Sunday, August 25, 2013

Attacks on Passwords

There are two types of attacks that are commonly used against passwords: dictionary and brute force attacks. Dictionary attacks are performed by software tools that contain hundreds or thousands of words that are commonly chosen as passwords. The attacker usually captures a hashed value of a password, or a password file, and the tool then compares each of the words preloaded into the tool to the captured password until a match is uncovered.

Another type of attack on passwords is a brute force attack. In this attack type, a tool is used that tries every possible character and sequence of characters until the correct password is uncovered. So whereas a dictionary attack will attempt to match the password using a long list of words, a brute force attack will try to crack a password one character at a time.
Dictionary and brute force programs are not just used by evildoers. Oftentimes, systems administrators will use them to test the strength of users’ passwords to enforce a set password policy. Because many useful tools reside on the Internet, or are accessible to the general public, attackers and security professionals are typically equipped with the same firepower. Security professionals simply need to be smarter and take more precautions to protect against these never-ending threats. The following are some countermeasures for password attacks:
• Do not allow passwords to be sent in clear text.
• Encrypt the passwords with encryption algorithms or hashing functions.
• Employ one-time password tokens.
• Rotate passwords on a frequent basis.
• Employ intrusion detection systems (IDS) to detect dictionary or brute force attacks.
• Use dictionary tools to find weak passwords chosen by users.
• Protect password files properly.
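The dictionary check described above, run the way an administrator would audit a password file for weak choices, as an added example that is not part of the original post. The password file, salts and word list are constructed inline; a real audit would read the system's own store and use a slow hash such as bcrypt or Argon2 rather than plain SHA-256.

```python
import hashlib
import hmac

# Constructed sample store: user -> (hex salt, hex SHA-256(salt || password)).
# Salts are fixed here so the example is reproducible; real systems draw them
# from os.urandom and use a purpose-built slow hash instead of plain SHA-256.
def hash_password(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()

PASSWORD_FILE = {
    "alice": ("a1" * 8, hash_password("correct horse battery staple", bytes.fromhex("a1" * 8))),
    "bob":   ("b2" * 8, hash_password("password", bytes.fromhex("b2" * 8))),
    "carol": ("c3" * 8, hash_password("letmein", bytes.fromhex("c3" * 8))),
}

# Constructed word list standing in for the "commonly chosen" words a tool preloads.
DICTIONARY = ["123456", "password", "qwerty", "letmein", "admin", "welcome"]


def audit(password_file: dict, dictionary: list) -> tuple:
    """Compare every stored hash against the dictionary the way an audit tool does:
    recompute hash(salt || word) per candidate and check for a match.
    Returns ({user: matched_word}, number of hash computations performed).
    The attempt count shows why per-user salts and slow hashes matter: each
    user's salt forces the whole dictionary to be re-hashed for that user."""
    weak, attempts = {}, 0
    for user, (salt_hex, stored) in password_file.items():
        salt = bytes.fromhex(salt_hex)
        for word in dictionary:
            attempts += 1
            if hmac.compare_digest(hash_password(word, salt), stored):
                weak[user] = word
                break
    return weak, attempts


if __name__ == "__main__":
    found, work = audit(PASSWORD_FILE, DICTIONARY)
    for user, word in found.items():
        print(f"{user}: weak password matches dictionary entry {word!r}")
    print(f"{work} hash computations for {len(PASSWORD_FILE)} users")
```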
