IT Baseline Protection Manual T 5.9 Unauthorised use of IT systems

T 5.9 Unauthorised use of IT systems

Without mechanisms for identifying and authenticating users, there is practically no way to control unauthorised use of IT systems. Even on IT systems that do provide identification and authentication in the form of user IDs and password checks, the risk of unauthorised use remains if user IDs and passwords are disclosed.

To discover a secret password, an unauthorised person can simply type a plausible password at the log-in prompt. The system's response then reveals whether that password was correct. In this way, passwords can be found by trial and error.

A far more efficient approach, however, is to pick one likely word as the password and try it against every user ID in turn. Given a large enough number of users, a valid combination is often found this way, and each account sees only a single failed attempt.

If the identification and authentication function can be driven by a program, the attempts can even be automated: a program systematically tries every conceivable password, or every word in a dictionary, without human intervention.

Example:

In 1988, the Internet worm (the Morris worm) recovered valid passwords on the Unix systems it reached even though the passwords were not stored in clear text. On the Unix systems of the time, the password file with its one-way encrypted (hashed) passwords was readable by every user, so the worm ran each entry of a built-in word list through the local password-encryption function, crypt(3), and compared the result with the stored values. Wherever the two matched, a valid password had been found.
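The following is an added example, not part of the BSI text and not the worm's code, that shows the offline dictionary attack described above together with the word-first ordering from the earlier paragraph: the outer loop runs over candidate words, the inner loop over the accounts. The "password file", the word list and the one-way function are all constructed for this example; the one-way function is a salted SHA-256 standing in for the crypt(3) of the time, not the real algorithm. The example also goes slightly beyond the text by counting how many hash computations the attack needs, which shows why a per-account salt matters: each word must then be hashed once per distinct salt rather than once in total.

```python
import hashlib
from typing import Dict, List, Tuple


def one_way(salt: str, password: str) -> str:
    """Stand-in for the system's one-way password function.

    Constructed for this example: salted SHA-256 truncated to 22 hex
    characters. It is NOT crypt(3); only the property matters here, namely
    that the plaintext cannot be read back but any guess can be re-encoded
    and compared.
    """
    return hashlib.sha256((salt + password).encode()).hexdigest()[:22]


def make_entry(salt: str, password: str) -> str:
    """Build a 'salt$hash' field as a world-readable password file would hold it."""
    return salt + "$" + one_way(salt, password)


# Constructed sample password file: user -> salt$hash, no clear text stored.
SAMPLE_PASSWD: Dict[str, str] = {
    "alice": make_entry("ab", "wombat"),
    "bob": make_entry("cd", "qwerty"),
    "carol": make_entry("ef", "Xk9#vP2!mQ"),   # not in the word list
    "dave": make_entry("gh", "dragon"),
}

# Constructed word list, standing in for the worm's built-in dictionary.
SAMPLE_DICTIONARY: List[str] = [
    "password", "qwerty", "wombat", "letmein", "dragon", "123456",
]


def dictionary_attack(passwd: Dict[str, str],
                      dictionary: List[str]) -> Tuple[Dict[str, str], int]:
    """Offline dictionary attack against stored one-way passwords.

    Word-first ordering, as in T 5.9: take one candidate word, encode it
    with every salt present in the file, and look for any account whose
    stored value matches. Returns (user -> recovered password, number of
    one-way computations performed).
    """
    # Group accounts by salt so a word is encoded once per distinct salt.
    by_salt: Dict[str, Dict[str, str]] = {}
    for user, entry in passwd.items():
        salt, digest = entry.split("$", 1)
        by_salt.setdefault(salt, {})[digest] = user

    recovered: Dict[str, str] = {}
    computations = 0
    for word in dictionary:
        for salt, digests in by_salt.items():
            candidate = one_way(salt, word)
            computations += 1
            user = digests.get(candidate)
            if user is not None and user not in recovered:
                recovered[user] = word
    return recovered, computations


def unsalted_cost(passwd: Dict[str, str], dictionary: List[str]) -> int:
    """Hash computations the same attack would need if every entry shared one salt."""
    return len(dictionary)


if __name__ == "__main__":
    found, cost = dictionary_attack(SAMPLE_PASSWD, SAMPLE_DICTIONARY)
    for user, pw in sorted(found.items()):
        print(f"{user}: {pw}")
    print(f"{cost} one-way computations with per-account salts, "
          f"{unsalted_cost(SAMPLE_PASSWD, SAMPLE_DICTIONARY)} with a shared salt")
```

Three of the four constructed accounts fall to the six-word list; the one password not in the list is untouched, which is exactly the limit of a dictionary attack. The counter shows the cost scaling with the number of distinct salts: four salts times six words here, versus six computations if all entries shared a salt.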


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik