Password Shortcomings

Passwords are a knowledge-based authentication method: the user must recall the secret precisely, every time they log in.
 
Knowledge-based authentication has historically been the most widely used method, partly out of adherence to tradition and partly because users are now thoroughly familiar with it.

Monthly Password Reset

What does a monthly password reset actually gain you? Even if a reset did lock out an attacker who had obtained the password, the attacker keeps access to the systems until the reset happens, which, depending on the length of the rotation period, can be up to a month. Meanwhile, what does forced rotation cost your organization in forgotten passwords, help-desk resets, and users choosing predictable variations of their old password?

Threats

Dictionary Attacks: dictionary attacks are getting more sophisticated; modern crackers try guesses in order of probability, starting with the most common words and the mangling rules (capitalization, appended digits, symbols and years) that users apply to them. Historically, admins fought back by enforcing password complexity rules, which today's rule sets anticipate.

Shoulder Surfing: somebody watches over your shoulder as you type your password.

Guessing: somebody guesses the password from what they know about you (names of family or pets, birthdays, interests).

Loss: a user forgets their password and has to have it reset.

Snooping: somebody intercepts a password sent over email, or catches one the user exposes by mistake, for example while screen-sharing during a presentation.

Exposure: an accident or unintended behavior releases the password, such as leaving it written down where others can see it.

Inference: the user or organization follows a set pattern (for example, appending an incrementing number at each forced reset) that an attacker can infer from one known password.

Disclosure: the user actively tells other people their password, such as managers telling their admins their passwords.

 

Counters

  1. Run a password-cracking program against your own users' password hashes (with authorization) so you find the weak ones before an attacker does.
  2. Increase the cost of cracking stored passwords: salt every hash so precomputed tables and cross-user amortization fail, and use a deliberately slow hash (bcrypt, scrypt, or PBKDF2) so that each guess is expensive. Salting alone does not make a single guess slower; it only stops one computation from being reused across users.
  3. User awareness training!
  4. Think outside the box: for example, the Stanford Password Policy, which relaxes complexity requirements as the password gets longer and drops them entirely for long passphrases.
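The dictionary attack listed under Threats, and counters 1 and 2 above, as one added example that is not part of the original post. It is a self-contained Python audit written for this page: a small probability-ordered wordlist with mangling rules is run against the same constructed set of users stored three ways (unsalted SHA-256, salted SHA-256, and salted PBKDF2-HMAC-SHA256), counting digest computations so that the separate effects of salting and of a slow hash are visible. The user names, passwords, wordlist, and the low iteration count are all assumptions made for the demo.

```python
import hashlib
import os
import time

# Constructed wordlist, ordered by assumed likelihood (most common first).
# A real audit would use a leaked-password corpus; this one is made up.
BASE_WORDS = ["password", "welcome", "summer", "letmein", "dragon", "monkey"]

# Deliberately low so the demo finishes in seconds (a demo assumption);
# production deployments use hundreds of thousands of iterations.
PBKDF2_ITERS = 20_000

# Constructed sample users; "dave" uses a passphrase absent from the dictionary.
USERS = {
    "alice": "password1",
    "bob": "Summer2014",
    "carol": "Summer2014",   # reused: identical to bob's
    "dave": "correct horse battery staple",
}


def mangle(word):
    """Guesses derived from one base word, most probable first: a tiny stand-in
    for a cracker's rule set (capitalisation, digit/symbol/year suffixes)."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "!", "2014"):
        yield word + suffix
        yield word.capitalize() + suffix


def candidates():
    """The whole probability-ordered dictionary: 10 guesses per base word."""
    for word in BASE_WORDS:
        yield from mangle(word)


def digest(scheme, salt, password):
    """Stored digest of one password under the given scheme."""
    pw = password.encode()
    if scheme == "sha256":          # fast and unsalted: the weak baseline
        return hashlib.sha256(pw).hexdigest()
    if scheme == "salted-sha256":   # still fast, but with a per-user salt
        return hashlib.sha256(salt + pw).hexdigest()
    if scheme == "pbkdf2":          # per-user salt and deliberately slow
        return hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ITERS).hex()
    raise ValueError(scheme)


def store(scheme, users):
    """Build a password table {user: (salt, digest)} for one scheme."""
    table = {}
    for user, password in users.items():
        salt = b"" if scheme == "sha256" else os.urandom(16)
        table[user] = (salt, digest(scheme, salt, password))
    return table


def crack(scheme, table):
    """Run the dictionary against one table; return (cracked, hash_ops).

    hash_ops counts digest computations, the attacker's actual cost. Unsalted:
    one hash per guess, checked against every user at once. Salted: every
    guess must be re-hashed separately for every user.
    """
    cracked, ops = {}, 0
    if scheme == "sha256":
        by_digest = {}
        for user, (_, d) in table.items():
            by_digest.setdefault(d, []).append(user)
        for guess in candidates():
            ops += 1
            for user in by_digest.get(digest(scheme, b"", guess), []):
                cracked[user] = guess
    else:
        for user, (salt, d) in table.items():
            for guess in candidates():
                ops += 1
                if digest(scheme, salt, guess) == d:
                    cracked[user] = guess
                    break
    return cracked, ops


def audit(users=USERS):
    """Crack the same users under all three schemes; return per-scheme results."""
    results = {}
    for scheme in ("sha256", "salted-sha256", "pbkdf2"):
        table = store(scheme, users)
        start = time.perf_counter()
        cracked, ops = crack(scheme, table)
        results[scheme] = {"cracked": cracked, "hash_ops": ops,
                           "seconds": time.perf_counter() - start}
    return results


if __name__ == "__main__":
    for scheme, r in audit().items():
        print(f"{scheme:14s} cracked={sorted(r['cracked'])} "
              f"hash_ops={r['hash_ops']} time={r['seconds']:.2f}s")
```

Run it directly and it prints one line per scheme. The unsalted table falls in 60 digests for all users together, and bob and carol having identical digests betrays a reused password before a single guess is made. The salted tables need 123 digests because every guess has to be repeated per user, and with PBKDF2 each of those 123 costs 20,000 HMAC rounds instead of one, which is what turns a millisecond audit into seconds and, at production iteration counts, a trivial dictionary run into a real expense. dave survives every run because no passphrase is in the wordlist; the more sophisticated crackers the post mentions would extend the wordlist and rules rather than brute-force 28 characters. Only run this kind of audit against hashes you are authorized to test.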

Future password possibilities? 

Graphical/image-based passwords, an alternative to text-based passwords.

More Reading

http://www.cerias.purdue.edu/site/blog/post/password-change-myths/
