When connecting to a computer system, you usually have to enter a login (username) and a password to access it. This login/password pair thus forms the key for obtaining access to the system.
While the login is in general automatically attributed by the system or its administrator, the user is often free to choose the password. Most users, believing they don't have anything truly secret to protect, use a password that is easy to remember (for example, their login, their spouse's name or their date of birth).
And yet, while the data in the user's account may not be strategic in nature, access to that account may represent an open door to the entire system. As soon as a hacker obtains access to an account on a machine, he can expand his scope of action by obtaining the list of users authorized to connect to the machine. Using password generating tools, the hacker can try out a large number of randomly generated passwords or may use a dictionary (or possibly combine the two). If he happens upon the administrator's password, he obtains full permissions on the machine!
Furthermore, the hacker may potentially obtain access to the local network from a network machine, which means he can draw up a map of the other servers working with the one he has access to.
User passwords therefore represent the first line of defense against system attacks, which is why it is necessary to define a password policy to require that users choose sufficiently secure passwords.
Most systems are configured so as to temporarily block a user's account after a certain number of unsuccessful login attempts have been made. As a result, it is difficult for a hacker to infiltrate a system in this way.
However, a hacker can use this auto-defense mechanism to block all user accounts in order to trigger a denial of service.
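The denial-of-service problem described above comes from locking the account itself after a fixed number of failures. The following is an added example, not code from the original article, of a lockout design that avoids it: failures are counted per (account, source address) and the waiting time grows exponentially, so an attacker hammering an account from one address slows only himself down, while the legitimate owner connecting from another address is unaffected. The alert threshold, delays and addresses are assumed values chosen for the demonstration.

```python
import time
from collections import defaultdict


class AuthThrottle:
    """Per-(account, source) exponential backoff instead of a hard account lockout.

    Repeated failures from one source address delay only that source; a burst of
    failures also raises an alert for the operator, since it is exactly the
    pattern an attacker (or a lockout-based denial of service) would produce.
    """

    def __init__(self, base_delay=1.0, max_delay=3600.0, alert_threshold=10):
        self.base_delay = base_delay          # seconds after the first failure
        self.max_delay = max_delay            # cap so the delay stays bounded
        self.alert_threshold = alert_threshold
        # (account, source) -> [consecutive failures, time when the next attempt is allowed]
        self._state = defaultdict(lambda: [0, 0.0])
        self.alerts = []                      # (account, source, failure count)

    @staticmethod
    def _key(account, source):
        return (account.lower(), source)

    def allowed(self, account, source, now=None):
        """True if this source may attempt a login for this account right now."""
        now = time.time() if now is None else now
        return now >= self._state[self._key(account, source)][1]

    def record_failure(self, account, source, now=None):
        """Register a failed attempt and return the delay imposed on this source."""
        now = time.time() if now is None else now
        state = self._state[self._key(account, source)]
        state[0] += 1
        delay = min(self.base_delay * 2 ** (state[0] - 1), self.max_delay)
        state[1] = now + delay
        if state[0] >= self.alert_threshold:
            self.alerts.append((account, source, state[0]))
        return delay

    def record_success(self, account, source):
        """A successful login clears the failure history for that source."""
        self._state.pop(self._key(account, source), None)


def simulate_lockout_attempt(failures=10):
    """Constructed scenario: an attacker fails `failures` times against 'alice'
    from 203.0.113.9; alice then logs in from 198.51.100.4 (both are
    documentation addresses). Returns (attacker_allowed, victim_allowed)."""
    throttle = AuthThrottle()
    for _ in range(failures):
        throttle.record_failure("alice", "203.0.113.9", now=0.0)
    # 100 seconds later: the attacker is still backed off (2**9 = 512 s), alice is not.
    return (throttle.allowed("alice", "203.0.113.9", now=100.0),
            throttle.allowed("alice", "198.51.100.4", now=100.0))


if __name__ == "__main__":
    print(simulate_lockout_attempt())  # (False, True)
```

A per-account cap is still useful as a second layer, but it should trigger an alert and a step-up check rather than a flat lockout, otherwise the behaviour the article warns about returns.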
On most systems, passwords are stored encrypted in a file or a database.
Yet when a hacker obtains access to the system and obtains this file, he can attempt to crack a particular user's password or the passwords for all user accounts.
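What makes such a stolen file resistant to cracking is how the passwords were stored in it. The following added example, not taken from the original article, shows the usual defensive arrangement: each password is run through a deliberately slow, salted one-way function (here scrypt from the Python standard library) and only the salt and the resulting hash are kept, so two users with the same password get different records and a stolen file yields nothing without guessing each password in turn. The record format and the cost parameters are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Work factor (assumed values for the example): n=2**14 with r=8 needs about
# 16 MiB of memory per guess, which is what makes large-scale guessing costly.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record 'scrypt$n$r$p$salt_hex$hash_hex'.

    A fresh random salt is generated unless one is supplied (tests only).
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                   n=int(n), r=int(r), p=int(p), dklen=DKLEN)
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        # Malformed record (wrong field count, bad hex, bad parameters): never accept.
        return False


def build_sample_store() -> dict:
    """Constructed password file: two users who chose the same password."""
    return {"alice": hash_password("marshal6"), "bob": hash_password("marshal6")}


if __name__ == "__main__":
    store = build_sample_store()
    # Same password, different salts, therefore different records.
    print(store["alice"] != store["bob"])                  # True
    print(verify_password("marshal6", store["alice"]))     # True
    print(verify_password("Marshal6", store["alice"]))     # False
```

Storing the parameters inside each record is what lets an administrator raise the work factor later and re-hash users transparently at their next successful login.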
Brute force cracking
The term "brute force cracking" refers to cracking a password by testing all possible passwords. A variety of tools are available for all operating systems that make it possible to carry out this sort of operation. These tools are used by system administrators to test the strength of their users' passwords, but they are sometimes hijacked by hackers to infiltrate computer systems.
Brute force cracking tools may require hours, or even days, of calculation even on machines equipped with powerful processors. An alternative is to carry out a "dictionary attack": in practice, users usually choose passwords that mean something, and with this type of attack such a password can be cracked in just a few minutes.
A third attack of this type, called a "hybrid attack", specifically targets passwords made of an ordinary word followed by a letter or a number (such as "marshal6"). It combines brute force cracking with the dictionary attack.
There are also other methods by which a hacker can obtain user passwords:
- Keyloggers are software programs that, when installed on the user's workstation, make it possible to log keystrokes made by the user. Recent operating systems feature protected buffers that make it possible to temporarily retain the password and are accessible only by the system.
- Social engineering involves exploiting people's naivety to obtain information. A hacker can thus obtain an individual's password by impersonating a network administrator or, conversely, can call the support team asking it to reset the password, using an emergency situation as a pretext.
- Spying is the oldest method used. In this case a hacker simply has to observe the papers around the user's screen or under his keyboard to obtain the password. Also, if the hacker is someone in the victim's circle, he can just glance over that person's shoulder when the password is being entered to see it or guess it.
Choosing a password
It is clear that the longer a password is, the harder it is to crack. Moreover, a password made solely of numbers will be much easier to crack than a password that contains letters:
A password with 4 numbers corresponds to 10,000 possibilities (10^4). While this figure may seem high, a computer with a modest configuration is capable of cracking it in just a few minutes.
It is better to use a password with 4 letters, for which there are 456,972 possibilities (26^4). Following the same logic, a password that combines numbers and letters, or one that also uses uppercase letters and special characters, will be even harder to crack.
Passwords to avoid:
- your login;
- your last name;
- your first name or that of a loved one (spouse, child, etc.);
- a word from the dictionary;
- a word written backwards (password cracking tools account for this possibility);
- a word followed by a number, the current year or a year of birth (for example "password1999").
Gaining access to the account of just one of a company's employees can compromise the overall security of the entire organization. As such, all companies wishing to guarantee an optimum security level should set up a real password security policy. This particularly means requiring that employees choose passwords that follow certain requirements, for example:
- A minimum password length
- The presence of special characters
- A change of case (lowercase and uppercase letters)
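The keyspace arithmetic above and the "passwords to avoid" list, together with the policy requirements just given, can be turned into a single checker. The following is an added example and not code from the original article: it estimates the number of possibilities a password represents (10^4 for four digits, 26^4 for four lowercase letters, and so on for mixed character sets) and reports every rule the password breaks. The small word list, the minimum length of 12 and the guessing rate are assumed values standing in for a real dictionary and a real site policy.

```python
import re
import string

# Constructed stand-in for a real word list; a deployment would load a dictionary file.
SAMPLE_DICTIONARY = {"password", "marshal", "secret", "welcome", "dragon", "summer"}
SPECIALS = set(string.punctuation)


def alphabet_size(password: str) -> int:
    """Size of the smallest standard character set covering the characters used."""
    size = 0
    if any(c.isdigit() for c in password):
        size += 10
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c in SPECIALS for c in password):
        size += len(SPECIALS)
    other = {c for c in password if not (c.isalnum() or c in SPECIALS)}
    size += len(other)  # anything else (spaces, accented letters) counted individually
    return size


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search must cover for this shape of password."""
    return alphabet_size(password) ** len(password)


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time for a brute force search at an assumed guessing rate."""
    return keyspace(password) / guesses_per_second


def check_password(password, login, personal_names=(), dictionary=SAMPLE_DICTIONARY, min_length=12):
    """Return the list of policy violations (empty list means the password is acceptable)."""
    problems = []
    low = password.lower()
    if low == login.lower():
        problems.append("identical to login")
    for name in personal_names:
        if name and name.lower() in low:
            problems.append(f"contains personal name '{name}'")
    if low in dictionary:
        problems.append("dictionary word")
    if low[::-1] in dictionary:
        problems.append("reversed dictionary word")
    # Hybrid-attack shape: a dictionary word followed by a digit, a year or a short number.
    m = re.fullmatch(r"([a-z]+)(\d{1,4})", low)
    if m and m.group(1) in dictionary:
        problems.append("dictionary word followed by digits")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("no mix of upper and lower case")
    return problems


if __name__ == "__main__":
    for candidate in ("1234", "abcd", "marshal6", "password1999", "drowssap", "Tr0ub4dor&3-correct"):
        print(f"{candidate!r}: keyspace={keyspace(candidate)}, "
              f"violations={check_password(candidate, login='jsmith', personal_names=('Smith',))}")
```

The keyspace figure is an upper bound on the attacker's effort; the violations list shows why a dictionary-based password falls far short of it even when it is long.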
Moreover, it is possible to strengthen this security policy by imposing an expiration period for passwords, in order to make users regularly modify their passwords. This complicates the work of hackers attempting to crack passwords over time. In addition, it is an excellent way to limit the lifespan of cracked passwords.
Finally, system administrators are advised to run password cracking software internally on their users' passwords to test their strength. This should however be done within the framework of the security policy and be set down in writing, so as to obtain the approval of management and users.
It is not healthy to have just one password, just like it wouldn't be healthy to use the same code for your bank card that you use for your mobile phone and to enter your building.
You are therefore advised to have several passwords, one for each category of use, depending on the confidentiality of the secret it protects. Your bank card code should therefore be used only for that purpose. However, you can use the same PIN code on your mobile phone that you use for a suitcase padlock.
Likewise, when signing up for an online service that requires an e-mail address (for example, Kioskea's newsletter), you are strongly advised not to choose the same password you use for that e-mail account, since an unscrupulous administrator could easily gain access to your private life!