d

Password Security: The Complete Documentation

• This category contains 11 Papers
• The last paper was added on 2007-03-26 (YYYY-MM-DD)

Acoustic cryptanalysis - On nosy people and noisy machines

Published on 2005, by Adi Shamir and Eran Tromer, ©Adi Shamir and Eran Tromer.

One of the methods for extracting information from supposedly secure systems is side-channel attacks: cryptanalytic techniques that rely on information unintentionally leaked by computing devices. Most side-channel attack research has focused on electromagnetic emanations (TEMPEST), power consumption and, recently, diffuse visible light from CRT displays. The oldest eavesdropping channel, namely acoustic emanations, has received little attention. Our preliminary analysis of acoustic emanations from personal computers shows them to be a surprisingly rich source of information on CPU activity.

Choosing and Protecting Passwords

Published on 2004-02-12, by Mindi McDowell, Jason Rafail, Shawn Hernan, ©Carnegie Mellon University.

Passwords are a common form of authentication and are often the only barrier between a user and your personal information. There are several programs attackers can use to help guess or "crack" passwords, but by choosing good passwords and keeping them confidential, you can make it more difficult for an unauthorized person to access your information.

How to Reset forgotten Root passwords

Published on 2004, by Suramya Tomar, ©Suramya Tomar.

Suppose you have just taken over as a new system administrator from another person just before they left and they forgot to give you the root password. Now, let's say you have to install the latest version of PHP on the system so that the sales department's website works the way its supposed to. You have to get the website up yesterday, since you are losing money every minute it doesn't work. Or maybe you simply need to add another user to the system.

Keyboard Acoustic Emanations Revisited

Published on 2005, by Li Zhuang, Feng Zhou, J. D. Tygar, ©Li Zhuang, Feng Zhou, J. D. Tygar.

We examine the problem of keyboard acoustic emanations. We present a novel attack taking as input a 10-minute sound recording of a user typing English text using a keyboard, and then recovering up to 96% of typed characters. There is no need for a labeled training recording. Moreover the recognizer bootstrapped this way can even recognize random text such as passwords: In our experiments, 90% of 5-character random passwords using only letters can be generated in fewer than 20 attempts by an adversary; 80% of 10- character passwords can be generated in fewer than 75 attempts. Our attack uses the statistical constraints of the underlying content, English language, to reconstruct text from sound recordings without any labeled training data. The attack uses a combination of standard machine learning and speech recognition techniques, including cepstrum features, Hidden Markov Models, linear classification, and feedback-based incremental learning.

NT Local Administrator and Shared Passwords (The)

Published on April 02, 2001, by Daniel Marvin, ©SecurityFocus.

There is a Local Administrator account on every NT machine currently deployed. This account can be renamed, but not removed. It is extremely common to find many NT machines in an enterprise sharing the same password for this Local Administrator account. This article will establish that this shared password constitutes a security vulnerability, discuss various steps to mitigate the risk arising from the shared password, and make a case for applying unique passwords to every Local Administrator account in your enterprise.

Password Crackers - Ensuring the Security of Your Password

Published on February 19, 2001, by A. Cliff, ©SecurityFocus.

Strong, secure passwords are a cornerstone of an effective security strategy. Passwords ensure that only authorized personnel will be able to gain access to a system or network. Unfortunately this is not always the case. Passwords are usually invented and implemented by the individuals who are utilizing the computer or the network. The words, symbols, dates that make up the password usually have some personal meaning to the user so that the he or she can easily remember it. Herein lies the problem. Many users will place priority on convenience over security. As a result, they choose passwords that are relatively simple. While this helps them to recall the password when it comes time to logon - it also makes the password much easier for hackers to crack. Potential hackers will probe your network looking for the weak link that will give them entry. The most notorious and the easiest to exploit is a weak password. The first line of security defence thus becomes one of the weakest.

Passwords - Common Attacks and Possible Solutions

Published on 2004-11-15, by Dancho Danchev, ©Help Net Security.

Making sure authorized users have access to either sensitive company information or their personal e-mail can be a daunting task, given the fact that an average user has to remember at least 4/5 passwords, a couple of which have to be changed on a monthly basis. The majority of users are frustrated when choosing or remembering a password, and are highly unaware of the consequences of their actions while handling accounting data.

Passwords you'll never forget, but can't recall

Published on 2004, by Daphna Weinshall and Scott Kirkpatrick, .

We identify a wide range of human memory phenomena as potential certificates of identity. These "imprinting" behaviors are characterized by vast capacity for complex experiences, which can be recognized without apparent effort and yet cannot be transferred to others. They are suitable for use in near zero-knowledge protocols, which minimize the amount of secret information exposed to prying eyes while identifying an individual. We sketch several examples of such phenomena, and apply them in secure certification protocols. This provides a novel approach to human-computer interfaces, and raises new questions in several classic areas of psychology.

Simplest Security: A Guide To Better Password Practices (The)

Published on January 10, 2002, by Sarah Granger, ©SecurityFocus.

Let's be honest, passwords are annoying. These days, we need a password or PIN everywhere. We have so many that we can't keep track of them all. We forget to update them; and when we do, it's difficult to come up with effective ones that we can still remember, so we procrastinate changing them for months, even years. We all know this is bad, but the alternative – the painful, irritating password creation and memorization process – is sometimes more than we can tolerate. There is hope! Passwords don't have to be complex cryptograms. A few simple methods can help make living with passwords a little easier.

Ten Windows Password Myths

Published on January 10, 2002, by Mark Burnett, ©SecurityFocus.

With all of our advances in security technology, one aspect remains constant: passwords still play a central role in system security. The difficulty with passwords is that all too often they are the easiest security mechanism to defeat. Although we can use technology and policy to make passwords stronger, we are still fighting the weakest point in any system: the human element.

UNIX Password Security

Published on December 06, 1993, by Walter Belgers, ©The JNT Association.

This document was written to make system administrators aware of the importance of well-chosen passwords. Easy-to-guess passwords offer hackers the possibility to enter a system. More and more computers are being connected to the world-wide Internet (the latest estimations speak of about 1.5 billion systems). This means there will be more and more users, and therefore more and more hackers. By means of good password-security, one can protect a system from newbie hackers.