How easy is to break password protection: A preliminary empirical study

摘要

Background: These days, users are given access to information system functionalities through several security mechanisms, passwords being the most common form of access. There are many policies and rules, some stricter than others, to create passwords; however, they still remain vulnerable to attacks. Goal: In order to find out: the vulnerabilities of different passwords complexity levels created for this study, types of passwords used in attacks, and types of attackers and their origins; we conducted an empirical study. Method: This research was conducted through a controlled experiment. The study was based on honeypots emulating a SSH server, which was exposed to attacks for approximately 30 days on the Internet. Results: A large number of attacks were recorded, which were not capable of breaching any passwords complexity level. Conclusion: Although some attacks were carried out by means of sophisticated tools, none password complexity level was breached. We believe that it could be due to the experiment's duration was too short, or that the attackers simply did not have enough motivation to persist in the attempt to breach the access password to a site possibly listed as unattractive.