Problems with Passwords
Passwords are an easily implemented, low-cost security measure used across online services. The proliferation of password use (mainly due to the increase in online services) and increasingly complex password requirements place an unrealistic demand on most users.
Inevitably, users will devise their own mechanisms to cope with these many password demands. This includes writing down passwords, re-using the same password across multiple platforms and systems, or using simple and predictable password creation strategies. All of these techniques offer low security and make it easy for cyber attackers.
How are passwords discovered?
Attackers use a variety of techniques to discover passwords. Many of these techniques are freely available and documented on the Internet, and use powerful, automated tools. Approaches to discovering passwords include:
- Social engineering, e.g. phishing or coercion.
- Manual password guessing, perhaps using personal information ‘cribs’ such as name, date of birth, or pet names.
- Intercepting a password as it is transmitted over a network.
- ‘Shoulder surfing’ – observing someone typing in their password at their desk.
- Installing a keylogger to intercept passwords when they are entered into a device.
- Searching an enterprise’s IT infrastructure for electronically stored password information.
- Brute-force attacks; the automated guessing of large numbers of passwords until the correct one is found.
- Finding passwords which have been stored insecurely, such as handwritten on paper and hidden close to a device.
- Compromising databases containing large numbers of user passwords, then using this information to attack other systems where users have re-used these passwords.
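As an added illustration (not part of the original guidance), the Python check below is the kind of test a service can run when a user sets a password, to reject the predictable strategies described above: a password already present in a breach corpus, one built from personal-information cribs such as a name, pet name or date of birth, and the word-plus-digits pattern that automated guessing exhausts first. The breach set, crib values and sample passwords are all constructed for the example.

```python
import re

# Constructed stand-in for a breached-password corpus (a real deployment would load a
# leaked-credential list from disk; this tiny set is an assumption for the example).
KNOWN_BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1"}

_LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
_WORD_DIGITS = re.compile(r"[A-Za-z]+\d{1,4}[!?.]{0,2}")  # e.g. Summer2024!


def _variants(value):
    """Predictable spellings of a crib: plain lowercase and a leetspeak rewrite."""
    v = value.lower()
    return {v, v.translate(_LEET)}


def find_cribs(password, cribs):
    """Return the labels of the personal-information cribs the password is built from.

    `cribs` maps a label ("name", "pet", "dob", ...) to the value held in the user's
    profile. Matching is case-insensitive and ignores cribs shorter than four characters
    to avoid false positives on short fragments.
    """
    hay = password.lower()
    found = []
    for label, value in cribs.items():
        if any(len(v) >= 4 and v in hay for v in _variants(value)):
            found.append(label)
    return found


def check_password(password, cribs):
    """Return a list of the predictable strategies detected; an empty list means none."""
    problems = []
    # Strip trailing digits/symbols so "password123" still hits the breach corpus.
    base = re.sub(r"[\W_\d]+$", "", password.lower())
    if password.lower() in KNOWN_BREACHED or base in KNOWN_BREACHED:
        problems.append("appears in breach corpus")
    for label in find_cribs(password, cribs):
        problems.append(f"derived from user's {label}")
    if _WORD_DIGITS.fullmatch(password):
        problems.append("word+digits pattern")
    return problems


if __name__ == "__main__":
    profile = {"name": "alice", "pet": "fluffy", "dob": "1984"}  # constructed profile
    for candidate in ("Fluffy2019!", "Welcome1", "Alice1984", "4l1c3!!", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate, profile) or "ok")
```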