is the procedure of identifying an entity based on a private detail. For
example, a human can be identified by his passport, his fingerprint etc. With
system, other unique characteristics are needed to prove their identity.
Some of the
ways and forms for computer systems authentication can be categorized as below:
• What the user
knows _ authentication basing on what the user knows (e.g. PIN, pass
• What the user
has _ authentication based on the something the user possess (e.g. memory
card, a key, smart card tokens)
• What the user
is _ authentication based on biometric features : physiological features such as fingerprint
or behavior feature like keyboard dynamics.
Classification by authentication approaches
Knowledge based authentication is the most used type of
Instances of knowledge-based
authentication are among others: secrete passwords, pass sentences or pass
phrases, PIN (Personal Identification Numbers) or even a graphical image.
To prove users
and authenticate them over a public (Unsecure) network for instance the Internet,
they are used digital signatures and digital certificates which are encrypted
using a public and private key to make them secure enough. A secure entity
provides the PKI (Public key Infrastructure).
based on what one owns is also referred as token based authentication and as
named, it is built on a secrete device that a user has. It is mainly intended
to physical objects a user has as token (a key for a door for example). Need to
mention a very important disadvantage of possession-based authentication as a
token may have been stolen or copied then presented, so it doesn’t authenticate
the user as perfectly. There are other administrative problems and the fact
that the user has always to carry his/her token whenever needs access.
Tokens are regularly
distributed in two main sets: memory and
On one hand,
memory tokens stock information as it is and need not to process it. A largely
used memory token is the magnetic card, which is used as a combination of what
a user has and what he knows (PIN) ,this adds a layer of security to the token.
Memory token are not expensive to make, and with a password they become more
secure other than using a pin by itself or a token itself.
Smart tokens on
the other hand, they possess a circuit in them making them able to process the
data in some sort. As memory tokens, smart tokens also are more secure when
they are used with a knowledge based authentication like a PIN. The most used
smart token is the one embedded with
tokens, smart tokens incorporate one or more embedded integrated
circuits which enable them to process information. Like memory tokens, most
smart tokens are employed to authenticate together side to a knowledge-based authenticatingsystem
such as a PIN. One of the many kinds of smart tokens is the one embedded with a
chip that contains a microprocessor. The fact that they’re easily portable and
secured with high cryptography have led them to be the most used in e-commerce.
Obviously, smart tokens are expensive than memory token but they provide better
security and greater flexibility. Smart tokens high security level, with a use
of an OTN (one time password) from a bank for instance, make it possible to
purchase online on public internet without wide insecurity.
authentication is an authentication on what the user is. It is the unique
humanly features that are used to identify them whether be anatomical,
behavioral characteristics and features associated to user or physiological.
Biometric authentications rely on the fact that humans are different, and some
features exist one person and him only in the world. So it is possible to prove
an identity based on who the user claims to be, rather than his knowledge-based
or possession-based authenticity. The
system involved in biometric is a pattern recognition consisting 3 principal
The users’ individualqualities are recorded
and stored in reference documents to be compared for future authentication to define
if there is a match. The accurateness of different types of biometric systems can
be checked by evaluating the percentage of errors that the system give:
rejection, which is, false non-match (type I error)
acceptance, which is, false match (type II error).
system with low level of erroneous results is much more preferred for
B. Password Cracker
password cracking mechanism is an application that is used to figure out what a
hidden password is. The use of password crackers can be done illegally by black
hat crackers or legally, by a professional testing the robustness of a password
or when trying to figure out a forgotten password.
crackers, to identify hidden passwords, use two main methods:
force and dictionary attack
attack consist of running a set of words guessing the correct password until it
finds it. It does a good job of finding the correct length then throws guesses
until the correct combination is found according to the computer system.
of characters within a predetermined length until it finds the combination
accepted by the computer system. When conducting a dictionary
dictionaries come in various themes, from politic, music, religions to kids
programs are a hybrid of words and numbers, sometimes even symbols. For
instance if “ali” doesn’t work as a password, it can throw in
“ali90” “ali91”, “ali92” etc. It doesn’t limit the guessing to readable
words only because, password crackers can go up to using pre-encrypted words
from various cryptographic algorithms.
In order to
protect your system against todays attack, one should be aware of any new trend
in hacking so as to check if his system is secured against it. It is imperative
to audit ones system regularly to check if infiltrated(by running cracking
tools on your own organization), change the passwords regularly, make passwords
longer and including various symbols.
