Paper Authors

Abstract

NOTE: The first page of text has been automatically extracted and included below in lieu of an abstract

Password Auditing Tools

Abstract

A goal of computer system security is to prevent an attack, and authentication mechanisms can prevent a compromise on parts of a system. Most if not all forms of access are granted based on a single authentication scheme, and passwords are currently the most widely used authentication mechanism. Weak passwords have been cited by experts from industry, government, and academia as one of the most critical security threats to computer networks. However, various applications are available today which allow system administrators to assess the strength of their passwords in order to take the necessary precautions. The purpose of this report is to conduct a study of how well some of the more popular password auditing applications perform for Windows and UNIX operating systems.

Introduction

The three basic components of computer security are confidentiality, integrity, and availability. To ensure the integrity of a system, prevention and detection mechanisms are used to handle improper or unauthorized change. Prevention mechanisms specifically seek to maintain integrity by blocking any unauthorized attempts to access or change the data in a system 1. Authentication, also known as origin integrity, is the binding of an identity to a subject. Thus, an authentication mechanism is used to prevent a compromise on some parts of a system. Currently most forms of access are granted based on a single authentication scheme, and passwords are the most widely used authentication mechanism 1.

Password auditing is a method of ensuring that user passwords are strong, thus strengthening the authentication mechanism used by the organization. Only the system administrator implements password auditing. This method tests the strength of user passwords by executing similar attack techniques to what a hacker might use to compromise the system. Password auditing is an important method to use for securing a system. The auditing process can help organizations to protect against password attacks that could compromise their systems. There are many attacks that could potentially be used by hackers. These attacks include dictionary attacks, hybrid attacks, pre-computed attacks, brute force attacks, mask attacks, and distributed network attacks.

A dictionary attack uses a pre-defined dictionary file to compare against the passwords. Before the passwords in the file can be used for comparison, they must first go through the same hashing method used by the system on which the passwords are stored. Another type of attack is a hybrid attack. This attack checks for dictionary words that have significant letters replaced by special characters (i.e. $unshine). A pre-computed attack is similar to a dictionary attack but slightly more efficient because it uses a dictionary list that has already been hashed so it can do a straight comparison against each password. A brute-force attack tries every combination of letters, numbers, and special characters specified for the software. A mask attack uses a pre- defined mask that is known to be part of the password. Then, it uses a dictionary attack to compare against the remaining characters in the password. This method is more efficient than a dictionary attack, but more knowledge is needed to stage the attack. This method is more

1

• Citation

• Format
  • APA
  • APA - LaTeX bibitem
  • MLA
  • MLA - LaTeX bibitem
  • Bibtex
  • EndNote - RIS

Garcia, M. (2006, June), Password Auditing Tools Paper presented at 2006 Annual Conference & Exposition, Chicago, Illinois. 10.18260/1-2--192