Weak Passwords
There is a constant trade-off between password strength and ease of use. Any software system that relies on passwords carries a security risk. The problem becomes worse when passwords are handled poorly, but handling them correctly mitigates many of the problems associated with a weak authentication mechanism.
Password-based systems suffer from many problems. Here are some examples:
The password is a portable, single-factor authentication method that can be compromised by tricking the user into revealing the password.
Weak and iterated passwords: weak passwords are easily guessed by an attacker.
Any compromised password will remain compromised indefinitely if passwords are not changed frequently.
The default passwords that are provided to users are common, irrespective of the user.
In a replay attack, someone is able to obtain the traffic between the user and server application and then send the packets again to obtain the same access as the user.
Password storage and brute force attacks: stored passwords are at risk if the storage is compromised, because they can then be attacked by brute force.
If user names are disclosed, an attacker's guessing attempts are easier to filter down to valid accounts, and password cracking can occur more frequently.
To improve password security, the remediation steps are as follows:
Passwords should not be stored in memory for longer than necessary if your application handles them.
Your application should enforce password complexity, history, and length requirements.
Passwords should not be set by default.
Encapsulating authentication attempts inside of a protected channel, such as SSL/TLS or IPSec, is the primary defence against replay attacks.
As a first step in preventing online attacks, it is important to not disclose user names to attackers. Their task is significantly more difficult if they must guess both user names and passwords.
Forgotten passwords should be handled by allowing a reset; never return the existing password.
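The remediation steps above worked into a small Python password service, added here as an example rather than code from the original page: it enforces length, complexity and history (checked against salted hashes, never plaintext), creates no default passwords, and returns the same login error whether or not the user name exists. The UserStore class, its policy constants and the sample accounts are hypothetical.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 12    # length requirement (hypothetical policy value)
HISTORY_DEPTH = 5  # how many previous passwords may not be reused

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). Plaintext is never stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def verify_password(password, salt, digest):
    # Constant-time comparison of the recomputed digest against the stored one.
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def policy_violations(password, history):
    """Return the reasons a candidate password is rejected (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    if sum(any(c in cls for c in password) for cls in classes) < 3:
        problems.append("needs 3 of: lower, upper, digit, punctuation")
    # History check compares against stored salted hashes, never plaintext.
    if any(verify_password(password, s, d) for s, d in history[-HISTORY_DEPTH:]):
        problems.append("reused recent password")
    return problems

class UserStore:
    def __init__(self):
        self.users = {}  # username -> list of (salt, digest), newest last; no defaults

    def set_password(self, username, password):
        history = self.users.get(username, [])
        problems = policy_violations(password, history)
        if not problems:
            self.users[username] = history + [hash_password(password)]
        return problems

    def login(self, username, password):
        # Identical response for an unknown user and a wrong password, so the
        # login form does not disclose which user names exist.
        history = self.users.get(username)
        if history is None:
            verify_password(password, b"\0" * 16, b"\0" * 32)  # equalise work done
            return "invalid credentials"
        salt, digest = history[-1]
        return "ok" if verify_password(password, salt, digest) else "invalid credentials"
```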