Digitisation of businesses has slowly but surely pushed most of the work flow processes towards automation, especially computers. In fact, even as I write there are organizations who are contemplating to migrate to cloud and other platforms. The reason is because of enhanced security – both internal and external. One of the nightmares which any network administrator dreads to think about is user account compromise, typically when a password is hacked and then exploited for data thievery. User login and authentication theft is one of the largest if not the only network security issues that plaques the IT milieu.
Worldwide, users create login details, especially passwords which are not too difficult and also easy to remember. In spite of repetitive warnings and awareness programs conducted by IT administrator, most of the employees tend to incorporate their personal details such as date of birth, pin code or vehicle numbers while generating password for accessing sensitive resources such as database, email and web ( intranet and internet ).
Does this seem like a recipe for disaster? Yes, of course. Industries such as finance and banking, stock trading, telecommunications and large organizations are password dependent for several day to day activities, and any weaknesses here could lead to catastrophe.
So, how are passwords cracked and how does one improve the IT security system? Mentioned below are some of the ways a password can be cracked and its remedies.
As the name suggests, brute force literally means logging into an account with the sole aim of harming / exploiting resources once access is achieved. This entity uses a combination of numbers and characters to get through. Although this method may not result in high success rate due to built-in safety systems such as Captcha and a cap on unsuccessful logins attempts, it still possess a huge threat as some of the shenanigans use software / tools for narrowing down the user details.
The only remedy against brute force is to set up complex user login parameters. Administrator should make sure that employees actually follow this practice religiously.
2. URL Interception
Password sent across an URL ( through forms ) can be technically intercepted with simple knowledge of scripting language/s and internet protocols. Due to its inherent client / server design, web applications boast a host of vulnerable elements such as search textbox, forms, user login page and of course filters ( generally used in Ecommerce web portals ). These are prone to attacks. How? For example, SQL injection is a popular way of manipulating database and login algorithms via hand coded SQL queries. A successful injection could lead to data sabotage or misuse. Order processing forms are yet another resource which many hackers exploit disdainfully.
Developers must follow semantic coding practices. For example, limiting the use of HTML tags and scripting syntax in forms / textboxes can reduce SQL injection whereas submission of forms can be made safe using secure transfer protocols.
Many wannabe password seekers use this method to access private and confidential data. Guesswork simply means that this entity or a group of tech savvy individuals’ first dig out some of the vital information about the company, its system administrator and also the hosting details. These entities then manipulate several combinations, mostly names and numbers belonging to the concerned organisation. Guesswork tools when offered a range of “Possible” options can narrow down the password. Some of the tools also offer a pattern across the entire network.
Administrators should avoid personal names, data of births and those belonging to the owners.
4. Key logging
Key logging is available as a tool and the same can also be pushed into the network via Trojan. Once activated it sniffs, captures and then builds the list of keystrokes. Password crackers and data thieves then access the resultant text file and exploit it for various malicious activities.
Running a robust antivirus and activity tracker tool can warn administrators of their presence which for all purposes operate in deceptive mode. Key logging infections were rampant earlier, however today its charm is lost due to user awareness and the complexity of web / desktop applications.
Phishing, peeping over shoulder or eavesdropping are some of the other ways passwords and/or login details are compromised. I firmly believe that conducting regular awareness programs within the organization, installing latest monitoring tools and using multi-factor authentication methods can improve network security environment to a large extent. I also believe that passwords are here to stay for a long time in spite of biometric, facial and fingerprinting security systems.