Password-based systems, in which validation rests on something the user knows about their identity, are generally the most common and necessary means of accessing the resources available on the World Wide Web through networks and the internet (Vaithyasubramanian & Christy, 2015).
Cracking user passwords online is one of the essential skills in hacking and penetration testing, with the aim of illegitimately accessing the system through an authenticated user. Since website authentication commonly requires a username and password, where the username can be the email address, it is imperative for the perpetrator to acquire the username before dealing with the password. When the username is …
The next chapter explains the methods used for this type of attack as reported in the literature, followed by an elaboration of the countermeasures. It closes with a detailed discussion of the tools and techniques needed to aid a forensic investigation.
A. User Passwords
One factor that contributes to the effectiveness of online password cracking attacks is users' easily guessed passwords. Voyiatzis, Fidas, Serpanos, Avouris, et al. (2011) provide an analysis of 19,000 actual passwords from different datasets. They identify factors that generally characterise the passwords, such as an average length of less than 7 characters and a predominance of alphanumeric characters.
Das, Bonneau, Caesar, Borisov, and Wang (2014) point out the issue of reusing passwords across multiple websites, which perpetrators can leverage in password guessing. Their survey finds that 43-51% of users use the same password for their accounts on different websites. Thus, it is imperative for users to have a different password for each website account.
B. Acquiring User …
The results show that the basic16 policy, which requires passwords of at least 16 characters, is the strongest. Das et al. (2014) also describe the password policies in place on some well-known websites in the social, blogging, email, shopping, and financial categories. There are similarities across social, blogging, and email websites, where the majority enforce a minimum password length of 6 or 8 characters.
Another approach to password creation is the use of mnemonic passwords, as recommended by Kuo et al. (2006). A survey was conducted in which users generated mnemonic passwords, which were then compared with control passwords. An example of a mnemonic password is "SWMtM$$!!", based on the quote "Show me the money!" from the movie Jerry Maguire, while a control password could be "atreyu09", from the character Atreyu in the movie The Never Ending Story II. The result indicates that 11% of the 146 control passwords were cracked, compared with only 4% of the 144 mnemonic passwords. However, it is suggested to avoid basing mnemonic passwords on phrases that are well known on the internet.
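The policy and guessability points made in sections A and B (short alphanumeric passwords, the 6/8-character minimums versus basic16, and mnemonics built on well-known phrases) can be checked mechanically. The following is an added illustration, not code from the paper or from any of the cited studies: it scores the two passwords the text quotes against the three minimum-length policies, estimates the brute-force guess space from the character classes used, and flags passwords whose base phrase appears in a constructed stand-in for a known-weak list. The class sizes, the `KNOWN_WEAK` set and the policy names `min6`/`min8` are assumptions made for the example.

```python
import math
import re

# Minimum-length policies discussed on the page: basic16 (at least 16
# characters) and the 6- and 8-character minimums common on social,
# blogging and email sites. The names min6/min8 are our own labels.
POLICIES = {"basic16": 16, "min8": 8, "min6": 6}

# Constructed stand-in for a list of well-known phrases and passwords;
# a real deployment would use a breached-password list (assumption).
KNOWN_WEAK = {"password", "123456", "qwerty", "letmein", "showmethemoney"}

# Character classes and the alphabet size each contributes to the guess space.
CLASS_SIZES = [
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^a-zA-Z0-9]"), 33),  # printable ASCII symbols
]


def meets_policy(pw: str, policy: str) -> bool:
    """True if pw satisfies the named minimum-length policy."""
    return len(pw) >= POLICIES[policy]


def alphabet_size(pw: str) -> int:
    """Size of the smallest class-based alphabet that contains every character."""
    return sum(size for pattern, size in CLASS_SIZES if pattern.search(pw))


def guess_bits(pw: str) -> float:
    """Crude brute-force search space in bits: len * log2(alphabet).

    This is an upper bound only: dictionary words, reused passwords and
    well-known phrases fall far below it, which is why is_known_weak exists.
    """
    if not pw:
        return 0.0
    return len(pw) * math.log2(alphabet_size(pw))


def normalize(text: str) -> str:
    """Lower-case and strip non-alphanumerics so phrase variants collapse."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def is_known_weak(text: str) -> bool:
    """Flag a password, or the base phrase of a mnemonic, found in KNOWN_WEAK."""
    return normalize(text) in KNOWN_WEAK


def assess(pw: str) -> dict:
    """Summarise a password against the policies and the guess-space estimate."""
    return {
        "length": len(pw),
        "policies": {name: meets_policy(pw, name) for name in POLICIES},
        "guess_bits": round(guess_bits(pw), 1),
        "known_weak": is_known_weak(pw),
    }


if __name__ == "__main__":
    # The two passwords the paper quotes, a constructed 16+ character
    # passphrase, and a common weak password.
    for pw in ["atreyu09", "SWMtM$$!!", "blue tractor on the moon", "password"]:
        print(pw, assess(pw))
    # The mnemonic's base phrase is itself well known, which the paper warns against.
    print("base phrase known weak:", is_known_weak("Show me the money!"))
```

Running the block shows why the paper's findings line up: "atreyu09" (lower case plus digits, 8 characters) has a search space of roughly 41 bits and only passes the 6- and 8-character policies, "SWMtM$$!!" mixes three classes for roughly 58 bits but still fails basic16, and a plain lower-case passphrase of 16 or more characters exceeds both. The final check demonstrates the paper's caveat on mnemonics: the password "SWMtM$$!!" is not in the weak list, but its base phrase is.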
C. Forensics
When a successful attack is executed on a website through an authenticated user, it is important to verify whether the source is the real account owner or the perpetrator
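One piece of evidence an investigator uses for that verification is the login audit trail: a success that follows a burst of failed attempts from the same source, or that comes from a source with no prior successful login for that account, is the signature of an online guessing attack rather than the owner. The following is an added example, not code from the paper or from any cited study; it parses a constructed login log (the record format, field names and RFC 5737 documentation addresses are assumptions) and returns the successful logins that merit forensic review, with the reason for each.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of web-login audit records (not from the paper). The
# one-line "ts user=... ip=... result=OK|FAIL" format is an assumption; real
# logs differ, but the fields needed are the same. Sources use RFC 5737
# documentation addresses.
SAMPLE_LOG = """\
2024-03-01T10:00:01 user=alice ip=198.51.100.7 result=OK
2024-03-01T10:05:00 user=alice ip=203.0.113.5 result=FAIL
2024-03-01T10:05:02 user=alice ip=203.0.113.5 result=FAIL
2024-03-01T10:05:04 user=alice ip=203.0.113.5 result=FAIL
2024-03-01T10:05:06 user=alice ip=203.0.113.5 result=FAIL
2024-03-01T10:05:08 user=alice ip=203.0.113.5 result=FAIL
2024-03-01T10:05:10 user=alice ip=203.0.113.5 result=OK
2024-03-01T11:00:00 user=bob ip=198.51.100.9 result=FAIL
2024-03-01T11:00:40 user=bob ip=198.51.100.9 result=OK
"""


def parse_log(text: str) -> list:
    """Turn the audit lines into event dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": fields["user"],
            "ip": fields["ip"],
            "ok": fields["result"] == "OK",
        })
    return events


def find_suspicious_logins(events: list, max_fails: int = 3,
                           window: timedelta = timedelta(minutes=10)) -> list:
    """Return successful logins worth forensic review.

    A success is flagged when (a) at least max_fails failures for the same
    user from the same IP occurred within `window` before it, which is the
    pattern of an online guessing attack, or (b) the IP has never produced a
    successful login for this user before, which distinguishes a new source
    from the owner's usual one. Both thresholds are assumptions for the example.
    """
    events = sorted(events, key=lambda e: e["ts"])
    known_ips = defaultdict(set)       # user -> IPs with a prior successful login
    recent_fails = defaultdict(list)   # (user, ip) -> timestamps of failures
    alerts = []
    for e in events:
        key = (e["user"], e["ip"])
        if not e["ok"]:
            recent_fails[key].append(e["ts"])
            continue
        fails = [t for t in recent_fails[key] if e["ts"] - t <= window]
        reasons = []
        if len(fails) >= max_fails:
            reasons.append(f"{len(fails)} failures within {window} before success")
        if known_ips[e["user"]] and e["ip"] not in known_ips[e["user"]]:
            reasons.append("success from IP with no prior successful login for this user")
        if reasons:
            alerts.append({"ts": e["ts"].isoformat(), "user": e["user"],
                           "ip": e["ip"], "reasons": reasons})
        known_ips[e["user"]].add(e["ip"])
        recent_fails[key].clear()
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample, alice's first login from 198.51.100.7 establishes her usual source and is not flagged; the later success from 203.0.113.5 is flagged on both counts (five failures in the preceding ten seconds and a source with no prior success for her account), while bob's single mistyped password before a success is treated as normal. Both thresholds would be tuned to the site's own baseline, and an investigator would corroborate a flagged login with further evidence (session activity, user agent, geolocation) before attributing it.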