, looking over your shoulder to see what password you are typing on your keyboard so he can make a mental note of it and use it at later time to gain access and perform malicious deeds that will be blamed on you.
To reduce the risk of becoming a victim of one of the attacks above, every system should enforce a password policy, preferably coded into the authentication system in addition to being written on paper. Following are some of the common policies for password authentication systems.
Users must be required to use strong and complex passwords that include different types of characters and do not include actual words. A good example of a strong password is 8BsI$S#95i. But keep in mind that it needs to be possible for a human being to remember the password without feeling the need to write it down. The recommended minimum password length is 8 characters. Do not use dictionary or other easily guessable words such as names, 'matrix' or 'qwerty'. When a person or password checker tries to guess the password, it will typically start with common words. Additionally, a password should never be derived from the corresponding username.
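The policy above (minimum length, mixed character classes, no dictionary words, no hybrid forms like “london123”, nothing derived from the username) is straightforward to code into the authentication system. The checker below is an added example, not code from the original article; the word list is a constructed stand-in for a real dictionary, and the rule of requiring at least three of four character classes is an assumption made here, since the text only says to mix character types.

```python
import string
from typing import List, Optional

MIN_LENGTH = 8
# Constructed stand-in for a real dictionary / common-password list (assumption).
COMMON_WORDS = ("password", "qwerty", "matrix", "london", "welcome", "letmein", "joe")


def find_dictionary_word(password: str) -> Optional[str]:
    """Return the first common word embedded in the password, or None.

    A case-insensitive substring search also catches hybrid forms such as
    'london123' or 'Joe007', where a real word is padded with digits."""
    lowered = password.lower()
    for word in COMMON_WORDS:
        if word in lowered:
            return word
    return None


def check_password(password: str, username: str) -> List[str]:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems: List[str] = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Require a mix of character classes (at least 3 of 4 here; assumption).
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    present = sum(classes.values())
    if present < 3:
        problems.append(f"uses only {present} of 4 character classes")

    word = find_dictionary_word(password)
    if word is not None:
        problems.append(f"contains dictionary word '{word}'")

    # A password must never be derived from the username (forwards or reversed).
    u = username.lower()
    if u and (u in password.lower() or u[::-1] in password.lower()):
        problems.append("derived from the username")

    return problems


if __name__ == "__main__":
    for candidate, user in [("8BsI$S#95i", "alice"), ("london123", "bob"),
                            ("Joe007", "joe"), ("Alice#2024", "alice")]:
        print(candidate, "->", check_password(candidate, user) or "accepted")
```

The article's own example 8BsI$S#95i passes every rule, while “london123” and “Joe007” are rejected as hybrid dictionary passwords (and the latter for length as well).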
As a password ages, the chances of it getting disclosed increase. When a password is discovered by an attacker but the user is unaware of it, it may be exploited for a long time without anyone but the attacker knowing that the system has been compromised. Therefore, a maximum password age must be set to force users to change their password on a regular basis. When a user must change the password, he should not be allowed to reuse a previous password, thus the authentication system needs to keep a password history for every user.
Another important policy setting every authentication system should support is limiting the maximum number of login attempts. For example, when someone tries to log on to the same user account and enters an incorrect password more than 3 times in a row, the account should be locked. The account should be locked for a certain amount of time, or until an administrator unlocks it. This obviously makes it much more difficult for an attacker to use dictionary and brute-force attacks to guess the password.
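The two preceding policies (maximum password age with a per-user password history, and account lockout after three consecutive failures) fit naturally into one account record. The code below is an added example, not part of the original article: it keeps salted PBKDF2 digests of the current and previous passwords so reuse can be rejected without storing the passwords themselves, counts failed attempts, and locks the account either for a fixed period or until an administrator unlocks it. The 90-day maximum age, 15-minute lockout, history depth of five and the PBKDF2 parameters are assumptions chosen for the example; the three-strikes threshold is the one given in the text.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Tuple

MAX_FAILED_ATTEMPTS = 3                     # from the policy text
LOCKOUT_SECONDS = 15 * 60                   # assumption: lock for 15 minutes
MAX_PASSWORD_AGE_SECONDS = 90 * 24 * 3600   # assumption: 90-day maximum age
HISTORY_SIZE = 5                            # assumption: remember last 5 passwords
PBKDF2_ROUNDS = 100_000                     # assumption


def hash_password(password: str, salt: bytes = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 digest; a fresh salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    changed_at: float                                   # time of last password change
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest) of old passwords
    failed_attempts: int = 0
    locked_until: float = 0.0                           # 0 means not locked


def create_account(username: str, password: str, now: float) -> Account:
    salt, digest = hash_password(password)
    return Account(username, salt, digest, now)


def verify_current(acct: Account, password: str) -> bool:
    _, digest = hash_password(password, acct.salt)
    return hmac.compare_digest(digest, acct.digest)


def password_expired(acct: Account, now: float) -> bool:
    return now - acct.changed_at > MAX_PASSWORD_AGE_SECONDS


def login(acct: Account, password: str, now: float) -> str:
    """Return 'locked', 'bad_password', 'expired' or 'ok'."""
    if now < acct.locked_until:
        return "locked"
    if verify_current(acct, password):
        acct.failed_attempts = 0
        return "expired" if password_expired(acct, now) else "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        # Third consecutive failure: lock the account for LOCKOUT_SECONDS.
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.failed_attempts = 0
        return "locked"
    return "bad_password"


def change_password(acct: Account, new_password: str, now: float) -> bool:
    """Rotate the password; refuse the current password or any one in the history."""
    if verify_current(acct, new_password):
        return False
    for old_salt, old_digest in acct.history:
        _, candidate = hash_password(new_password, old_salt)
        if hmac.compare_digest(candidate, old_digest):
            return False
    acct.history.append((acct.salt, acct.digest))
    acct.history = acct.history[-HISTORY_SIZE:]
    acct.salt, acct.digest = hash_password(new_password)
    acct.changed_at = now
    return True


def admin_unlock(acct: Account) -> None:
    """Administrator override: clear the lock and the failure counter."""
    acct.locked_until = 0.0
    acct.failed_attempts = 0
```

Because every stored value is a salted digest, checking a new password against the history means re-hashing it under each old salt; with a bounded history that cost is small, and it avoids keeping any reusable secret on the server.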
A password should always be encrypted, whether it is stored on the local client, a remote authentication server, or transmitted over the network. A good authentication system does not send passwords over the network medium, to prevent eavesdropping and replay attacks. Instead it should use a challenge/response system.
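The challenge/response exchange called for here is the same mechanism the pass-phrase and one-time-password discussion described earlier: the client turns the pass phrase into a virtual password that never leaves the machine, the server sends generation parameters (a random challenge), and the client answers with a value that is only valid for that one challenge. The following is an added example illustrating both passages, not code from the original article. It assumes the server holds a copy of the virtual password registered once at enrolment, uses the username as the PBKDF2 salt, and uses an HMAC over the challenge as the one-time response; all three are choices made for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

PBKDF2_ROUNDS = 100_000  # assumption


def derive_virtual_password(passphrase: str, username: str) -> bytes:
    """Client side: reduce the pass phrase to a fixed-size secret (the 'virtual password').
    The phrase itself is never transmitted; the username serves as the salt (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), username.encode(), PBKDF2_ROUNDS)


def compute_response(virtual_password: bytes, challenge: bytes) -> bytes:
    """One-time response: HMAC of the server's challenge under the virtual password."""
    return hmac.new(virtual_password, challenge, hashlib.sha256).digest()


class AuthServer:
    def __init__(self) -> None:
        self.secrets: Dict[str, bytes] = {}    # username -> virtual password (registered at enrolment)
        self.pending: Dict[str, bytes] = {}    # username -> outstanding challenge, single use

    def register(self, username: str, virtual_password: bytes) -> None:
        self.secrets[username] = virtual_password

    def challenge(self, username: str) -> bytes:
        """Send fresh generation parameters; any earlier unanswered challenge is discarded."""
        nonce = os.urandom(16)
        self.pending[username] = nonce
        return nonce

    def verify(self, username: str, response: bytes) -> bool:
        """Consume the outstanding challenge and check the response against it.
        A captured response cannot be replayed: the next login gets a new challenge."""
        nonce = self.pending.pop(username, None)
        secret = self.secrets.get(username)
        if nonce is None or secret is None:
            return False
        return hmac.compare_digest(compute_response(secret, nonce), response)


def client_login(server: AuthServer, username: str, passphrase: str) -> Tuple[bool, bytes]:
    """The full exchange from the client's point of view; returns (success, response sent)."""
    vp = derive_virtual_password(passphrase, username)
    nonce = server.challenge(username)          # server -> client: generation parameters
    response = compute_response(vp, nonce)      # client -> server: one-time value
    return server.verify(username, response), response


if __name__ == "__main__":
    srv = AuthServer()
    srv.register("alice", derive_virtual_password("correct horse battery staple", "alice"))
    ok, captured = client_login(srv, "alice", "correct horse battery staple")
    print("login:", ok)
    srv.challenge("alice")
    print("replay of captured response:", srv.verify("alice", captured))
```

Only the challenge and the response cross the network; an eavesdropper who records both learns neither the pass phrase nor the virtual password, and the recorded response is useless against the next challenge.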
Last but not least, users should be educated so they become aware of the threats and risks associated with password authentication. Passwords should be kept private and stored securely and should not be written down.
It’s also important to teach users to recognize a social engineering attack, in which an attacker tries to steal a password from a user by non-technical means.