Next: User Problems: Up: Changing Passwords Previous: Security Measure:

Security Goals:

Password-guessing attacks such as the common dictionary attack are hindered by the ``moving target'' of the changing password. Dictionary attacks occur when an attacker attempts to guess the password using a ``dictionary'' of common passwords to make educated guesses. This can be compared to a brute force attack, in which the attacker tries all possible passwords. Since dictionary attacks and brute force attacks require either significant amounts of computing power or time, the idea is to change the password before an attacker can guess it.
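The ``moving target'' argument above only holds when the change interval is shorter than the time an attacker needs to exhaust the candidate space. The following Python model makes that comparison explicit; it is an added illustration, not code from the original document, and the guess rates, dictionary size and 90-day interval it uses are constructed sample values (the function names `brute_force_space`, `fraction_searched` and `max_rotation_seconds` are this example's own).

```python
"""Model: does a password-change interval outpace a guessing attack?

Two attack styles from the text are compared against one rotation interval:
  - a dictionary attack, which only needs to try the words in its list, and
  - a brute force attack, which must search the whole keyspace.
All numeric inputs below are constructed for illustration.
"""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class GuessingAttack:
    name: str
    candidates: int            # guesses needed to exhaust the candidate space
    guesses_per_second: float  # sustained rate the attacker can achieve


def brute_force_space(alphabet_size: int, length: int) -> int:
    """Number of passwords an exhaustive search must cover."""
    return alphabet_size ** length


def seconds_to_exhaust(attack: GuessingAttack) -> float:
    """Worst case for the attacker: time to try every candidate."""
    return attack.candidates / attack.guesses_per_second


def fraction_searched(attack: GuessingAttack, rotation_seconds: float) -> float:
    """Share of the candidate space covered before the password changes.

    If the password is drawn uniformly from that space, this is also the
    probability it is guessed before rotation; capped at 1.0 once the
    attacker can exhaust the space inside the interval.
    """
    guesses = attack.guesses_per_second * rotation_seconds
    return min(1.0, guesses / attack.candidates)


def max_rotation_seconds(attack: GuessingAttack, acceptable_risk: float) -> float:
    """Longest interval that keeps the guess-before-rotation risk at or below
    acceptable_risk, i.e. solves fraction_searched(...) == acceptable_risk."""
    return acceptable_risk * attack.candidates / attack.guesses_per_second


# Constructed sample attacks: a throttled online guesser (10 guesses/s)
# working from a one-million-word list, and the same guesser against an
# 8-character password over a 62-symbol alphabet.
DICTIONARY_ATTACK = GuessingAttack("dictionary", 1_000_000, 10.0)
BRUTE_FORCE_ATTACK = GuessingAttack("brute force", brute_force_space(62, 8), 10.0)
ROTATION_90_DAYS = 90 * SECONDS_PER_DAY


def report(attack: GuessingAttack, rotation_seconds: float) -> str:
    days = seconds_to_exhaust(attack) / SECONDS_PER_DAY
    frac = fraction_searched(attack, rotation_seconds)
    return (f"{attack.name}: exhausts space in {days:.2f} days; "
            f"fraction covered before rotation = {frac:.2e}")


if __name__ == "__main__":
    for atk in (DICTIONARY_ATTACK, BRUTE_FORCE_ATTACK):
        print(report(atk, ROTATION_90_DAYS))
    limit = max_rotation_seconds(DICTIONARY_ATTACK, 0.01)
    print(f"to hold dictionary risk at 1%, rotate at least every {limit:.0f} s")
```

With these numbers the dictionary list is exhausted in about a day, so a 90-day change interval gives the attacker the whole interval to succeed and the ``moving target'' buys nothing; holding the risk at one percent would require changing the password roughly every seventeen minutes. Against the full 62-symbol keyspace the same attacker covers a negligible fraction in 90 days, which is the keyspace doing the work rather than the rotation.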

There is also hope that this will reduce the risk of undetected security intrusions. In theory, any attacker who gains access will lose it when the password is changed.

Unfortunately, this seems unlikely to help in many cases. Although it is possible that changing the password after an intrusion has occurred will oust the attacker, it is usually trivial for an attacker to install malicious code on the system once he or she has gained access. This could be a ``back door'' so that the attacker can get in again without needing a regular user's password, or something that logs all the keystrokes a user makes, including those involved in changing the password. As such, changing the password is not usually sufficient once an intrusion has occurred, and should not be counted upon to limit the damage from undetected intrusions.


Terri 2004-01-05