Web Based Password Cracking

A Large Scale Study of Web Password Habits

Web Based Password Cracking Internet Security Whitepapers

Passwords play a large part in the typical web user's experience. They are the near universal means for gaining access to accounts of all kinds. Email, banks, portals, dating and social networking sites all require passwords. So important are they that HTML has a special form field to allow for the special treatment they require, and an important role of SSL is protecting the secrecy of passwords from observers of the connection. Alternatives to passwords certainly exist. Hardware authentication, e.g. [1], is sometimes used for access to corporate networks. However, this requires an issuing authority and seems to be limited to environments that justify the cost, such as in the employer-employee relationship. Challenge response authentication has the advantage that observing a single successful sign in does not allow an attacker to gain the secret.

A Simple Procedure for Finding Guessing Attacks

Security protocols that use weak passwords (e.g. human chosen) can be subject to guessing attacks [GLMS93]. Guessing attacks exist in two flavours: online and offline. In online guessing attacks the intruder is allowed to generate fake messages and to supply them to the honest agents, for instance for checking whether a certain guess is correct. In offline guessing attacks, on the other hand, the intruder first gathers some knowledge K from the protocol execution, and then proceeds offline to perform a password search.
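The online/offline distinction above, together with the challenge-response property mentioned in the first abstract, as an added example that is not code from either paper. It simulates a toy challenge-response sign-in (response = HMAC-SHA256 keyed by the password over a server nonce), then plays the intruder two ways: online, submitting guesses to the honest server until its lockout trips, and offline, checking guesses against the knowledge K = (challenge, response) gathered from one observed honest run. The protocol, the wordlist, the victim password and the lockout threshold are all constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed wordlist standing in for the intruder's dictionary; the victim's
# password is deliberately a human-chosen one that appears in it.
WORDLIST = ["password", "letmein", "qwerty", "sunshine", "dragon"]


def client_response(password: str, challenge: bytes) -> bytes:
    """Client side of a toy challenge-response sign-in: prove knowledge of the
    password without transmitting it. Response = HMAC-SHA256(password, challenge)."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


class Server:
    """Honest server: issues fresh challenges and locks the account after
    MAX_FAILURES wrong responses, the usual defence against online guessing."""

    MAX_FAILURES = 3

    def __init__(self, password: str):
        self._password = password
        self.failures = 0
        self.locked = False

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if self.locked:
            return False
        ok = hmac.compare_digest(client_response(self._password, challenge), response)
        if not ok:
            self.failures += 1
            self.locked = self.failures >= self.MAX_FAILURES
        return ok


def observe_honest_run(server: Server, password: str):
    """Passive intruder watches one honest sign-in. The transcript does not
    reveal the password directly, but K = (challenge, response) is a verifier
    against which guesses can be checked without the server's involvement."""
    challenge = server.challenge()
    response = client_response(password, challenge)
    assert server.verify(challenge, response)
    return challenge, response


def offline_guess(knowledge, wordlist):
    """Offline attack: every guess is checked locally against K. The server
    sees nothing, so no lockout or rate limit applies; only the dictionary
    size and the cost of one HMAC bound the search."""
    challenge, response = knowledge
    for guess in wordlist:
        if hmac.compare_digest(client_response(guess, challenge), response):
            return guess
    return None


def online_guess(server: Server, wordlist):
    """Online attack: each guess is a fake protocol run against the honest
    server, which counts failures. Returns (password or None, attempts used)."""
    attempts = 0
    for guess in wordlist:
        if server.locked:
            break
        challenge = server.challenge()
        attempts += 1
        if server.verify(challenge, client_response(guess, challenge)):
            return guess, attempts
    return None, attempts


def demo():
    password = "sunshine"  # constructed victim password, present in WORDLIST
    transcript = observe_honest_run(Server(password), password)
    return offline_guess(transcript, WORDLIST), online_guess(Server(password), WORDLIST)


if __name__ == "__main__":
    print(demo())  # ('sunshine', (None, 3))
```

With the same wordlist the online attacker is locked out after three tries, while the offline attacker recovers the password from a single captured transcript. This is the practical reason weak human-chosen passwords are dangerous even in a protocol that never sends the password itself: the transcript is the guess-checking oracle.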

Authentication and Session Management on the Web

This paper looks at the security concerns specific to websites that have a secure area where users can login. For much of the paper we use the example of Acme Enterprises, a fictitious company that sells generic goods by mail order. The company already has a basic website that provides a catalogue of its products. It is now looking to expand this to include an area where customers can manage their accounts. The security challenge is to keep the account information confidential, to prevent unauthorized modification and to ensure the account management system is always available for use. This is the fundamental triangle of information security – confidentiality, integrity and availability.

Biometric Authentication Systems

Web Based Password Cracking Internet Security Whitepapers Physical Security System Hacking

This paper presents our conclusions from a year-long study of biometric authentication techniques and actual deployment potential, together with an independent testing of various biometric authentication products and technologies. We believe that our experience can help the reader in considering whether and what kind of biometric authentication should or should not be used in a given system. Biometric technology has not been studied solely to authenticate humans. A biometric system for race horses is being investigated in Japan and a company that imports pedigree dogs into South Africa uses a biometric technique to verify the dogs being imported.

Dos and Don'ts of Client Authentication on the Web

Client authentication is a common requirement for modern Web sites as more and more personalized and access-controlled services move online. Unfortunately, many sites use authentication schemes that are extremely weak and vulnerable to attack. These problems are most often due to careless use of authenticators stored on the client. We observed this in an informal survey of authentication mechanisms used by various popular Web sites. Of the twenty-seven sites we investigated, we weakened the client authentication of two systems, gained unauthorized access on eight, and extracted the secret key used to mint authenticators from one.
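A concrete version of the failure the survey reports, as an added example that is my own illustration and not the paper's scheme: an authenticator minted from an unkeyed hash of the username, which any client that works out the construction can reproduce, beside one minted with a server-held key and an expiry, which cannot be forged without that key. The field layout, the key value and the function names are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed server-side secret; in a real deployment it never leaves the server.
SERVER_KEY = b"constructed-example-key-do-not-reuse"


# --- Weak authenticator: username plus an unkeyed hash of it.
# The construction is the only "secret", so any client that works it out can
# mint a valid authenticator for any user.
def weak_mint(username: str) -> str:
    return f"user={username}&digest={hashlib.md5(username.encode()).hexdigest()}"


def weak_verify(token: str):
    fields = dict(part.split("=", 1) for part in token.split("&"))
    expected = hashlib.md5(fields["user"].encode()).hexdigest()
    return fields["user"] if hmac.compare_digest(expected, fields["digest"]) else None


# --- Keyed authenticator: HMAC over the fields under a server-held key, with
# an expiry so a stolen cookie has a bounded lifetime.
def mint(username: str, now: float, ttl: int = 3600, key: bytes = SERVER_KEY) -> str:
    if "&" in username or "=" in username:
        raise ValueError("username must not contain field delimiters")
    payload = f"user={username}&exp={int(now) + ttl}"
    digest = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}&digest={digest}"


def verify(token: str, now: float, key: bytes = SERVER_KEY):
    """Return the authenticated username, or None if the MAC or expiry fails."""
    payload, sep, digest = token.rpartition("&digest=")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, digest):  # constant-time comparison
        return None
    fields = dict(part.split("=", 1) for part in payload.split("&"))
    if int(fields.get("exp", 0)) < now:
        return None
    return fields.get("user")


def impersonate(victim: str, now: float):
    """Attacker without SERVER_KEY tries to log in as victim under both schemes:
    the weak one accepts the self-minted token, the keyed one rejects it."""
    weak = weak_verify(weak_mint(victim))
    keyed = verify(mint(victim, now, key=b"attacker-guess"), now)
    return weak, keyed
```

The keyed scheme still depends entirely on the key staying on the server: the abstract's case where the survey "extracted the secret key used to mint authenticators" turns the strong scheme into the weak one, since whoever holds the key can mint for any user. Key storage and rotation are therefore part of the design, not an afterthought.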

Stronger Password Authentication Using Browser Extensions

In this paper, we describe the design, user interface, and implementation of a browser extension, PwdHash, that strengthens web password authentication. We believe that by providing customized passwords, preferably over SSL, we can reduce the threat of password attacks with no server changes and little or no change to the user experience. Since the users who fall victim to many common attacks are technically unsophisticated, our techniques are designed to transparently provide novice users with the benefits of password practices that are otherwise only feasible for security experts. We have experimented with Internet Explorer and Mozilla Firefox implementations and report the result of initial user studies.
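The customized-password idea the abstract describes, as an added example. This is not PwdHash's own algorithm (the paper specifies that itself); it is a plain illustration of deriving a per-site password from the master password and the site's host with PBKDF2, so the same master yields different passwords for the genuine site and a look-alike phishing host. It also shows the limit a practitioner should keep in mind: if a site leaks the derived password, an attacker who knows the scheme can still guess a weak master offline. The iteration count, output length and host-level granularity are choices made for the example.

```python
import base64
import hashlib
from urllib.parse import urlsplit

ITERATIONS = 50_000  # illustrative work factor, not a recommendation


def site_domain(url: str) -> str:
    """The host keys the derivation, so a look-alike phishing host receives a
    different password than the genuine site. (Assumed host-level granularity.)"""
    return (urlsplit(url).hostname or "").lower()


def site_password(master: str, url: str, length: int = 16) -> str:
    """Derive a customized password: one master, a distinct password per site,
    and the site only ever sees the derived value."""
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), site_domain(url).encode(),
                              ITERATIONS, dklen=24)
    return base64.b64encode(raw).decode()[:length]


def recover_master(leaked: str, url: str, wordlist):
    """Caveat: a site that leaks its derived password hands an attacker who knows
    the scheme and the host an offline verifier for the master. Per-site
    derivation stops cross-site reuse and phishing, not a dictionary attack on
    a weak master."""
    for guess in wordlist:
        if site_password(guess, url, len(leaked)) == leaked:
            return guess
    return None


def demo():
    master = "sunshine"  # constructed weak master password
    genuine = site_password(master, "https://www.example.com/login")
    phishing = site_password(master, "https://www.examp1e.com/login")
    cracked = recover_master(genuine, "https://www.example.com/", ["password", "sunshine"])
    return genuine != phishing, cracked
```

The two properties a practitioner should check before trusting such a scheme are exactly the ones the functions exercise: that every page of the same host derives the same password (otherwise users cannot log in), and that a host differing by one character derives a different one (otherwise the phishing protection is illusory).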