How do you ensure that the user
chooses a sound password, of sufficient difficulty that attackers cannot use it as a
possible attack route? Furthermore, how do you deal with the inevitable event of the
user forgetting his password? Both topics are covered in detail in this section.
Testing Password Guessability with the CrackLib Library
In an ill-conceived effort to prevent forgetting their passwords, users tend to choose
something easy to remember, such as the name of their dog, their mother's maiden
name, or even their own name or age. Ironically, this practice often doesn't help users
to remember the password and, even worse, offers attackers a rather simple route
into an otherwise restricted system, either by researching the user's background and
attempting various passwords until the correct one is found, or by using brute force
to discern the password through numerous repeated attempts. In either case, the
password typically is broken because the user has chosen a password that is easily
guessable, resulting in the possible compromise of not only the user's personal data,
but also the system itself.
CHAPTER 14 ■ AUTHENTICATING YOUR USERS 381
Reducing the possibility that such easily guessable passwords are introduced
into the system is quite simple: turn the procedure of unchallenged
password creation into one of automated password approval, in which every candidate
password is checked for guessability before it is accepted.
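The following is an added example, not code from the book, showing what such an approval step looks like in PHP when CrackLib is consulted through the PECL crack extension; it assumes that extension is loaded and that the CrackLib dictionary path passed in ($dictPath, a placeholder that varies by distribution) exists.

```php
<?php
// Added example (not the book's code): automated password approval backed by
// CrackLib via the PECL crack extension. Assumes the extension is loaded and
// that $dictPath points at the CrackLib dictionary (placeholder path below).

function approvePassword(string $password, string $dictPath): array
{
    // crack_opendict() returns a dictionary resource, or false if it cannot be opened.
    $dict = crack_opendict($dictPath);
    if ($dict === false) {
        // Fail closed: with no dictionary available, approve nothing rather than
        // silently skipping the guessability check.
        return ['ok' => false, 'reason' => 'password dictionary unavailable'];
    }

    // crack_check() runs CrackLib's heuristics: minimum length, dictionary words,
    // simple transformations (reversal, appended digits, case changes), palindromes,
    // and passwords built from repeated characters.
    $ok = crack_check($dict, $password);

    // crack_getlastmessage() reports why the candidate was rejected, or
    // a success message when it passed.
    $reason = crack_getlastmessage();
    crack_closedict($dict);

    return ['ok' => $ok, 'reason' => $reason];
}

// Usage during registration or a password change. The candidates below are
// constructed sample inputs; the dictionary path is a placeholder.
$dictPath = '/usr/share/cracklib/pw_dict';
foreach (['password1', 'qwerty', 'Tr0ub4dor&3'] as $candidate) {
    $verdict = approvePassword($candidate, $dictPath);
    printf("%-12s -> %s (%s)\n",
        $candidate,
        $verdict['ok'] ? 'approved' : 'rejected',
        $verdict['reason']);
}
```

In a real registration form the rejection reason from crack_getlastmessage() can be shown to the user so they understand why the candidate was refused.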