Passwords:
- Description: Passwords are the most common form of Type 1 authentication. They are cheap, easy to implement, and familiar to users.
- Password Generators: Tools that create complex passwords automatically.
- User-Generated Passwords: Users can create their own passwords, but these are subject to triviality checks and policy enforcement to prevent weak passwords.
Password Effectiveness:
- Longer Passwords: The effectiveness of a password increases exponentially with its length. A longer password is more resistant to brute force attacks.
- Complexity: A password that includes upper and lower case letters, numbers, and special characters increases its complexity significantly. Each extra character multiplies the number of possible combinations by the size of the character set, so adding just one character to a password can increase its complexity by 62 times (62 being the size of a character set made up of upper- and lower-case letters plus digits).
Password Storage:
- Best Practice: In secure environments, passwords should never be stored in plaintext. Instead, salted hashes of passwords are stored. This involves adding a random value (salt) to the password before hashing it, making it more resistant to rainbow table attacks.
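As an added example (not part of the original notes), the storage practice above in Python: a per-user random salt, a slow standard-library KDF (PBKDF2-HMAC-SHA256) instead of a bare hash, constant-time verification, and a constructed toy precomputed table showing why the salted form is not searchable. The record format, iteration count and table contents are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000   # constructed choice: slow enough to blunt offline guessing
SALT_BYTES = 16        # 128-bit random salt, one per stored password


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iter$salt_hex$hash_hex'.

    A fresh random salt is drawn for every call unless one is passed in
    (only useful for deterministic tests), so two users with the same
    password never share a stored value."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the salt stored in the record and compare in
    constant time, so a mismatch leaks nothing about how many bytes matched."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def unsalted_hash(password: str) -> str:
    """The weak form: a bare SHA-256 of the password. It is identical for
    every user who picks that password and can be looked up directly."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed toy "rainbow table": precomputed unsalted hashes of a few
# common passwords, mapping hash -> plaintext.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]
PRECOMPUTED = {unsalted_hash(p): p for p in COMMON_PASSWORDS}


def table_lookup(stored_value: str) -> Optional[str]:
    """A precomputed-table lookup: succeeds only against unsalted hashes."""
    return PRECOMPUTED.get(stored_value)
```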
Types of Passwords:
- One-Time Password (Dynamic Password): Used only once, providing enhanced security. Common in two-factor authentication (2FA) systems.
- Static Password: The same password is used for each logon, which is less secure.
- Passphrase: A longer sequence of words or characters, easier to remember and more secure than simple passwords. The system converts the passphrase into a virtual password.
- Cognitive Password: A password based on personal information that is easy to remember, such as your mother’s maiden name.
Password Attacks:
- Brute Force Attack: The attacker tries every possible combination of characters until the correct password is found. This method is exhaustive and time-consuming.
- Dictionary Attack: The attacker uses a list of commonly used passwords or words from a dictionary to guess the password.
- Social Engineering: The attacker manipulates individuals into revealing their passwords or other confidential information.
- Rainbow Tables: These are precomputed tables containing pairs of plaintext passwords and their corresponding hash values, used to crack password hashes quickly.
Implementation Attack:
- Description: Targets weaknesses in the implementation of cryptographic systems, such as flaws in software code or the methodology used for encryption.
Statistical Attack:
- Description: Exploits statistical weaknesses in a cryptosystem, such as issues with random number generation or floating-point errors. These attacks aim to find vulnerabilities in the hardware or operating system hosting the cryptographic application.
Password Management Tools:
- Password Checker: A tool that verifies whether a password meets security policies and complexity requirements.
- Password Hacker: A malicious tool used by attackers to crack passwords.
Hashing and Encryption:
- SYSKEY: A utility in Windows systems that encrypts hashed passwords in the Local Security Authority (LSA) database, enhancing password security.
- LM Hash and NT Hash: These are the hash formats used by Windows to store password hashes. LM Hash is less secure and more prone to attacks.
- SALT/Seed/Nonce: Random values added to the password before hashing to increase its complexity and resistance to attacks.
- HAVAL: A modification of MD5 that produces hash values of variable lengths (128, 160, 192, 224, 256 bits). It is used for creating hash values but is not an encryption algorithm.