5. Password Vulnerabilities and Attacks
This section briefly reviews relevant concepts relating to the use of passwords for authentication, focusing on those that are important to section 6. General concepts relating to online authentication are found in the Authentication Key Strengths Standard.
A number of possible vulnerabilities arise from the use of passwords:
- they could be guessed
- they could be forgotten
- they could be shared
- they could be written down and subsequently lost or stolen.
Measures mitigating one of these vulnerabilities can increase exposure to another. For example, strong passwords can be difficult to remember and this may lead to their being forgotten or written down and subsequently stolen.
5.1 Password attacks
The primary attacks against passwords considered in this Standard are brute force guessing attacks, common password attacks, dictionary attacks, and pre-knowledge guessing attacks. The use of strong passwords, system protection of password files, and logon failure management measures provides protection against such attacks. Logon audit requirements must be sourced from the Authentication Key Strengths Standard. Authentication protocol attacks for the exchange of the password between the customer and the verifier are also covered in the Authentication Key Strengths Standard.
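To make the two defensive measures named above concrete, the following is an added example (not code from the Standard or from any agency): a screening check that rejects candidates exposed to common-password and pre-knowledge guessing, salted PBKDF2 hashing as one form of protecting the password file, and a per-account logon failure manager that limits how many guesses a verifier will actually check. The common-password list, the policy values (minimum length, failure threshold, lockout period, iteration count) and the account names are constructed for illustration and are not values the Standard specifies.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed sample of commonly guessed passwords (illustrative only; a
# deployment would load a large breach-derived list).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Assumed policy values for this example; the Standard sets no numbers here.
MIN_LENGTH = 12
MAX_FAILURES = 5
LOCKOUT_SECONDS = 900
PBKDF2_ITERATIONS = 100_000


def password_weaknesses(candidate: str, username: str = "") -> list:
    """Reasons a candidate password is easy to guess; an empty list means it passed."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:                       # brute force guessing
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if lowered in COMMON_PASSWORDS:                       # common password attack
        problems.append("appears in common-password list")
    if username and username.lower() in lowered:          # pre-knowledge guessing
        problems.append("contains the username")
    return problems


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256: a stolen password file still resists offline guessing."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the recomputed digest against the stored one."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class LogonFailureManager:
    """Per-account failed-logon counter with a temporary lockout."""
    failures: dict = field(default_factory=dict)      # username -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # username -> lockout expiry (seconds)

    def is_locked(self, user: str, now: float) -> bool:
        return self.locked_until.get(user, 0) > now

    def record_failure(self, user: str, now: float) -> bool:
        """Count a failure; return True if this one triggered a lockout."""
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures[user] = 0
            return True
        return False

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)
        self.locked_until.pop(user, None)


def attempt_logon(manager: LogonFailureManager, store: dict,
                  user: str, password: str, now: float) -> str:
    """Return 'locked', 'ok' or 'failed'; the password is only checked when not locked."""
    if manager.is_locked(user, now):
        return "locked"
    entry = store.get(user)
    if entry is not None and verify_password(password, *entry):
        manager.record_success(user)
        return "ok"
    manager.record_failure(user, now)   # unknown accounts are counted too
    return "failed"


def count_verified_guesses(store: dict, user: str, guesses: list,
                           start: float = 0.0, step: float = 1.0) -> int:
    """How many guesses in a list the verifier actually checks before lockout stops the rest."""
    manager = LogonFailureManager()
    verified = 0
    for i, guess in enumerate(guesses):
        if attempt_logon(manager, store, user, guess, start + i * step) != "locked":
            verified += 1
    return verified


if __name__ == "__main__":
    store = {"alice": hash_password("correct horse battery staple")}   # constructed account
    print(password_weaknesses("alice2024", "alice"))
    print(count_verified_guesses(store, "alice", ["wrong%d" % i for i in range(20)]))
```

The `count_verified_guesses` run shows the trade-off the section opened with: with the assumed threshold of five failures, only five of twenty guesses made a second apart are ever verified, but the same lockout lets anyone who knows a username deny that customer access for the lockout period, so the threshold and period are policy choices rather than a free win.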
5.2 Other attacks
Strong passwords do not afford protection against key logger, phishing and shoulder surfing attacks. These attacks relate to the use of passwords and are forms of general attacks considered in the Authentication Key Strengths Standard.
Education and advice for the customer are methods to combat these attacks. For example, advice on key logger attacks would cover the security of the customer’s computing environment, while education mitigates threats from phishing and shoulder surfing attacks.
This list of attacks is not exhaustive; attacks continue to evolve and new ones are developed. Agencies implementing online services are advised to contact the Centre for Critical Infrastructure Protection or the GCSB, in addition to referring to SIGS, NZSIT 400, AS/NZS ISO/IEC 17799:2006, AS/NZS ISO/IEC 27001:2006 and SAA/SNZ HB 231:2004. Appendix A provides more information on password advice for online service customers.
