Risks associated with Password based authentication
Whitepaper

Password-based authentication is one of the most popular approaches to authenticate a user in various enterprise applications. But there are many problems associated with password based authentication systems, and using passwords as the authentication mechanism for enterprise applications is not completely secure.

Considering all the risks associated with password based authentication systems, there is a strong need for enterprises to switch to a stronger authentication system which provides security against the various hacking attacks and which is also more convenient and easier for the end user of the system.

PASSWORD PROBLEM

The problem that secure passwords are difficult to remember, while easy-to-remember passwords are easy to break in most cases, is referred to as the Password Problem.

IDEAL PASSWORD

Today, from a security standpoint, the ideal password is a string of eight or more random characters which includes digits, letters with a mixture of upper and lower case, and special characters; it is not a dictionary word and is not related to personal information such as a social security number, street address, or birth date.

Challenges with Password based Authentication:

1. Easy passwords can be cracked

The end user's behaviour, such as choosing passwords that are easy to remember, introduces the majority of password weaknesses. For a hacker, these passwords can easily be cracked or guessed. Surveys show that frequent passwords are the word 'password', personal names of family members, names of pets, and dictionary words.

2. Random passwords can't be remembered

A random password should have no content or context and should not be familiar. It can only be learned by using it over and over again. However, since repetition is a weak way of remembering, users often completely ignore the recommendations for pseudo-random passwords.

3. Remembering Multiple Passwords

Moreover, today's users have to remember more than one password for computers, mail accounts, social media applications, online banking, and much more. A survey of IT professionals found that the average IT professional has to remember approximately five to six passwords, and almost 25% of IT professionals have to manage eight or more passwords. The more passwords a person has to remember, the lower the chance of remembering any specific password. Having multiple passwords also increases the chance of interference among similar passwords. This is especially true for systems that are not used frequently.
4. Problems with passwords that need to be continuously changed

Computer systems require frequent password changes to make the system robust against various attacks. Common policies require that passwords are changed every 30 or 90 days. However, the more frequently a password has to be changed, the harder it will be to remember. Users must think of new passwords that conform to all of the organization's requirements but that are also easy to remember. System-enforced password policies, however, cannot guarantee password secrecy.



5. Security vs. Ease-of-Use for Passwords

To "solve" the Password Problem, users will try to decrease the memory burden at the expense of security. Most commonly, the user will write down passwords, raising the potential for compromise of the passwords. In the case of multiple systems, users may choose only one password for all systems. This reduces security: if the password is broken for one computer system, every single computer system is compromised. Alternatively, users create their own rules to generate multiple passwords that have something in common, for example adding a digit to a base word for each new password, which is also an unsafe method. Weak passwords can be broken by dictionary attacks or attacks based on knowledge about the password owner. Because of password-cracker programs, users need to create unpredictable passwords, which are more difficult to memorize.
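As an added example that is not part of the whitepaper, the following Python check enforces the ideal-password criteria from the sidebar and rejects the weak patterns named in sections 1, 2 and 5: common or dictionary words (including leet-style substitutions), personal information, and the "base word plus a digit" scheme. The wordlist, the sample passwords and the entropy estimate are constructed here for illustration; a real deployment would load a large dictionary and a breach list.

```python
import math
import re
import string
from dataclasses import dataclass

# Constructed sample wordlist for illustration only; a real deployment would
# load a large dictionary plus a list of passwords seen in breaches.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "dragon"}

# Common character substitutions, undone so that "p@ssw0rd" is caught as "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s"})


@dataclass
class Verdict:
    ok: bool
    reasons: list
    entropy_bits: float  # only meaningful when the characters really are random


def _normalise(pw: str) -> str:
    return pw.lower().translate(LEET)


def _base_word(pw: str) -> str:
    """Strip trailing digits/symbols, then undo leet: 'Summer2024!' -> 'summer'."""
    return _normalise(re.sub(r"[\W\d_]+$", "", pw))


def _pool_size(pw: str) -> int:
    """Size of the alphabet the password draws from, for the entropy estimate."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return size


def check_password(pw, personal=(), previous=()):
    """Apply the ideal-password rules plus the weak patterns the whitepaper names.
    personal: strings such as a pet's name or street; previous: earlier passwords."""
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        reasons.append("needs both upper and lower case")
    if not any(c.isdigit() for c in pw):
        reasons.append("needs a digit")
    if not any(c in string.punctuation for c in pw):
        reasons.append("needs a special character")
    norm, base = _normalise(pw), _base_word(pw)
    if norm in COMMON_WORDS or base in COMMON_WORDS:
        reasons.append("dictionary word or common password")
    for item in personal:  # e.g. pet name, street, birth year
        if len(item) >= 3 and (item.lower() in pw.lower() or item.lower() in norm):
            reasons.append(f"contains personal information '{item}'")
    for old in previous:  # catches the "base word + new digit" rotation scheme
        if base and base == _base_word(old):
            reasons.append("same base word as a previous password")
            break
    pool = _pool_size(pw)
    bits = len(pw) * math.log2(pool) if pool else 0.0
    return Verdict(not reasons, reasons, bits)
```

The entropy figure assumes every character was drawn uniformly from the detected alphabet, which is exactly the random password the sidebar describes; for a human-chosen password it overstates the real strength.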



6. Shoulder Surfing Attack

Shoulder surfing is looking over someone's shoulder when they enter a password or a PIN code. It is an effective way to get information in crowded places because it is relatively easy to stand next to someone and watch as they fill out a form, enter a PIN at an ATM, or use a calling card at a public pay phone. Shoulder surfing can also be done at a distance with the aid of binoculars or other vision-enhancing devices to observe the password. Shoulder surfing works easily against a password system, simply by watching the keys that the user types.




7. Keyloggers

- Keyloggers are the best-known example of spyware: they are installed on the victim's machine without the user's knowledge and monitor all keystrokes. Keyloggers come in one of two forms: a hardware device, or a small program (spyware).
- As a hardware device, a keylogger is a small battery-sized plug that serves as a connector between the user's computer and keyboard. As the device resembles an ordinary keyboard plug, it is relatively easy to physically hide such a device "in plain sight." As the user types, the device collects and saves the keystrokes as text in its own memory. At a later point in time, the person who installed the keylogger must return and physically remove the device in order to access the information it has gathered.
- On the other hand, a keylogger program does not require physical access to the user's computer. It can be downloaded deliberately by someone who wants to monitor activity on a particular computer, or it can be downloaded accidentally as spyware and executed as part of a remote administration tool (RAT) Trojan horse.
- The keylogger program records each keystroke the user types and periodically uploads the information over the Internet to the person who installed the program. Once the hacker gets the information from the keylogger, the hacker can mimic the actual user, and there is no way the authentication server can distinguish the real user from the hacker.



Conclusion:

Considering all the above factors, password based authentication is no longer sufficient for the security needs of any enterprise. So there is a growing trend among many enterprises globally to move to a stronger authentication solution which provides a high level of security without compromising the user's convenience. ArrayShield IDAS Two Factor Authentication protects organizations from identity and data theft, and hence provides peace of mind.




                                            ABOUT ARRAYSHIELD
Array Shield Technologies is the maker of software security products in the
area of Multi-Factor Authentication. The company’s mission is to provide highly
secure, cost effective and easy to use software security solutions globally.

For more information, visit us at www.arrayshield.com



