Types of Attacks:

• Cracking – the act of guessing a user’s password

• Brute-force attack – a hacker makes a series of attempts to crack a user’s password and achieve a successful login

• Dictionary attack – the hacker uses a wordlist containing known or suspected passwords to increase the chance of a successful guess.

  A hacker can add entries to their dictionary by:

                      – Identifying common words, such as password
  
  
                              – Spidering, or searching an organization’s website to identify common terms                             within the organization
  
                         – Obtaining known passwords from a successful hack of a different site
  

Hashing:

An algorithm is used to generate a number called a hash, from a text string

• Hashing helps to secure passwords because a hash cannot be decrypted back to its original form.
• To crack a hashed password, hackers use a rainbow table attack

A password is considered weak if it meets one of the following conditions:

– The password is less than eight characters long

– The password consists of only one type of characters, such as only letters

– The password is a common word or phrase

– The password contains repeated characters or simple sequences

– The password contains common character substitutions

The Frequently required policies section is divided into four parts

• Password policies govern the strength of user passwords
• CAPTCHA policies test whether a person entered the password
• Lockout policies define system behavior when a user enters an incorrect password. Lockouts can slow or prevent a brute-force attack
• Audit policy determines the amount of detail written to the system log for a security issue

Other policies

• The settings in the Other policies section of the Security Policies tab allow you to implement multi-factor authentication and disable access for unused user accounts.