Researching is critical to filling in your understanding of an idea; it helps you understand the scope of something and provides verification. The importance of going out into the world and consulting professional experts and amateur communities alike cannot really be overstated if your intent is to find out the objective truth, or something close to it. With that said, it is always helpful to consider what you know, or think you know, about a subject before embarking on the research journey. In the rest of this post I will discuss three things about password authentication that I already knew going into this project.
1: People will choose weak passwords if given the chance. This is probably a given to anyone even slightly technologically savvy: people tend to be lazy and will generally choose the quick, easy, unsafe option over the complex and difficult one, especially in password security, where the consequences of their choices may never confront them. Password requirements can help to alleviate this problem, but only if they are properly implemented.
2: Password dumps have changed the game for password crackers. With the sheer number of real-world password dumps publicly available, clever individuals have been able to craft hybrid password-cracking software that intelligently combines dictionary and brute-force attacks. For example, if one trend is that passwords tend to be two words followed by a four-digit year (probably 19xx), a rule such as {word1}{word2}{19xx} can be written to take advantage of it. These sorts of intelligent attacks will only improve with time as more passwords become available.
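The defensive counterpart to the {word1}{word2}{19xx} rule above is a password-policy check that refuses exactly the passwords such a rule would reach. The following is an added example, not code from the original post: it segments a candidate password into dictionary words (up to a configurable count) and an optional four-digit year, using a small constructed word list standing in for the large dictionaries a real deployment would load.

```python
import re

# Constructed stand-in for a real word list (a deployment would load a dictionary of
# tens of thousands of words, ideally drawn from the same dumps that feed cracking rules).
SAMPLE_WORDS = {"summer", "password", "hello", "world", "dragon", "love", "blue", "sky"}

# Letters optionally followed by a 19xx or 20xx year, the shape the post describes.
WORDS_THEN_YEAR = re.compile(r"^(?P<body>[a-z]+)(?P<year>19\d\d|20\d\d)?$")


def segment(body, words, max_words):
    """Split body into at most max_words dictionary words; return the list or None.

    Tries every prefix and backtracks, so 'summersky' becomes ['summer', 'sky'] even
    though no greedy choice is needed to find it here.
    """
    if body == "":
        return []
    if max_words == 0:
        return None
    for i in range(1, len(body) + 1):
        head = body[:i]
        if head in words:
            rest = segment(body[i:], words, max_words - 1)
            if rest is not None:
                return [head] + rest
    return None


def describe_weakness(password, words=SAMPLE_WORDS, max_words=2):
    """Return {'words': [...], 'year': '1987' or None} if the password is just
    dictionary words plus an optional year, otherwise None."""
    match = WORDS_THEN_YEAR.match(password.lower())
    if match is None:
        return None  # symbols or digits in the middle: not this pattern
    found = segment(match.group("body"), words, max_words)
    if found is None:
        return None
    return {"words": found, "year": match.group("year")}


def is_predictable(password, words=SAMPLE_WORDS, max_words=2):
    """Policy hook: True means the password should be rejected."""
    return describe_weakness(password, words, max_words) is not None


if __name__ == "__main__":
    for candidate in ["SummerSky1987", "helloworld", "xq7!Lm2#pz"]:
        print(candidate, "->", describe_weakness(candidate))
```

Raising max_words or replacing SAMPLE_WORDS with a real dictionary widens what the check catches; the return value of describe_weakness is meant for the feedback message a user sees when a password is rejected, so they learn what made it predictable rather than just that it failed.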
3: Software developers MUST make sure that their products stay up to date with current standards. As hashing algorithms and password authentication systems become obsolete, it is on the developers to bring their software up to date. I would never use a piece of software if I knew that it used outdated or vulnerable systems, but that information is hard to find (and should be).
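One concrete way developers keep stored password hashes current is to verify a login against whatever scheme the record was written with, then transparently re-hash the password under the current scheme before the user's session continues. The following is an added example, not code from the original post; the record format (scheme$iterations$salt$hash), the constructed unsalted-SHA-1 legacy record it migrates away from, and the PBKDF2 iteration count are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Current scheme and parameters (assumed values for this example; review them
# periodically, since "current" is exactly what goes stale over time).
CURRENT_SCHEME = "pbkdf2_sha256"
CURRENT_ITERATIONS = 600_000


def hash_password(password, iterations=CURRENT_ITERATIONS):
    """Produce a record in the current scheme with a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{CURRENT_SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def legacy_sha1_record(password):
    """Constructed example of an outdated record: unsalted SHA-1.
    Exists only so the migration below has something to migrate from."""
    return "sha1$" + hashlib.sha1(password.encode()).hexdigest()


def verify(password, stored):
    """Check a password against a record of any scheme this code still understands."""
    scheme, rest = stored.split("$", 1)
    if scheme == "sha1":
        actual = hashlib.sha1(password.encode()).hexdigest()
        return hmac.compare_digest(actual, rest)  # constant-time comparison
    if scheme == CURRENT_SCHEME:
        iterations, salt_hex, digest_hex = rest.split("$")
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(digest.hex(), digest_hex)
    raise ValueError(f"unknown password scheme: {scheme}")


def needs_rehash(stored):
    """True when the record is in an old scheme or uses weaker-than-current parameters."""
    scheme, rest = stored.split("$", 1)
    if scheme != CURRENT_SCHEME:
        return True
    return int(rest.split("$")[0]) < CURRENT_ITERATIONS


def login(password, stored):
    """Return (ok, upgraded_record). upgraded_record is a new record the caller
    must persist, or None when the existing record is already current."""
    if not verify(password, stored):
        return False, None
    if needs_rehash(stored):
        return True, hash_password(password)  # plaintext is in hand only at login
    return True, None


if __name__ == "__main__":
    record = legacy_sha1_record("correct horse battery")
    ok, upgraded = login("correct horse battery", record)
    print(ok, upgraded is not None and upgraded.startswith(CURRENT_SCHEME))
```

The key design point is that the upgrade can only happen at login, because that is the only moment the server holds the plaintext; records for users who never log in again stay in the old scheme, so a migration also needs a deadline after which unconverted records are invalidated and those users are forced through a reset.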