June 18, 2006
June 18, 2006
June 21, 2006
11.985.1 - 11.985.9
Password Auditing Tools
A goal of computer system security is to prevent an attack, and authentication mechanisms can prevent a compromise on parts of a system. Most if not all forms of access are granted based on a single authentication scheme, and passwords are currently the most widely used authentication mechanism. Weak passwords have been cited by experts from industry, government, and academia as one of the most critical security threats to computer networks. However, various applications are available today which allow system administrators to assess the strength of their passwords in order to take the necessary precautions. The purpose of this report is to conduct a study of how well some of the more popular password auditing applications perform for Windows and UNIX operating systems.
The three basic components of computer security are confidentiality, integrity, and availability. To ensure the integrity of a system, prevention and detection mechanisms are used to handle improper or unauthorized change. Prevention mechanisms specifically seek to maintain integrity by blocking any unauthorized attempts to access or change the data in a system 1. Authentication, also known as origin integrity, is the binding of an identity to a subject. Thus, an authentication mechanism is used to prevent a compromise on some parts of a system. Currently most forms of access are granted based on a single authentication scheme, and passwords are the most widely used authentication mechanism 1.
Password auditing is a method of ensuring that user passwords are strong, thus strengthening the authentication mechanism used by the organization. Only the system administrator implements password auditing. This method tests the strength of user passwords by executing similar attack techniques to what a hacker might use to compromise the system. Password auditing is an important method to use for securing a system. The auditing process can help organizations to protect against password attacks that could compromise their systems. There are many attacks that could potentially be used by hackers. These attacks include dictionary attacks, hybrid attacks, pre-computed attacks, brute force attacks, mask attacks, and distributed network attacks.
A dictionary attack uses a pre-defined dictionary file to compare against the passwords. Before the passwords in the file can be used for comparison, they must first go through the same hashing method used by the system on which the passwords are stored. Another type of attack is a hybrid attack. This attack checks for dictionary words that have significant letters replaced by special characters (i.e. $unshine). A pre-computed attack is similar to a dictionary attack but slightly more efficient because it uses a dictionary list that has already been hashed so it can do a straight comparison against each password. A brute-force attack tries every combination of letters, numbers, and special characters specified for the software. A mask attack uses a pre- defined mask that is known to be part of the password. Then, it uses a dictionary attack to compare against the remaining characters in the password. This method is more efficient than a dictionary attack, but more knowledge is needed to stage the attack. This method is more
Garcia, M. (2006, June), Password Auditing Tools Paper presented at 2006 Annual Conference & Exposition, Chicago, Illinois. 10.18260/1-2--192
ASEE holds the copyright on this document. It may be read by the public free of charge. Authors may archive their work on personal websites or in institutional repositories with the following citation: © 2006 American Society for Engineering Education. Other scholars may excerpt or quote from these materials with the same citation. When excerpting or quoting from Conference Proceedings, authors should, in addition to noting the ASEE copyright, list all the original authors and their institutions and name the host city of the conference. - Last updated April 1, 2015