Authentication: Something One Knows
Several significant threats are associated with the use of passwords:
- Shoulder surfing (= spying over the shoulder) at someone's keyboard.
- Reading the password off printer paper (e.g., a printed login record or a note kept next to the terminal).
- Sniffing the password in transit (e.g., on the network) or in RAM (i.e., reading main memory while the password is still stored there).
- Retrieving the authentication database and extracting the password: trivial if passwords are stored in plaintext or reversibly encrypted; if they are hashed, the attacker falls back to the offline guessing methods listed below.
- Hacking the password:
  - Guessing.
  - Exhaustive (= brute-force) attack: trying every possible password in a loop; the work grows with (alphabet size) raised to the password length.
  - Dictionary attacks: trying a set of commonly used passwords.
  - Inferring likely passwords (or answers to recovery questions) from the user's identity, personality, hobbies, etc.
  - Rainbow tables: precomputed tables for inverting unsalted password hashes, so one precomputation is reused against every stolen hash (a per-user salt defeats this reuse).
  - Finding out how a password is stored (e.g., plaintext, encrypted, hashed with or without a salt), which tells the attacker which of the above methods applies.
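The offline "hacking" methods above, as an added worked example that is not part of these notes: an attacker holds a stolen authentication database and runs a precomputed-table lookup, a dictionary attack, and a brute-force search against it. It assumes SHA-256 as the storage hash purely for illustration (real systems use a slow, salted password hash), a constructed word list, a constructed two-scheme database (unsalted vs. per-user salted), and a plain hash-to-password dictionary standing in for a rainbow table, which stores the same precomputation compressed into hash chains.

```python
# Added example (not from the original notes): offline attacks on a stolen
# authentication database, showing precomputed lookup, dictionary guessing
# and brute force, and why a per-user salt defeats the precomputed table.
import hashlib
import itertools
import os

# Constructed word list standing in for a real dictionary of common passwords.
WORDLIST = ["password", "letmein", "qwerty", "dragon", "sunshine", "abc123"]


def unsalted_hash(password: str) -> str:
    """Storage scheme 1 (weak): hash of the password alone. SHA-256 is used
    only for illustration; it is far too fast for real password storage."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Storage scheme 2: hash of a per-user random salt plus the password."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_precomputed_table(words):
    """Precomputation: hash every candidate once, before seeing any victim.
    A rainbow table stores this map compressed into hash chains; the attack
    idea (stored hash -> password lookup) is the same."""
    return {unsalted_hash(w): w for w in words}


def precomputed_lookup(table, stored_hash):
    """Rainbow-table style attack: one lookup per stolen hash, no hashing."""
    return table.get(stored_hash)


def dictionary_attack(stored_hash, salt, words):
    """Dictionary attack against a salted hash. The salt forces the attacker
    to redo the hashing for every user instead of reusing one table."""
    for w in words:
        if salted_hash(w, salt) == stored_hash:
            return w
    return None


def brute_force(stored_hash, salt, alphabet, max_len):
    """Exhaustive attack: every string over `alphabet` of length 1..max_len.
    Work is sum(len(alphabet) ** n for n in 1..max_len) hash evaluations."""
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            candidate = "".join(chars)
            if salted_hash(candidate, salt) == stored_hash:
                return candidate
    return None


def demo():
    """Run all three attacks against a constructed (fake) user database."""
    table = build_precomputed_table(WORDLIST)

    # Unsalted storage: alice and bob share a password, so they share a hash,
    # and one table lookup recovers both.
    unsalted_db = {"alice": unsalted_hash("letmein"), "bob": unsalted_hash("letmein")}
    unsalted_hits = {u: precomputed_lookup(table, h) for u, h in unsalted_db.items()}

    # Salted storage: same passwords, different hashes; the table misses.
    salted_db = {}
    for user, pw in [("alice", "letmein"), ("bob", "letmein"), ("carol", "4217")]:
        salt = os.urandom(16)
        salted_db[user] = (salt, salted_hash(pw, salt))
    table_hits = {u: precomputed_lookup(table, h) for u, (_, h) in salted_db.items()}

    # The attacker must now guess per user: dictionary first, then brute force
    # over a small space (digits, length <= 4) for what the dictionary missed.
    recovered = {}
    for user, (salt, h) in salted_db.items():
        found = dictionary_attack(h, salt, WORDLIST)
        if found is None:
            found = brute_force(h, salt, "0123456789", 4)
        recovered[user] = found
    return unsalted_hits, table_hits, recovered


if __name__ == "__main__":
    unsalted_hits, table_hits, recovered = demo()
    print("unsalted DB, table lookup:", unsalted_hits)
    print("salted DB, table lookup:  ", table_hits)
    print("salted DB, per-user guess:", recovered)
```

Run it as a script to see the three outcomes side by side: the unsalted database falls to a single table lookup for every user sharing a password, the salted database is immune to the table, and the attacker is pushed back to per-user dictionary and brute-force work, whose cost is exactly what a slow password hash is meant to multiply.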