Risks with passwords

Password based authentication is no longer sufficient for the security needs of any enterprise. So there is a growing trend among many enterprises globally to move to a stronger authentication solution which provides a high level of security without compromising the user’s convenience.


Risks associated with Password based authentication - Whitepaper

Password-based authentication is one of the most popular approaches to authenticating a user in various enterprise applications. But there are many problems associated with password based authentication systems, and using passwords as the authentication mechanism for enterprise applications is not completely secure. Considering all the risks associated with password based authentication systems, there is a strong need for enterprises to switch to a stronger, secure authentication system which provides security against the various hacking attacks and which is also more convenient and easier for the end user of the system.

PASSWORD PROBLEM: The problem that passwords are difficult to remember, and easy-to-remember passwords are easy to break in most cases, is referred to as the Password Problem.

IDEAL PASSWORD: Today, from a security standpoint, the ideal password is a string of eight or more random characters, which includes digits, letters with a mixture of upper and lower case, and special characters, is not a dictionary word and is not related to personal information, such as social security number, street address, or birth date.

Challenges with Password based Authentication:

1. Easy passwords can be cracked
The end user’s behaviour, such as choosing passwords that are easy to remember, introduces the majority of the password weaknesses. For a hacker, these passwords can easily be cracked or guessed. Surveys show that frequent passwords are the word ‘password’, personal names of family members, names of pets, and dictionary words.

2. Random passwords can’t be remembered
A random password should not have content or context, and should not be familiar. It can only be learned by using it over and over again. However, since repetition is a weak way of remembering, users often completely ignore the recommendations for pseudo-random passwords.

3. Remembering Multiple Passwords
Moreover, today’s users have to remember more than one password: for computers, mail accounts, social media applications, online banking, and much more. A survey of IT professionals found that the average IT professional has to remember approximately five to six passwords, and almost 25% of IT professionals have to manage eight or more passwords. The more passwords a person has to remember, the lower the chance of remembering any specific one. Having multiple passwords also increases the chance of interference among similar passwords. This is especially true for systems that are not used frequently.
4. Problems with passwords that need to be continuously changed
Computer systems require frequent password changes to make the system robust against various attacks. Common techniques require that passwords are changed every 30 or 90 days. However, the more frequently a password has to be changed, the harder it will be to remember. Users must think of new passwords that conform to all of the organization’s requirements but that are also easy to remember. System-enforced password policies, however, cannot guarantee password secrecy.

5. Security vs. Ease-of-Use for Passwords
To “solve” the Password Problem, users will try to decrease the memory burden at the expense of security. Most commonly, the user will write down passwords, raising the potential of compromise of the passwords. In the case of multiple systems, users may choose only one password for all systems. This reduces security: if the password is broken for one computer system, every single computer system is compromised. Alternatively, users create their own rules to generate multiple passwords that have something in common, for example adding a digit to a base word for each new password, which is also an unsafe method. Weak passwords can be broken by dictionary attacks or attacks based on knowledge about the password owner. Because of password-cracker programs, users need to create unpredictable passwords, which are more difficult to memorize.

6. Shoulder Surfing Attack
Shoulder surfing is looking over someone’s shoulder when they enter a password or a PIN code. It is an effective way to get information in crowded places because it is relatively easy to stand next to someone and watch as they fill out a form, enter a PIN at an ATM, or use a calling card at a public pay phone. Shoulder surfing can also be done at a distance with the aid of binoculars or other vision-enhancing devices to learn the password. Shoulder surfing can be done easily on a password system, just by watching the keys that the user types.
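As an added example that is not part of the whitepaper, the code below turns points 1, 2 and 5 and the sidebar’s “ideal password” definition into checks a policy engine could run: a per-password check against that definition, using constructed common-word and personal-information lists in place of a real dictionary and user profile, and a grouping of one user’s passwords across systems by shared base word to surface the reuse and “base word plus a digit” habits described in point 5.

```python
import string

# Constructed stand-ins for a real dictionary list and for the account
# holder's personal details; the paper names "password", family and pet
# names and dictionary words as the most frequent choices.
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "football"}
PERSONAL_INFO = {"pet": "Rex", "street": "Elm", "birth_year": "1984"}


def base_word(pw: str) -> str:
    """Strip trailing digits and punctuation to expose the 'base word'
    behind home-grown variants such as Summer1, Summer2, Summer3."""
    return pw.rstrip(string.digits + string.punctuation).lower()


def check_password(pw: str, personal=PERSONAL_INFO, words=COMMON_WORDS) -> list:
    """Return the 'ideal password' criteria that pw fails (empty = passes)."""
    failures = []
    if len(pw) < 8:
        failures.append("fewer than eight characters")
    if not any(c.isdigit() for c in pw):
        failures.append("no digit")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        failures.append("no mix of upper and lower case")
    if not any(c in string.punctuation for c in pw):
        failures.append("no special character")
    if base_word(pw) in words:
        failures.append("dictionary word, possibly with digits appended")
    for field, value in personal.items():
        if value.lower() in pw.lower():
            failures.append(f"contains personal information ({field})")
    return failures


def related_passwords(by_system: dict) -> dict:
    """Group systems whose passwords are identical or share a base word,
    i.e. the reuse and 'base word plus a digit' habits from point 5.
    Returns {base_word: [system, ...]} for every base used more than once."""
    groups = {}
    for system, pw in by_system.items():
        groups.setdefault(base_word(pw), []).append(system)
    return {base: systems for base, systems in groups.items() if len(systems) > 1}


if __name__ == "__main__":
    print(check_password("Rex1984"))       # short, no special char, personal info
    print(check_password("Password1!"))    # dictionary word with digit appended
    print(related_passwords({"mail": "Summer1", "bank": "Summer2",
                             "vpn": "Summer1", "hr": "Tr0ub4dor&3"}))
```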
7. Keyloggers
Keyloggers are the best example of spyware: they are installed on the victim’s machine without the user’s knowledge and monitor all keystrokes. Keyloggers come in one of two forms: a hardware device, or a small program (spyware).

As a hardware device, a keylogger is a small battery-sized plug that serves as a connector between the user’s computer and keyboard. As the device resembles an ordinary keyboard plug, it is relatively easy to physically hide such a device "in plain sight." As the user types, the device collects and saves the keystrokes as text in its own memory. At a later point in time, the person who installed the keylogger must return and physically remove the device in order to access the information it has gathered.

On the other hand, a keylogger program does not require physical access to the user’s computer. It can be downloaded deliberately by someone who wants to monitor activity on a particular computer, or it can be downloaded accidentally as spyware and executed as part of a remote administration tool (RAT) Trojan horse. The keylogger program records each keystroke the user types and periodically uploads the information over the Internet to the person who installed the program. Once the hacker gets the information from the keylogger, the hacker can mimic the actual user, and there is no way the authentication server can distinguish the real user from the hacker.

Conclusion:
Considering all the above factors, password based authentication is no longer sufficient for the security needs of any enterprise. So there is a growing trend among many enterprises globally to move to a stronger authentication solution which provides a high level of security without compromising the user’s convenience. ArrayShield IDAS Two Factor authentication protects organizations from identity and data theft, and hence provides peace of mind.
ABOUT ARRAYSHIELD
Array Shield Technologies is the maker of software security products in the area of Multi-Factor Authentication. The company’s mission is to provide highly secure, cost effective and easy to use software security solutions globally. For more information, visit us at www.arrayshield.com