Some system administrators and users decide not to use a username
and password. This is obviously the least secure option. A network intruder
only has to discover the access method to gain access to the networked
system.
A static username/password authentication method remains the same
until changed by the system administrator or user. This method is susceptible
to playback attacks, eavesdropping, theft, and password cracking programs.
Furthermore, because the password remains the same, once an attacker has access
to the password, and subsequently to the network, the attacker will continue to
have access until the administrator or user chooses to change it.
With the aging username/password authentication method, the user is forced to
change the password after a set time, usually 30 to 60 days. While this method
mitigates some risk, it is still susceptible to playback attacks,
eavesdropping, theft, and password cracking until the password is changed.
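The following is an added example, not code from the original text: it models the static and aging username/password methods described above and measures how long a leaked password remains usable under each. The user name, password, dates and the 60-day aging period are constructed for the demonstration.

```python
# Added example (not from the page): models the static and aging username/
# password methods and shows how long a password leaked on day 0 stays valid.
# User name, password and dates are constructed sample values.
import hashlib
import hmac
import os
from datetime import datetime, timedelta

ITERATIONS = 100_000  # PBKDF2 work factor for the stored password hash


class PasswordStore:
    """max_age_days=None models the static method; a number models aging."""

    def __init__(self, max_age_days=None):
        self.max_age = (timedelta(days=max_age_days)
                        if max_age_days is not None else None)
        self.users = {}  # username -> (salt, pbkdf2 digest, time password set)

    def set_password(self, username, password, now):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        self.users[username] = (salt, digest, now)

    def authenticate(self, username, password, now):
        """Return 'OK', 'EXPIRED' (aging forces a change) or 'DENIED'."""
        record = self.users.get(username)
        if record is None:
            return "DENIED"
        salt, digest, set_at = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        if not hmac.compare_digest(candidate, digest):
            return "DENIED"
        if self.max_age is not None and now - set_at > self.max_age:
            return "EXPIRED"  # still the right password, but a change is forced
        return "OK"


def leaked_password_outcomes(max_age_days, check_days):
    """Outcome of presenting a password leaked on day 0 on each day in check_days."""
    t0 = datetime(2024, 1, 1)  # constructed date the password was set
    store = PasswordStore(max_age_days)
    store.set_password("alice", "s3cret-pass", t0)  # constructed credential
    return [store.authenticate("alice", "s3cret-pass", t0 + timedelta(days=d))
            for d in check_days]


if __name__ == "__main__":
    days = [1, 30, 61, 365]
    print("static :", leaked_password_outcomes(None, days))  # all 'OK'
    print("aging60:", leaked_password_outcomes(60, days))    # OK, OK, EXPIRED, EXPIRED
```

Under the static method the leaked password works indefinitely; under 60-day aging the same password is refused once the change is forced, which is the narrowing of the exposure window the paragraph above describes.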
Authentication of usernames and passwords is commonly used with secure
Internet applications. For example, some Cisco Connection Online (CCO)
applications require a user to be registered and possess a username and
password assigned by CCO. When the user accesses a secure CCO application using
a Web browser, the application will cause the Web browser to display a window
requesting a username and password. The username and password can be validated
using an AAA security server.
An example of dialup authentication using username and password
authentication is shown in Figure . On the client end, the Windows 2000 LAN
connection prompts the user for a username and password, which are sent over
communication lines using TCP/IP and PPP to a remote NAS or a security server
for authentication.