All that often stands between a malicious hacker and access to valuable, confidential data is a few keystrokes: an end-user's or admin's password. Yet even the most carefully crafted and well-guarded password is susceptible to being stolen from an innocent victim, and crafty miscreants have numerous techniques at their disposal to do the dirty deed.
In order to protect users and your organization from a password attack, you must first have a clear understanding of the various tactics available. From there, you can develop policies and educate users to prevent such an attack from succeeding. Today, we'll take a closer look at some of the types of attacks, as well as the best approaches to squelching them.
[ Are your organization's passwords strong enough? | Roger shares more advice on managing passwords: "Password size does matter" | "Getting a grip on better password hashes" | "Ask better password questions" ]
The most popular password attacks include authentication bypassing; guessing; network sniffing or eavesdropping; keystroke logging; hash cracking; credential replaying; and social engineering.
This attack entails simply hacking around the authentication check. A common example: A would-be hacker uses a separate boot disc with the ability to read the targeted data partitions so as to bypass the normal log-on prompts and access the data directly. Another example would be an attacker using a remote buffer overflow (or SQL injection, and so on) against a running application or service to gain unauthorized access to the data.
Here, an attacker attempts to guess a user's password by making multiple (sometimes thousands or millions) log-on attempts using proposed passwords against some sort of log-on prompt. Common guessing locations include the normal log-on prompt, Web-based e-mail, FTP, and remote management consoles.