
Password-based identification and authentication is one of the basic and most widely used methods of user authentication in information systems. Here the information that authenticates the user is a secret password known only to the legitimate user. The combination of a user identifier and a password forms the main components of the user's account, and the password system's database holds the accounts of all users of the computer system. Password systems are often the "front line of defense" of system-wide security, yet some of their elements may be located where a potential attacker can reach them (including the database of user accounts).

For this reason the password system has become one of the most attractive targets for attack. The main security threats to password systems are the following:

1. Online password guessing.
2. Shoulder surfing (observing the password as it is entered).
3. Deliberate disclosure of the password by its owner to another person.
4. Theft of the account database followed by offline analysis and password recovery.
5. Password capture by planting malicious software (keyloggers) in the computer system, or by intercepting a password transmitted over the network.
6. Social engineering.

Many of the shortcomings of password systems stem from the human factor: users tend to choose passwords that are easy to remember (and therefore easy to guess), and to write down passwords that are hard to remember. A legitimate user may enter the password where outsiders can see it, or pass the password to another person either deliberately or by being misled. To reduce the harmful influence of the human factor, a number of requirements on the selection and use of passwords must be implemented:

1. Set a minimum password length, to hinder "head-on" guessing (brute force) and shoulder surfing.
2. Require characters from several different character groups, to make brute-force guessing harder.
3. Check candidate passwords against a dictionary and reject dictionary words, to hinder dictionary attacks.
4. Set a maximum password lifetime, to hinder brute-force guessing, including offline guessing against a previously stolen account database.
5. Apply a heuristic algorithm that rejects "bad" passwords, to hinder dictionary and heuristic guessing.
6. Limit the number of password attempts, to prevent online guessing.
7. Introduce a delay after an incorrect password is entered, to prevent online guessing.
8. Support forced password change, so that the maximum password lifetime can actually be enforced.
9. Prohibit user-chosen passwords and generate passwords automatically, to hinder heuristic guessing.

The strength of a password system can be assessed quantitatively using the following approach. Let:
A be the power (size) of the password alphabet, i.e. the number of characters that may be used in a password; for example, if only lowercase English letters are allowed, A = 26;
L be the length of the password;
S be the number of possible passwords of length L that can be composed from the alphabet A (S is also called the attack space);
V be the attacker's guessing speed;
T be the maximum password lifetime.

Then the probability P that an attacker guesses the password within its lifetime T is determined by the following formula. This formula can be inverted to solve the following problem:
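An added worked example, not part of the original article, carrying the assessment through in both directions in Python. It assumes the standard relations S = A^L and P = V·T / S (the page names the formula but does not display it), and the sample values (V = 10 guesses per second, as on a login path with a per-attempt delay; T = 30 days) are constructed.

```python
# Quantitative assessment of a password system, using the page's symbols:
#   A = alphabet size, L = password length, S = A^L (attack space),
#   V = attacker's guessing speed, T = maximum password lifetime,
#   P = V*T / S  (assumed standard relation; probability of a guess within T).

SECONDS_PER_DAY = 24 * 60 * 60


def attack_space(alphabet_size: int, length: int) -> int:
    """S = A^L: number of distinct passwords of length L over A symbols."""
    return alphabet_size ** length


def guess_probability(alphabet_size: int, length: int,
                      guesses_per_second: float, lifetime_seconds: float) -> float:
    """P = V*T / S, capped at 1.0 (an attacker cannot do better than certainty)."""
    guesses_in_lifetime = guesses_per_second * lifetime_seconds
    return min(1.0, guesses_in_lifetime / attack_space(alphabet_size, length))


def min_length(alphabet_size: int, guesses_per_second: float,
               lifetime_seconds: float, max_probability: float) -> int:
    """Inverse problem: smallest L such that P <= max_probability.

    From P = V*T / A^L we need A^L >= V*T / P_max; the loop uses exact
    integer powers rather than logarithms to avoid floating-point error.
    """
    required_space = guesses_per_second * lifetime_seconds / max_probability
    length = 1
    while attack_space(alphabet_size, length) < required_space:
        length += 1
    return length


if __name__ == "__main__":
    V = 10                        # constructed: 10 guesses/s (online, throttled)
    T = 30 * SECONDS_PER_DAY      # constructed: 30-day maximum password lifetime
    for A, L in ((26, 6), (95, 8)):
        p = guess_probability(A, L, V, T)
        print(f"A={A:3d} L={L}: S={attack_space(A, L)}  P={p:.3e}")
    for A in (26, 95):
        print(f"A={A:3d}: min L for P<=1e-6 is {min_length(A, V, T, 1e-6)}")
```

With lowercase letters only, six characters leave P above 8% for the constructed attacker; reaching P <= 10^-6 needs ten lowercase characters or seven printable-ASCII characters.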