WiKID Systems, Inc.
1350 Spring St.
Suite 300
Atlanta, Ga. 30309
866-244-1876
irc.freenode.net: #wikid
<p> While most IT people and almost all IT security people understand the weaknesses of passwords and, by extension, the benefits of two-factor authentication, there really isn't a central location of password weaknesses and problems readily available on the Internet. Further, it is abundantly clear that most Internet users have no idea why they should care about strong authentication, tolerate it, or perhaps even demand it from their company or the online services they use. </p>
<p>
So in the spirit of the Internet, we thought we would post some common password weaknesses in a Wiki format and let others add to the conversation. If spam becomes a problem, we'll have to adjust - perhaps by requiring a strong authentication login ;).
</p>
<h1>Password attacks:</h1>
<h3>Phishing</h3>
<p>Phishing is a combination of spam and a "man in the middle" (MITM) attack. The attacker spams the world with fake e-mails that appear to be from legitimate financial institutions or other online entities (eBay and PayPal are popular), but the links actually go to a fake web site. When the user enters their credentials into the fake website, the attacker turns around and enters the credentials into the real web site (thus, the man in the middle) and commits some fraud.</p>
<p>Obviously, just doing two-factor doesn't stop phishing because the phishers could write a program to automatically enter the one-time passcode into the real website. At WiKID, we could have our software token automatically launch the browser to the correct SSL-certified web site, which would eliminate the problem (as long as users recognized that it was the safe way to get there).
</p>
<h3>Trojans and keystroke loggers</h3>
<p>Trojans are programs, usually delivered via viruses, that monitor activity on a computer and send useful information back to their creator. The useful information could include usernames and passwords. Keystroke loggers are exactly that: they log keystrokes and send them home. They may be planted by a trojan. If you have ever used a public PC such as a web kiosk, chances are it had a keystroke logger on it. Here is a list of <a href="passewords/trojans">recent password stealing trojans</a>.
</p>
<h3>Using same password at more than one place</h3>
<p>Did you know that it is wrong to use the same password in more than one place? Can you imagine getting by on the Internet without reusing passwords? The problem is that any one of those sites might be compromised and could lead an attacker to your information. It would be easy to write an application that tests a username and password at multiple online banking sites.
</p>
<p>It may be possible for strong authentication to solve this problem, but it will take strong authentication based on public key cryptography, such as WiKID, and not the shared-secret tokens popular today (such as RSA's SecurID or CryptoCard). As you can guess, it is very hard to share a secret with a lot of different people and have it kept secret.
</p>
<h3>Brute-force attacks</h3>
<p>Brute-force attacks or dictionary attacks try to guess your password. The key here is automation. With the proper cracking software, a desktop PC can break a significant portion of a Windows password file in minutes and 95% of it in a day. Brute-force attacks are typically offline, as they would get noticed if performed online. However, there are ways to get credentials and then try to break them offline. One of those ways is the network sniffer.
</p>
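The two sections above describe the attacker's options when guessing passwords: offline cracking of captured credentials, or online guessing that "would get noticed", including trying one reused password against many accounts. The following is an added example (not WiKID's code) of the server-side detection that makes online guessing noticeable. It assumes a constructed, hypothetical login log layout (<code>timestamp user= src= result=</code>) and flags two patterns in a sliding window: many failures against one account, and one source touching many accounts.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical layout (not from any real product).
# 203.0.113.7 hammers one account; 198.51.100.9 tries a reused password
# against several accounts and succeeds on the third (credential reuse).
SAMPLE_LOG = """\
2006-03-01 09:00:01 user=alice src=203.0.113.7 result=fail
2006-03-01 09:00:05 user=alice src=203.0.113.7 result=fail
2006-03-01 09:00:09 user=alice src=203.0.113.7 result=fail
2006-03-01 09:00:14 user=alice src=203.0.113.7 result=fail
2006-03-01 09:00:20 user=alice src=203.0.113.7 result=fail
2006-03-01 09:01:00 user=bob src=198.51.100.9 result=fail
2006-03-01 09:01:02 user=carol src=198.51.100.9 result=fail
2006-03-01 09:01:04 user=dave src=198.51.100.9 result=ok
2006-03-01 09:02:00 user=erin src=192.0.2.44 result=fail
2006-03-01 09:02:30 user=erin src=192.0.2.44 result=ok
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) user=(\S+) src=(\S+) result=(ok|fail)$")

def parse(lines):
    """Yield (timestamp, user, src, result); silently skip malformed lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                   m.group(2), m.group(3), m.group(4))

def detect(lines, window=timedelta(minutes=5),
           max_fail_per_user=5, max_users_per_src=3):
    """Return (accounts to lock, sources that look like credential stuffing)."""
    fails_by_user = defaultdict(deque)   # user -> recent failure timestamps
    users_by_src = defaultdict(dict)     # src  -> {user: last attempt time}
    locked, stuffing = set(), set()
    for ts, user, src, result in parse(lines):
        # Successes count here too: a reused password that works is still
        # one source walking through many accounts.
        seen = users_by_src[src]
        seen[user] = ts
        if sum(1 for t in seen.values() if ts - t <= window) >= max_users_per_src:
            stuffing.add(src)
        if result == "fail":
            q = fails_by_user[user]
            q.append(ts)
            while ts - q[0] > window:      # drop failures outside the window
                q.popleft()
            if len(q) >= max_fail_per_user:
                locked.add(user)
    return locked, stuffing

if __name__ == "__main__":
    print(detect(SAMPLE_LOG.splitlines()))
```

The thresholds are illustrative; in practice the per-source rule is what catches password reuse attacks, since each account sees only one failed (or successful) attempt.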
<h3>Network sniffers</h3>
<p>Network sniffers grab packets off the network and analyze them. Historically, this meant getting to an open port on your network. But now it could be anywhere on the Internet. SSL encryption can protect your traffic, but have you ever logged into a non-SSL web site with the same password that you use for your SSL-encrypted web site? Do you know how to tell if you're using SSL encryption?
</p>
<p>Have you ever used a WiFi connection? What used to be hard - putting a sniffer onto a physical network - is absolutely easy on a WiFi network. Almost all of the attacks against WiFi have been authentication attacks. Moreover, if you're using a PPTP VPN client - or anything based on MS-CHAPv2 - your encrypted credentials can be brute-forced offline.
</p>
<h3>Passwords are written down</h3>
<p>If someone in your company writes down their password and sticks it on their monitor or even under their keyboard, they are inviting attack. Hackers have posed as cleaning crews or building maintenance to get credentials to use later. If you think that it would only affect those people who have written down their passwords, think again. The hacker wants to get on to the network to get something valuable. That may well be your social security number and identity information from the HR database.
</p>
<h3>Shoulder surfing</h3>
<p>Pretty self-explanatory. If you're using two-factor authentication, shoulder surfing does no good. You have to have knowledge of the PIN and possession of the secret.
</p>
<h3>Password Reset Attacks</h3>
<p>Online services have flourished over the last 10 years. They are a great way to centrally store information so that it can be accessed anywhere. These are typically scale businesses, with millions of customers. Instead of trying to support all the password reset calls (which cost a fortune), these services have automated password reset systems that ask you a question and then e-mail your password back to you or, worse, allow you to reset it. T-Mobile customers can reset their online passwords with just their cell phone number and pet's name. It is generally assumed that this is how Paris Hilton's Sidekick address book and photos ended up all over the Internet.
</p>
<hr />
<p>Certainly there are other attacks on reusable, static passwords. Are you ready to e-mail your bank and demand two-factor authentication?
</p>