Authentication is the identification of a specific user in order to provide them with access to the areas or data that they are permitted to use.
Authentication could be via a password, passcode, ID smart card, fingerprint or retina scan etc.
Passwords can be cracked by an attacker via different techniques including:
Brute Force Attack – This consists of attempting as many character combinations as possible in the hope that eventually the correct combination of the password will be found and access will then be granted.
A Dictionary attack is a form of brute force attack where all words contained within the dictionary are attempted as a list of possible passwords.
In order to make passwords more difficult to crack, standard dictionary words should not be used; a combination of letters, numbers and other characters should be used; and the password should be as long as possible. All of these make cracking the password more difficult. The password should also be changed regularly, and basic security practices, such as not writing the password down, should be followed.
When a password is reset, it should be done in a secure manner to ensure that the user is allowed to set it, for example by requiring them to enter their original password within the system before being permitted to change to the new one. The new password should not be communicated by the system once changed.
A Passcode (or Personal Identification Number, PIN) is normally 4 or 6 digits long, making it potentially easier to crack than a password when subjected to a brute force attack.
Manufacturers of mobile phones often employ this type of security to control access to their devices and, because of the potential for brute force attacks, often build in a limit on the number of incorrect attempts before the device is either locked or permanently erased.
Web Server Authentication
Microsoft Internet Information Server provides different methods for user authentication when attempting to access a web server.
Users can access a site anonymously, which provides access to a website with no requirement for a user name or password. This uses an account named IUSR, whose password is controlled by the Information Server.
Basic authentication can be used and requires a user name and password that is sent in plain text (Base64 encoding only) and is therefore regarded as an insecure method of authentication. Digital certificates can be used if the user name and password need to be encrypted.
Integrated Windows authentication was previously known as NTLM authentication. If the user is prompted to enter a user name and password, the details are not transmitted to the server, and no further authentication is required if the user has logged onto the computer as a domain user.
Digest Authentication sends the password in an encrypted format through a challenge/response mechanism, which is also used by Integrated Windows Authentication. This type of authentication requires IE5 or later.
Client Certificate Mapping uses a digital certificate that is mapped to the user account via Active Directory or by using rules within the Internet Information Server.
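The following Python is an added example, not code from the original article, showing why Basic authentication is regarded as insecure and how a Digest challenge/response differs: the Basic header decodes straight back to the user name and password, whereas the Digest response is a hash bound to a server-issued nonce, so the password itself is never put on the wire. The user name, password, realm, URI and nonce are constructed values for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample values for illustration; not taken from the original article.
USERNAME = "alice"
PASSWORD = "S3cret!pass"
REALM = "example.local"


def build_basic_header(user: str, password: str) -> str:
    """Build the Authorization header a browser sends for Basic authentication."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_header(header: str) -> tuple[str, str]:
    """Recover the user name and password from a Basic Authorization header.

    Base64 is an encoding, not encryption: anyone who can read the header,
    e.g. on a plain HTTP connection, recovers the credentials directly.
    """
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user: str, realm: str, password: str,
                    method: str, uri: str, nonce: str) -> str:
    """Client side of RFC 2617 Digest (no qop): only this hash is sent, and it
    is tied to the nonce the server issued, so a captured value cannot simply
    be reused against a fresh challenge."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def server_verify_digest(stored_ha1: str, method: str, uri: str,
                         nonce: str, response: str) -> bool:
    """Server side: recompute the expected response from the stored H(A1) and
    the nonce it issued, then compare in constant time."""
    ha2 = _md5(f"{method}:{uri}")
    expected = _md5(f"{stored_ha1}:{nonce}:{ha2}")
    return hmac.compare_digest(expected, response)
```

Calling `parse_basic_header(build_basic_header(USERNAME, PASSWORD))` returns the clear-text pair, while `digest_response(...)` returns only a 32-character hex digest that the server checks with `server_verify_digest` using the H(A1) it stores.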
Other Types of Authentication
A digital certificate is an electronic document that contains the user's details together with a public key, and can be used to distinguish one specific user from another.
A Smart Card is a credit card sized card containing a memory storage device that can hold a digital certificate, allowing authentication of the specific user when the card is placed in a smart card reader connected to the security access system.
A security token may be a USB device or key fob that contains a password or digital certificate and can be used to authenticate the user when inserted into the system to be accessed.
When Biometrics are used as a form of authentication, an individual can be identified from a physical characteristic such as a fingerprint, facial features or retina, among others. However, these types of system often fail to identify the user when they should (false negative) and may identify a user when they should not (false positive).
About Athena Forensics
For information on our digital forensic services or if you require any advice or assistance please contact a member of our team on 0330 123 4448 or via email on firstname.lastname@example.org; further details are available on our contact us page.