Password$-$based authentication is still the most popular method of access control. Methods based

on passwords have numerous advantages: low implementation cost, ease of passwords

change, reconfigurability, lack of any external systems to depend on$.$ Passwords can be

memorized, so it is not easy to steal them, unlike tokens or ID cards. Passwords are hard to recover,

for example by means of reverse engineering, on condition that the password satisfies certain

quality criteria. Passwords, which are short or too simple to guess, must not be used. This

laboratory session aims to show the vulnerabilities to password$-$based authentication. We will

evaluate passwords, which are too short or too simple. Short phrases or dictionary words must be

avoided. This laboratory is not a hacking tutorial $$its sole objective is to show, that common

software can be used to break a password by brute force attack or to recover it by other means,

such as a dictionary attack. The lab also aims to show that strong passwords need to be enforced

in all systems as a common security control, by means of an appropriate security policy.