§ Password Guessing:
The most common type of attack is password guessing. Attackers can
guess passwords locally or remotely using either a manual or automated
approach. Password guessing isn’t always as difficult as you’d expect. Most
networks aren’t configured to require long and complex passwords, and an
attacker needs to find only one weak password to gain access to a network. Not
all authentication protocols are equally effective against guessing attacks.
For example, because LAN Manager authentication is case-insensitive, a password
guessing attack against it doesn’t need to consider whether letters in the
password are uppercase or lowercase.
Many tools can automate the process of typing password after
password. Some common password guessing tools are Hydra, for guessing all sorts
of passwords, including HTTP, Telnet, and Windows logons; TSGrinder, for
brute-force attacks against Terminal Services and RDP connections; and SQLRecon,
for brute-force attacks against SQL authentication.
Automated password guessing programs and crackers use several
different approaches. The most time consuming—and most successful—attack method
is the brute-force attack, in which the attacker tries every possible
combination of characters for a password, given a character set and a maximum
Dictionary attacks work on the assumption that most passwords
consist of whole words, dates, or numbers taken from a dictionary. Dictionary
attack tools require a dictionary input list. You can download varying
databases with specific vocabularies (e.g., English dictionary, sports, even
Star Wars trivia) free or commercially off the Internet.
Hybrid password guessing attacks assume that network administrators
push users to make their passwords at least slightly different from a word that
appears in a dictionary. Hybrid guessing rules vary from tool to tool, but most
mix uppercase and lowercase characters, add numbers at the end of the password,
spell the password backward or slightly misspell it, and include characters
such as @!# in the mix. Both John the Ripper and Cain & Abel can do hybrid
§ Password Resetting:
Attackers often find it much easier to reset passwords than to
guess them. Many password cracking programs are actually password resetters. In
most cases, the attacker boots from a floppy disk or CD-ROM to get around the
typical Windows protections. Most password resetters contain a bootable version
of Linux that can mount NTFS volumes and can help you locate and reset the
A widely used password reset tool is the free PetterNordahl-Hagen
program. Winternals ERD Commander 2005, one of the tools in Winternals
Administrator’s Pak is a popular commercial choice. Be aware that most
password reset tools can reset local Administrator passwords residing only on
local SAM databases and can’t reset passwords in Active Directory (AD).
§ Password Cracking:
Although password resetting is a good approach when all you need is
access to a locked computer, resetting passwords attracts unwelcome attention.
Attackers usually prefer to learn passwords without resetting them. Password
cracking is the process of taking a captured password hash (or some other
obscured form of the plaintext password or challenge-response packets) and
converting it to its plaintext original. To crack a password, an attacker needs
tools such as extractors for hash guessing, rainbow tables for looking up
plaintext passwords, and password sniffers to extract authentication
Hash guessing: Some
password cracking tools can both extract and crack password hashes, but most
password crackers need to have the LM password hash before they can begin the
cracking process. (A few tools can work on NT hashes.) The most popular Windows
password hash extractor is the Pwdump family of programs. Pwdump has gone
through many versions since its release years ago, but Pwdump4 is the current
To extract password hashes using Pwdump, you must have
administrative access to the local or remote machine you’re attacking, and you
must be able to use NetBIOS to connect to the admin$ share. There are ways
around the latter requirement, but the tool alone requires it. When you run
Pwdump4 successfully, it extracts LM and NT password hashes and, if Windows’
password history tracking is active, all hashes for older passwords. By
default, Pwdump saves password hashes to the screen, but you can also output
them to a file, then feed them to a password cracker.
Many password cracking tools accept Pwdump-formatted hashes for
cracking. Such tools usually begin the cracking process by generating some
guesses for the password, then hashing the guesses and comparing those hashes
with the extracted hash.
Common password crackers are John the Ripper and Cain & Abel.
John the Ripper, which comes in both Unix and Windows flavors, is a very
fast command-line tool and comes with a distributed-computing add-on. Cain
& Abel can break more than 20 kinds of password hashes, such as LM, NT,
Cisco, and RDP.
