Risks of passwords

convenient, but they are also dangerous. Modes of attack include the following:

- Exhaustive attacks. Attempting password attacks by random trial and error was at one time occasionally successful, but is now unlikely to succeed because of limits on the number of incorrect tries and auditing of failed attempts.

- Educated guessing of passwords. At least until recently, users frequently chose as passwords dictionary words, proper names, or other character strings having a logical association with the individual (such as initials, spouse's name, dog's name, or social security number). System passwords sometimes remain unchanged from the original defaults. Maintenance passwords are often common across different systems. Such passwords have been guessed surprisingly often.

- Deriving passwords. If words or names are chosen as passwords, then, even if the passwords are stored in an encrypted form, they can be discovered by preencryptive dictionary attacks [2], assuming the encrypted password file can be read. Such attacks are particularly insidious, because they can be carried out surreptitiously on systems other than the ones being attacked. Algorithmically generated passwords may also be prone to attack. For example, knowing one password in a pseudorandom sequence can be used to determine the subsequent ones.

- Capturing unencrypted passwords. Passwords exist in an unencrypted form as they are being typed, stored in memory, or in transit across a local or global network. They can be captured by exploiting system security flaws (or features) and by network snooping. Trojan horsing with network software (such as ftp and telnet) on various host systems has recently enabled the capture of passwords for accounts on other systems, and the newly captured passwords have then been used to implant Trojan horses on those other systems. Someone's ability to capture passwords that you may use to access other systems from your own host system may in turn compromise users on those other systems.

- Creating bogus passwords and trapdoors. Trojan horses may subvert user authentication, for example, by inserting a trapdoor into a security-critical program. The classical example is the C-compiler Trojan horse described by Ken Thompson [3] that could implant a trapdoor in the login routine. Also, if a password file is not properly protected against writing, a clever perpetrator may be able to edit the password file and insert a bogus but viable self-chosen user identifier and password (encrypted as needed), or to install a variant password file. …
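The "educated guessing" item above names the choices a password-change routine can reject up front. The following screening check is an added example, not code from the article; the word lists, the profile fields and the function names are constructed assumptions.

```python
import re

# Constructed sample lists (assumptions); a real deployment would load larger ones.
COMMON_WORDS = {"password", "dragon", "welcome", "secret", "michael"}
DEFAULT_PASSWORDS = {"changeme", "admin", "system", "maint"}
# Undo simple character substitutions such as "@" for "a" or "0" for "o".
LEET = str.maketrans("013457@$!", "oieastasi")

def letter_forms(candidate):
    """Letter-only forms of the candidate, with and without a trailing digit/symbol suffix."""
    lowered = candidate.lower()
    trimmed = re.sub(r"[^a-z]+$", "", lowered)
    return {re.sub(r"[^a-z]", "", s.translate(LEET)) for s in (lowered, trimmed)}

def screen_password(candidate, profile):
    """Return reasons the candidate is guessable; an empty list means no check matched.

    profile maps a label (e.g. "spouse") to a string associated with the user.
    """
    reasons = []
    forms = letter_forms(candidate)
    if candidate.lower() in DEFAULT_PASSWORDS or forms & DEFAULT_PASSWORDS:
        reasons.append("unchanged default")
    if any(f in COMMON_WORDS or f[::-1] in COMMON_WORDS for f in forms):
        reasons.append("dictionary word or proper name")
    cand_digits = re.sub(r"\D", "", candidate)
    for label, value in profile.items():
        letters = re.sub(r"[^a-z]", "", value.lower())
        digits = re.sub(r"\D", "", value)
        if len(letters) >= 3 and any(letters in f for f in forms):
            reasons.append(f"contains {label}")
        elif len(digits) >= 4 and digits in cand_digits:
            reasons.append(f"contains {label}")
    return reasons

# Constructed user profile covering the associations the list mentions.
SAMPLE_PROFILE = {"spouse": "Martha", "dog": "Rex",
                  "ssn": "078-05-1120", "initials": "JQD"}

if __name__ == "__main__":
    for pw in ("P@ssw0rd1", "Martha1984!", "ChangeMe", "vq7Lp2xWzr9T"):
        print(pw, screen_password(pw, SAMPLE_PROFILE))
```

An empty result only means none of these specific checks matched; it says nothing about resistance to exhaustive search.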

[1] Ken Thompson, et al. Reflections on trusting trust, 1984, CACM.

[2] K. Thompson. Reflections on trusting trust, 1984, CACM.

[3] John McHugh, et al. Coding for a Believable Specification to Implementation Mapping, 1987, 1987 IEEE Symposium on Security and Privacy.

[4] Ken Thompson, et al. Password security: a case history, 1979, CACM.