NIS 2.1 Identification & Authentication

The document discusses the importance of identification and authentication in secure systems, focusing on user name and password mechanisms. It outlines various password security strategies and common attacks such as guessing, piggybacking, shoulder surfing, and dumpster diving. Additionally, it emphasizes the need for robust password management practices to prevent unauthorized access and ensure user accountability.

Uploaded by

shubhangiadate63

Identification & Authentication: User Name & Password, Guessing Password, Password Attacks - Piggybacking, Shoulder Surfing, Dumpster Diving

• A secure system needs to track the identities of the users requesting its services.
• Authentication is the process of verifying a claimed identity. There are two reasons for authenticating a user:
• First, the user's identity is a parameter in access control decisions.
• Second, the user's identity is recorded when security-relevant events are logged in an audit trail.
Identification & Authentication:
• When a user logs on to a computer, two things happen:
1) Identification: the user claims an identity, typically by entering a user name.
2) Authentication: the user proves that claim, typically by entering the password associated with that user name.
• After the user name and password are entered, the computer compares the input against the entries stored in its password file. Login succeeds if both are valid and fails otherwise. A well-designed system never stores the password itself, only a salted hash of it, so the comparison is made on the hash of what the user typed.
• Many systems count failed login attempts and deny further attempts once a threshold has been reached. Today most computer systems use identification and authentication by user name and password as the first layer of protection. The mechanism is widely accepted because it is easy to implement.
• But managing password security can be expensive, and obtaining a valid password remains one of the most common ways of gaining unauthorized access to a computer system.
• Three main security processes work together to provide access to assets in a controlled manner. These processes are:
1. Authentication: often referred to as Identification and Authentication; determining and validating the user's identity.
2. Authorization: giving users access to the resources they are allowed to use and preventing them from accessing resources they are not allowed to use.
3. Accounting: providing an audit trail of user actions. This is sometimes referred to as auditing.
Guessing Password:
• Password selection is critical because of attacks that guess a valid password. Attackers generally follow two basic password guessing strategies:
1. Exhaustive Search: the attacker tries all possible combinations of valid symbols up to a certain length. Example: brute force attacks. The number of candidates grows exponentially with length, which is why length defends against this strategy better than any single character class.
2. Intelligent Search: the attacker narrows the search using the user's personal information (name, birth date, family members' names, phone number, etc.) and lists of popular passwords. Example: dictionary attacks (trying every entry of a wordlist, usually with common mutations such as an appended year or "123").
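The two strategies side by side, as an added example that is not part of the original slides. The target passwords, the victim "profile" and the five-entry popular-password list are constructed for the demo, and an unsalted SHA-256 stands in for whatever the real password store uses; the point is the number of guesses each strategy needs, not the hash.

```python
# Added example, not from the original slides: exhaustive search versus
# intelligent search against a demo hash. Targets, profile and wordlist are
# constructed; unsalted SHA-256 is a stand-in for the real password store.
import hashlib
import itertools
import string

LOWER_DIGITS = string.ascii_lowercase + string.digits      # 36 symbols
ALNUM_MIXED = string.ascii_letters + string.digits         # 62 symbols
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "admin"]


def h(guess: str) -> str:
    return hashlib.sha256(guess.encode()).hexdigest()


def keyspace_size(alphabet_len: int, max_len: int) -> int:
    """Candidates an exhaustive search must cover for lengths 1..max_len."""
    return sum(alphabet_len ** n for n in range(1, max_len + 1))


def exhaustive_search(target_hash: str, alphabet: str, max_len: int):
    """Brute force: every string over `alphabet` up to `max_len` characters.
    Returns (password, guesses_tried) or (None, guesses_tried)."""
    tried = 0
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            tried += 1
            guess = "".join(combo)
            if h(guess) == target_hash:
                return guess, tried
    return None, tried


def intelligent_candidates(profile: dict):
    """Intelligent search: seeds from a popular-password list and the
    victim's personal data, each with the mutations users typically apply
    (capitalisation, appended birth year or '123', trailing '!' or '1')."""
    year = str(profile.get("birth_year", ""))
    seeds = COMMON_PASSWORDS + [
        profile.get("first_name", ""),
        profile.get("last_name", ""),
        profile.get("pet", ""),
    ]
    seen = set()
    for seed in filter(None, seeds):
        for base in (seed.lower(), seed.capitalize()):
            for suffix in ("", year, year[-2:], "123", "!", "1"):
                guess = base + suffix
                if guess not in seen:     # suffixes collide when year is empty
                    seen.add(guess)
                    yield guess


def intelligent_search(target_hash: str, profile: dict):
    """Returns (password, guesses_tried) or (None, guesses_tried)."""
    tried = 0
    for guess in intelligent_candidates(profile):
        tried += 1
        if h(guess) == target_hash:
            return guess, tried
    return None, tried


if __name__ == "__main__":
    # A short lowercase+digit password falls to exhaustive search quickly.
    print(exhaustive_search(h("ab1"), LOWER_DIGITS, 3))
    # Nine mixed-case characters: more than 1e16 candidates, infeasible here ...
    print("%.2e candidates for up to 9 mixed chars" % keyspace_size(62, 9))
    # ... but a first name plus birth year falls to the intelligent search at once.
    victim = {"first_name": "Rahul", "last_name": "Patil", "birth_year": 1995}
    print(intelligent_search(h("Rahul1995"), victim))
```

A nine-character mixed-case password is out of reach for the brute-force loop, yet "Rahul1995" is found in well under a hundred guesses once the attacker knows a name and a birth year; this is the gap the "avoid obvious passwords" advice below is closing.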
• The following precautions can be taken by users and administrators:
1. Change Default Passwords: default accounts such as admin often ship with default passwords such as admin. If the system administrator does not change them, an attacker can enter the system with no guessing at all.
2. Length of Password: to defeat exhaustive search, enforce a minimum length. (Classic UNIX crypt(3) used only the first 8 characters of a password, which is where the old "8 characters" figure comes from; modern systems accept, and should encourage, much longer passphrases.)
3. Format of Password: the password should contain at least one of each of the following:
 One or more uppercase letters (A-Z)
 One or more lowercase letters (a-z)
 One or more numbers (0-9)
 One or more special characters or punctuation marks (! @ # $ % & *, etc.)
- Passwords are case sensitive; the user name or login ID is not.
- Password history requires a number of unique passwords before an old password may be reused. This number should be no less than 24.
• Maximum password age: 60 days
• Minimum password age: 2 days
(Current NIST guidance in SP 800-63B recommends against forcing periodic changes unless there is evidence of compromise, because forced rotation pushes users towards predictable variations of the old password.)
4. Avoid Obvious Passwords: many attackers keep lists of popular passwords and use dictionary attacks to catch them, so it is best practice to avoid such passwords.
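The rules above as a change-password handler would enforce them, as an added example that is not part of the original slides. The 24-entry history and the 2-day/60-day age limits are the figures from the text; the minimum length of 12, the PBKDF2 round count, the short list of obvious passwords and the user record are assumptions made for the demo.

```python
# Added example, not from the original slides: format, history and age
# checks for a password change. MIN_LENGTH, PBKDF2_ROUNDS, OBVIOUS and the
# demo user are assumptions; HISTORY_DEPTH and the ages are from the text.
import hashlib
import os
import string
from datetime import datetime, timedelta

MIN_LENGTH = 12
HISTORY_DEPTH = 24                    # the last 24 passwords may not be reused
MIN_AGE = timedelta(days=2)
MAX_AGE = timedelta(days=60)
PBKDF2_ROUNDS = 50_000                # low for a quick demo; raise in production
OBVIOUS = {"admin", "password", "changeme", "123456"}   # constructed short list


def format_problems(pw: str) -> list:
    """Every format rule the candidate violates (empty list means it passes)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    if pw.lower() in OBVIOUS:
        problems.append("obvious or default password")
    return problems


def hash_password(pw: str, salt: bytes = None):
    """Salted PBKDF2 so the history never holds a password in clear."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


def in_history(pw: str, history: list) -> bool:
    """Re-derive with each stored salt; true if the candidate was used before."""
    return any(hash_password(pw, salt)[1] == digest
               for salt, digest in history[-HISTORY_DEPTH:])


def new_user(username: str, password: str, when: datetime) -> dict:
    # Login IDs are not case sensitive, so store them normalised; passwords are.
    return {"username": username.lower(),
            "history": [hash_password(password)],
            "changed_at": when}


def change_password(user: dict, new_pw: str, now: datetime):
    """Returns (ok, reason). Enforces minimum age, format and history rules."""
    if now - user["changed_at"] < MIN_AGE:
        return False, "minimum password age not reached"
    problems = format_problems(new_pw)
    if problems:
        return False, "; ".join(problems)
    if in_history(new_pw, user["history"]):
        return False, "password reused within the last %d" % HISTORY_DEPTH
    user["history"].append(hash_password(new_pw))
    user["changed_at"] = now
    return True, "password changed"


def must_change(user: dict, now: datetime) -> bool:
    """True once the maximum password age has elapsed."""
    return now - user["changed_at"] >= MAX_AGE


def run_demo() -> dict:
    """Walk a constructed user through the rules and return each outcome."""
    user = new_user("Alice", "Old-Password-1!", datetime(2024, 1, 1))
    return {
        "too_soon": change_password(user, "New-Password-2!", datetime(2024, 1, 2))[0],
        "weak": change_password(user, "alllowercase", datetime(2024, 1, 10))[0],
        "reused": change_password(user, "Old-Password-1!", datetime(2024, 1, 10))[0],
        "accepted": change_password(user, "New-Password-2!", datetime(2024, 1, 10))[0],
        "expired_by_march": must_change(user, datetime(2024, 3, 15)),
        "username": user["username"],
    }


if __name__ == "__main__":
    print(run_demo())
```

The history check has to re-derive the candidate under every stored salt, which is why keeping the derivation deliberately slow (as a production round count would be) makes a 24-deep history noticeably more expensive than a single login; that cost is paid only on password change, so it is acceptable.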
Here are some techniques a system can follow to improve password security:
• Password Checkers: the system periodically runs its own password cracker to find guessable or weak passwords. Any password found is invalidated and the user is forced to choose a new one. A stronger variant checks a candidate password at the moment it is set, against a wordlist and lists of known-breached passwords, and rejects it before it ever takes effect.
• Password Generation: many operating systems can produce computer-generated passwords. Such passwords are reasonably random and can be made pronounceable so that users can remember them.
• Password Aging: in many systems a password can be given an expiry date, forcing users to change it at regular intervals.
• Limit Login Attempts: monitoring mechanisms count unsuccessful login attempts and, once a threshold is reached, lock the account completely or at least for a certain period. This prevents and discourages further attempts. Because a permanent lockout can itself be abused to lock legitimate users out, a temporary lockout or a rate limit is usually preferred.
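The login check described at the start of this section together with the attempt limit above, as an added example that is not part of the original slides. The in-memory "password file", the threshold of five attempts, the 15-minute lockout and the PBKDF2 round count are assumptions chosen for the demo.

```python
# Added example, not from the original slides: a minimal user name/password
# check against a salted password file, with a temporary lockout once the
# failure threshold is reached. MAX_FAILURES, LOCKOUT_SECONDS, PBKDF2_ROUNDS
# and the demo account are assumptions.
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 50_000
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60
DUMMY_SALT = b"\x00" * 16


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class PasswordFile:
    """Stores salt + hash per user, never the password itself."""

    def __init__(self):
        self.users = {}

    def add(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username.lower()] = {          # login IDs are case-insensitive
            "salt": salt, "hash": derive(password, salt),
            "failures": 0, "locked_until": 0.0,
        }

    def login(self, username: str, password: str, now: float = None) -> str:
        """Returns 'ok', 'fail' or 'locked'. An unknown user gets the same
        'fail' as a wrong password, so the response does not reveal which
        user names exist."""
        now = time.time() if now is None else now
        rec = self.users.get(username.lower())
        if rec is None:
            derive(password, DUMMY_SALT)          # burn the same time as a real check
            return "fail"
        if now < rec["locked_until"]:
            return "locked"
        if hmac.compare_digest(derive(password, rec["salt"]), rec["hash"]):
            rec["failures"] = 0                   # success resets the counter
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:       # threshold reached: temporary lockout
            rec["failures"] = 0
            rec["locked_until"] = now + LOCKOUT_SECONDS
            return "locked"
        return "fail"


if __name__ == "__main__":
    pf = PasswordFile()
    pf.add("Alice", "Correct-Horse-9!")
    print(pf.login("alice", "Correct-Horse-9!"))
    for _ in range(MAX_FAILURES):
        print(pf.login("alice", "guess"))
    print(pf.login("alice", "Correct-Horse-9!"))   # locked, even with the right password
```

Two details matter beyond the counter itself: `hmac.compare_digest` keeps the hash comparison constant-time, and the dummy derivation for unknown users keeps the timing of a "no such user" response indistinguishable from a wrong password, so an attacker cannot enumerate valid user names before starting to guess.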
Password Attacks:
• Most security problems involve the people in the system. People are the heart of any security system, and the technological controls they operate can usually be bypassed by human intervention.
• In computer security, social engineering describes a non-technical kind of intrusion. It relies mainly on human interaction and often involves tricking people into breaking normal security procedures.
• The following password attacks belong to this category:
1. Piggybacking:
• Piggybacking (also called tailgating) is the simple act of following closely behind a person who has just used their own access card or PIN to gain physical access to a room or building.
• The attacker thus gains access to the facility without knowing the access code or acquiring an access card.
• The same word is used for riding on someone else's logged-in session: an unattended workstation can be used by anyone who walks up to it. This form of piggybacking is defeated by logging out before walking away from a workstation or terminal, or by a screensaver that requires re-authentication when resuming.
• Piggybacking, in a wireless communications context, means the unauthorized use of someone else's wireless LAN.
2. Shoulder Surfing:
• Shoulder surfing uses direct observation, such as looking over someone's shoulder, to obtain information: the attacker positions themselves so as to watch the authorized user enter the correct access code or data.
• It is effective in crowded places, because it is easy to stand next to someone and watch as they fill out a form or enter a PIN at an ATM.
• It can also be done at a distance with binoculars, a camera or other vision-enhancing devices.
• Both piggybacking and shoulder surfing can be countered with simple procedures: make sure nobody follows you too closely or is in a position to observe your actions.
• To prevent shoulder surfing, shield paperwork or the keypad from view with your body or by cupping your hand.
3. Dumpster Diving:
• Attackers need a certain amount of information before launching an attack. Dumpster diving is the process of going through a target's trash to find small pieces of information. In information technology it is a technique used to retrieve information that can be used to attack a computer network.
• The search covers waste paper, electronic waste such as old hard disks, floppy disks and CDs, and the recycle and trash bins on the systems themselves.
• If the target has poor security processes, the attacker may find user IDs and passwords. Even a discarded old password is a valuable clue, because users often choose a new password that differs from the old one by only a character or two.
• Access codes, sticky notes, phone lists, calendars and organization charts all help an attacker gain access to the network.
• Destroy or remove unused information before it leaves the premises (shred paper, wipe or physically destroy storage media), so that dumpster divers learn nothing.