Rainbow tables: These
days, password crackers are computing all possible passwords and their hashes
in a given system and putting the results into a lookup table called a rainbow
table. When an attacker extracts a hash from a target system, he or she can
simply go to the rainbow table and look up the plaintext password. Some
crackers (and Web sites) can use rainbow tables to crack any LM hashes in a
couple of seconds. You can purchase very large rainbow tables, which vary in
size from hundreds of megabytes to hundreds of gigabytes, or generate your own
using Rainbow Crack. Rainbow tables can be defeated by disabling LM hashes and
using long, complex passwords.
Password sniffing: Some
password crackers can sniff authentication traffic between a client and server
and extract password hashes or enough authentication information to begin the
cracking process. Cain & Abel both sniffs authentication traffic and cracks
the hashes it retrieves. Other sniffing password crackers are ScoopLM and
KerbCrack, a sniffer and cracker for cracking Kerberos authentication traffic.
None of these can crack NTLNv2 authentication traffic.
§ Password Capturing:
Many attackers capture passwords simply by installing a
keyboard-sniffing Trojan horse or one of the many physical keyboard-logging
hardware devices for sale on the Internet. Symantec reports that 82
percent of the most commonly used malware programs steal confidential information.
Most steal passwords. For $99, anyone can buy a keyboard keystroke logger that
can log more than 2 million keystrokes. Physical keyboard logging devices less
than an inch long can easily be slipped between the keyboard cord and the
computer’s keyboard port. And let’s not forget how easy it is to sniff
passwords from wireless keyboards even from a city block away.
Nowadays, many users choose a weak passwords that to memorize quicly and some of them use a strong
passwords which make them write it down. They have to have store the
information securely. Many institution and awareness security club trying to
train users to store their written passwords in a secure place. Don not write
it on keyboards or in easily cracked password-protected computer files. Users
should store a written password in some secure locations. For example, a locked
file cabinet or office safe, Full (whole) disk encryption which can prevent an
intruder from ever accessing the OS and passwords stored on the system and a secure
password management tool such as LastPass and Password Safe.
The ethical user should show the importance of securing their
passwords. Here are some tips on how to do that:
how to create secure passwords. Refer
to them as passphrases because people tend to take passwords literally
and use only words, which can be less secure.
can happen when weak passwords are used or passwords are shared.
build user awareness of social engineering attacks.
Enforce (or at least encourage the use of) a strong
password-creation policy that includes the following criteria:
and lowercase letters, special characters, and numbers.
words or create acronyms from a quote or a sentence.
punctuation characters to separate words or acronyms.
passwords every 6 to 12 months or immediately if they’re suspected of
different passwords for each system.
common slang words or words that are in a dictionary.
completely on similar-looking characters, such as 3 instead
of E, 5 instead of S, or ! instead
reuse the same password within at least four to five password changes.
password-protected screen savers.
storing user passwords in an unsecured central location.
Here are some other password-hacking countermeasures:
auditing to help monitor and track password attacks.
applications to make sure they aren’t storing passwords indefinitely in
memory or writing them to disk. A
good tool for this is WinHex.
systems patched. Passwords
are reset or compromised during buffer overflows or other denial of
service (DoS) conditions.
user IDs. If
an account has never been used, delete or disable the account until it’s
needed. You can determine unused accounts by manual inspection or by using
a tool such as DumpSec. It is tool that can enumerate the Windows
operating system and gather user IDs and other information.
As the security administrator in your organization, you can
enable account lockoutto prevent password-cracking attempts. Account
lockout is the ability to lock user accounts for a certain time after a certain
number of failed login attempts has occurred. Most operating systems have this
Do not set it too low and too high to give a malicious user a
greater chance of breaking it. Somewhere between 5 and 50 may work for you.
Consider the following when configuring account lockout on your systems:
account lockout to prevent any possibilities of a user DoS condition,
require two different passwords, and don’t set a lockout time for the
first one if that feature is available in your operating system.
permit auto reset of the account after a certain period — often referred
to as intruder lockout don’t set a short time period. Thirty
minutes often works well.
A failed login counter can increase password security and minimize
the overall effects of account lockout if the account experiences an automated
attack. A login counter can force a password change after a number of failed
attempts. If the number of failed login attempts is high and occurred over a
short period, the account has likely experienced an automated password attack.
Other password-protection countermeasures include
authentication methods: For
instance, challenge/response, smart cards, tokens, biometrics and digital
password reset: This
functionality lets users manage most of their password problems without
getting others involved. Otherwise, this support issue becomes expensive,
especially for larger organizations.
the system BIOS: This is
especially important on servers and laptops that are vulnerable to
physical security threats and vulnerabilities.