8 Dec 2022


Password Strength and Efficient Password Cracking Techniques

Format: APA

Academic level: College

Paper type: Term Paper

Words: 1364

Pages: 4


Analyzing Password Strength and Efficient Password Cracking

Introduction

This paper describes the password creation policies that enable individuals to develop strong passwords and resist attacks by cybercriminals. It pays close attention to two main categories of password cracking technique, brute force attacks and dictionary attacks, and suggests the main countermeasures against each. The essay employs a systematic review of secondary materials as its methodology. The sources selected for the paper are credible and were authored within the past 20 years. The paper is structured into the approach, background, body of discussion, and conclusion.

Approach

The comprehensive systematic review of credible secondary sources will explore the two main types of password attack. The research will contextualize the issue from both an organizational and an individual perspective. The primary outcome is an understanding of the various password vulnerabilities and the most appropriate countermeasures. Each secondary source will be assessed for credibility before its information is used. Although articles written within the last ten years are the most appropriate, credible sources authored in the previous two decades will also be admissible. The overall goal is to identify password vulnerabilities and provide information that could help develop an effective security policy.


Background and Discussion Relevant to the Topics

Passwords are an essential security feature of modern computing. They play a critical role in providing individuals with basic cybersecurity. Passwords apply in a host of real-life scenarios, including internet services, ATMs, mobile authentication, and Windows login (Raza et al., 2012). However, weak or predictable passwords can easily be cracked by criminals or intruders. The two main strategies for cracking passwords are the brute force attack and the dictionary attack. A brute force attack is premised on trial and error: the intruder tries combinations until one matches the password for a particular host. Research demonstrates that it is a time-consuming method that could take hours to days. Solutions to brute force attacks include locking out accounts after unsuccessful password attempts and using CAPTCHA verification (Dave, 2013). Dictionary attacks can be either offline or online. The method involves generating a pool of probable passwords. In an online dictionary attack, the intruder checks each word in the dictionary against the server. Solutions against dictionary attacks include developing strong passwords, increasing password entropy, account locking, and delayed responses to online dictionary attacks. Ultimately, an organization must have a strong password policy to prevent these types of attacks.

Body of Discussion

A brute force attack is a password cracking technique based on trial and error. The attacker uncovers the password by attempting different possible alphanumeric combinations. The method primarily takes advantage of individuals and agencies that are careless when selecting passwords and usernames (Dave, 2013). The attacker begins by gathering information about the user. Useful information could include the user's full name, vehicle number, and room number, among other pertinent details. The attacker then tries various combinations over a period that could take hours, days, months, or even years (Dave, 2013). Bošnjak, Sreš, and Brumen (2018) emphasize that the brute force attack mode relies on raw computing power rather than the attacker's cleverness. It is therefore a time-consuming technique that requires the attacker to have patience.

A brute force attack means that attackers use several forceful strategies with the intention of breaking into the system. Despite being among the oldest techniques, hackers regard it as one of the most popular strategies (Dave, 2013). Attackers have to put in much effort to ensure that their schemes succeed. In a simple brute force attack, the cybercriminals use their own reasoning to guess the likely password combination; they do not rely on any software or technology to achieve their goal. A hybrid brute force attack employs both guessing techniques and technology-driven means (Bošnjak et al., 2018). In a reverse brute force attack, the attacker begins with a known password and searches for the account it unlocks. Some attackers use automated tools that can generate numerous passwords per second, increasing the probability of success.

Several countermeasures have been developed against the brute force password attack. The most common strategy is to lock the account after a certain number of failed password attempts. The lockout can last for a specific duration ranging from an hour to a day (Dave, 2013). Some accounts are also configured so that, after the lockout, only the administrator can reopen them. Dave (2013) also proposes using the Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA). The CAPTCHA technique presents simple tests that are easy for humans but difficult for machines. The user is required to enter the displayed code in the space provided, and the code changes whenever the user refreshes the page. The method is primarily effective in preventing brute force attacks carried out by machines and bots. In some organizations, CAPTCHA techniques are reported to be 100% effective.

A special type of brute force attack is known as the dictionary attack. In defining this kind of attack, Nam et al. (2013) say, "An attacker exhaustively enumerates all possible passwords to discover the correct password" (p. 3245). Law enforcement and forensic officials have also used the technique to gain access to password-protected systems. According to the authors, two types of dictionary attack exist: online and offline. In an offline dictionary attack, the attacker verifies password guesses against data obtained offline, without contacting the server. In an online dictionary attack, the attacker confirms each password guess with the server (Nam et al., 2013). Online dictionary attacks are less common, however, because many servers are designed to lock out problematic clients. The dictionary attack is relatively simple, especially when the user employs simple words as passwords.

The dictionary attack typically relies on words and phrases that are commonly used as passwords. The only solution lies in advising individuals to create unique passwords. A good password must combine words, symbols, and numbers. Individuals should never reuse or share their passwords. According to Narayanan and Shmatikov (2005), the surest way to prevent dictionary attacks is to increase the password's entropy, that is, to reduce the predictability of the password. Online dictionary attacks are primarily stopped using two strategies: delayed response and account locking. The delayed response tactic ensures that the server lags in providing its yes/no answer to the intruder, so that they cannot verify large sets of possible passwords in a reasonable time (Belenkiy et al., 2015). In account locking, the account is locked after several unsuccessful attempts.
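The two online countermeasures described above, delayed response and account locking, can be combined in one server-side check. The Python below is an added example, not code from the paper or its sources; the failure threshold, the one-hour lockout, the doubling delay schedule and the credential store are constructed assumptions, and the clock and sleep functions are injectable so the behaviour can be exercised without real waiting.

```python
import time
from dataclasses import dataclass

MAX_FAILURES = 5         # consecutive failures before the account is locked
LOCKOUT_SECONDS = 3600   # one hour, the low end of the range the paper cites
BASE_DELAY = 1.0         # seconds the server waits before its first "no"


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


def response_delay(failures):
    """Delayed response: the wait doubles with every consecutive failure,
    so an intruder can verify far fewer guesses per unit of time."""
    return BASE_DELAY * 2 ** (failures - 1)


class LoginThrottle:
    """Server-side check combining account locking and delayed response.

    `credentials` maps username -> expected password (a constructed stand-in
    for a real credential store); `clock` and `sleep` default to the real
    ones and are replaced in tests.
    """

    def __init__(self, credentials, clock=time.monotonic, sleep=time.sleep):
        self._creds = credentials
        self._state = {}
        self._clock = clock
        self._sleep = sleep

    def attempt(self, user, password):
        st = self._state.setdefault(user, AccountState())
        now = self._clock()
        if now < st.locked_until:
            return "locked"          # no yes/no answer at all while locked
        if self._creds.get(user) == password:
            st.failures = 0          # success resets the counter
            return "ok"
        st.failures += 1             # unknown users take this same path
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        self._sleep(response_delay(st.failures))
        return "rejected"
```

Locking on failures also lets an intruder deny service to the legitimate owner by failing on purpose, so production systems pair it with per-source rate limiting rather than relying on it alone.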

To prevent both types of attack, individuals must choose their passwords carefully. In most cases, people avoid complicated passwords because they are likely to forget them. As a result, they resort to passwords such as a favorite sport, a spouse's name, or a birth date. However, these passwords are easily guessed by criminals (Dave, 2013). Some hackers possess automated tools that can generate a dictionary of possible passwords. Therefore, individuals and organizations must develop a password policy to prevent attacks. The policy should focus on four fundamental aspects. The minimum length of any password should be seven characters. The password must include upper and lower case letters. Individuals must also include numeric characters in the password. Special characters such as &, @, and % should also form part of the password (Dave, 2013). Such a policy can guarantee basic security for an organization and its stakeholders.

Some researchers recommend a 16-character password as the most effective way of enhancing security. Although an 8-character password is also recommended, it should be regarded only as the starting point (Yıldırım & Mackie, 2019). Besides password length, IT scholars propose the use of digits as a way of increasing password entropy. Excluding dictionary words is also critical because of its impact on entropy. With the advent of technology, computer systems, including browsers such as Google's Chrome, have password managers. These enable an individual to generate strong passwords that are difficult for intruders to crack (Yıldırım & Mackie, 2019). Users are also advised to make a habit of changing their passwords. However, the habit of changing passwords has its drawbacks, as the individual can be tempted to create a weak password. Therefore, individuals should only consider changing their passwords if they have sufficient reason to believe that they are vulnerable.
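The four policy rules given earlier and the length and entropy points above can be checked mechanically. The Python below is an added example, not from the paper or its sources: it applies the rules plus a dictionary check, estimates entropy as length times log2 of the alphabet used, and compares the worst-case brute force time of an 8-character complex password with a 16-character lowercase one; COMMON_WORDS and the guess rate of one billion per second are constructed assumptions.

```python
import math
import string

# Constructed mini-dictionary standing in for a real wordlist (assumption).
COMMON_WORDS = {"password", "football", "welcome", "qwerty", "dragon", "letmein"}


def policy_violations(pw, min_length=7):
    """Return the policy rules the password fails: the four the paper lists
    (Dave, 2013) plus a dictionary-word check, which the paper also recommends."""
    failures = []
    if len(pw) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in pw) or not any(c.islower() for c in pw):
        failures.append("missing upper or lower case letters")
    if not any(c.isdigit() for c in pw):
        failures.append("missing a digit")
    if not any(c in string.punctuation for c in pw):
        failures.append("missing a special character")
    # Drop digits and symbols so "Football1!" is still caught as "football".
    core = "".join(c for c in pw if c.isalpha()).lower()
    if core in COMMON_WORDS:
        failures.append("based on a dictionary word")
    return failures


def entropy_bits(pw):
    """Upper-bound entropy: len * log2(alphabet size). It assumes each character
    was drawn uniformly, so it overstates human-chosen passwords, but it is
    enough to show why length counts for more than symbol variety."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return len(pw) * math.log2(size) if size else 0.0


def brute_force_seconds(pw, guesses_per_second=1e9):
    """Worst-case time to exhaust the keyspace at a constructed guess rate."""
    return 2 ** entropy_bits(pw) / guesses_per_second
```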

Conclusion

Individuals and organizations must develop strong password policies. Effective passwords have at least seven characters and combine alphanumeric and non-alphanumeric symbols. Strong passwords also incorporate uppercase and lowercase letters. Brute force and dictionary attacks have a high success rate, especially where individuals disregard basic password rules. More importantly, individuals should avoid sharing passwords and using the same combination across various platforms. Countermeasures should range from locking out the account after unsuccessful attempts to using CAPTCHA against non-human attempts. Delaying the server response is the most effective strategy against online dictionary attacks. Organizational members should receive regular training on password security to prevent security lapses.

References

Belenkiy, M., Acar, T., Morales, H. N. J., & Kupcu, A. (2015). U.S. Patent No. 9,015,489. Washington, DC: U.S. Patent and Trademark Office.

Bošnjak, L., Sreš, J., & Brumen, B. (2018, May). Brute-force and dictionary attack on hashed real-world passwords. In 2018 41st International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO) (pp. 1161-1166). IEEE.

Dave, K. T. (2013). Brute-force attack "Seeking but Distressing." Int. J. Innov. Eng. Technol., 2(3), 75-78.

Nam, J., Choo, K. K. R., Kim, M., Paik, J., & Won, D. (2013). Dictionary attacks against password-based authenticated three-party key exchange protocols. KSII Transactions on Internet and Information Systems (TIIS), 7(12), 3244-3260.

Narayanan, A., & Shmatikov, V. (2005, November). Fast dictionary attacks on passwords using time-space tradeoff. In Proceedings of the 12th ACM Conference on Computer and Communications Security (pp. 364-372).

Raza, M., Iqbal, M., Sharif, M., & Haider, W. (2012). A survey of password attacks and comparative analysis on methods for secure authentication. World Applied Sciences Journal, 19(4), 439-444.

Yıldırım, M., & Mackie, I. (2019). Encouraging users to improve password security and memorability. International Journal of Information Security, 18(6), 741-759.

StudyBounty. (2023, September 15). Password Strength and Efficient Password Cracking Techniques.
https://studybounty.com/password-strength-and-efficient-password-cracking-techniques-term-paper
