Most online user services today secure access to data, applications and the system itself by granting permissions and user rights based on the user account that is logged onto the service or network. In most cases, the key security mechanism is a password – a combination of characters that the user enters along with his/her account name to verify to the service that the associated account really belongs to the person using it.
Password Vulnerabilities
Because the password is something you know, that knowledge can be gained in different ways. Unlike with a key to a lock, which is a physical object, an intruder doesn't have to take the password away from its owner in order to have it himself. Instead, he can get it in one of several ways (without the owner ever knowing). For example:
Exploitation of weak passwords: Left to their own devices, users often choose "easy" passwords that are easy to remember. This includes using a word, phrase or number that has special meaning to them, such as a spouse's name, birthday or social security number. An intruder who knows something about the user may be able to guess the password. Using any word that appears in a dictionary creates a vulnerability, because "brute force" methods (trying one password after another until you hit the right one) and "dictionary" attacks (trying each word from a word list) can crack such passwords quickly.
Exploitation of user behavior: If the password is more complex and non-intuitive (a random combination of letters and numbers), the user may have trouble remembering it, and this may lead to writing it down – often keeping it in a prominent place such as the top desk drawer or even on a sticky note stuck to the monitor. Hackers can often use "social engineering" to persuade users to divulge their passwords by posing as tech support or administrative staff.
Capture of credentials in transit: Even when strong passwords are used and users keep the passwords to themselves, savvy intruders may be able to capture the credentials when they are sent across the network if sufficient security measures aren't in place to prevent this.
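As an added example (not code from the original post), the following Python checker applies the weak-password points above from the defender's side: it flags a password that is short, that reduces to a dictionary word once common letter substitutions and appended digits are undone, or that contains personal details an intruder might know, such as a name, a birthday or a social security number. The word list and the user profile are constructed for the demonstration; a real deployment would load a full cracking dictionary.

```python
import re
from datetime import date

# Constructed mini word list standing in for a real cracking dictionary.
COMMON_WORDS = {"password", "welcome", "dragon", "letmein", "qwerty", "sunshine"}

# Typical "leet" substitutions users apply to a dictionary word.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw):
    """Reduce a password to its likely dictionary core: lower-case it, drop a
    trailing run of digits/symbols ('...2024!'), then undo leet substitutions."""
    s = pw.lower()
    s = re.sub(r"[^a-z]+$", "", s)
    return s.translate(LEET_MAP)


def personal_tokens(profile):
    """Derive guessable strings from facts an intruder may know about the user
    (hypothetical profile layout: names, dates and account-like numbers)."""
    tokens = {name.lower() for name in profile.get("names", [])}
    for d in profile.get("dates", []):
        for fmt in ("%Y", "%m%d", "%d%m", "%m%d%Y", "%d%m%Y", "%m%d%y", "%Y%m%d"):
            tokens.add(d.strftime(fmt))
    for num in profile.get("numbers", []):
        tokens.add(re.sub(r"\D", "", num))
    # Very short tokens would match almost anything, so ignore them.
    return {t for t in tokens if len(t) >= 4}


def weakness_reasons(pw, profile, dictionary=COMMON_WORDS, min_len=12):
    """Return a list of reasons the password is weak; an empty list means it
    passed every check here (length, dictionary word, personal information)."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    core = normalize(pw)
    if core in dictionary:
        reasons.append(f"dictionary word '{core}' (after undoing substitutions)")
    low, digits = pw.lower(), re.sub(r"\D", "", pw)
    for tok in sorted(personal_tokens(profile)):
        if tok.isdigit() and tok in digits:
            reasons.append(f"contains personal number {tok}")
        elif not tok.isdigit() and tok in low:
            reasons.append(f"contains personal name '{tok}'")
    return reasons


if __name__ == "__main__":
    # Constructed profile: the kind of facts a social engineer could learn.
    user = {"names": ["Alice"], "dates": [date(1985, 7, 4)], "numbers": ["123-45-6789"]}
    for candidate in ("P@ssw0rd1!", "Alice1985!", "correct-horse-battery-staple-77"):
        print(candidate, "->", weakness_reasons(candidate, user) or "no weakness found")
```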