Passwords
Passwords are strings of characters used to authenticate a user's identity and grant access to a system or account. They serve as a form of security by requiring individuals to prove their identity before gaining entry. Strong passwords typically include a combination of letters, numbers, and special characters to enhance security.
Written by Perlego with AI-assistance
9 Key excerpts on "Passwords"
- eBook - PDF
- Joseph Steinberg(Author)
- 2019(Publication Date)
- For Dummies(Publisher)
Passwords: The Primary Form of Authentication
Password authentication refers to the process of verifying the identity of a user (whether human or computer process) by asking that user to supply a password — that is, a previously-agreed-upon secret piece of information — that ostensibly the party authenticating would only know if he or she were truly the party who it claimed to be. While the term password implies that the information consists of a single word, today’s passwords can include combinations of characters that don’t form words in any spoken or written language.
IN THIS CHAPTER » Selecting passwords » Discovering how often you need to change passwords — or not » Storing passwords » Finding alternatives to passwords
Despite the availability for decades of many other authentication approaches and technologies — many of which offer significant advantages over passwords — passwords remain the de facto worldwide standard for authenticating people online. Repeated predictions of the demise of passwords have been proven untrue, and the number of passwords in use grows every day. Because password authentication is so common and because so many data breaches have resulted in the compromise of password databases, the topic has received significant media attention, with reports often spreading various misleading information. Gaining a proper understanding of the realm of passwords is important if you want to be cybersecure.
Avoiding Simplistic Passwords
Passwords only secure systems if unauthorized parties can’t easily guess them.
- eBook - PDF
Passwords
Philology, Security, Authentication
- Brian Lennon(Author)
- 2018(Publication Date)
- Belknap Press(Publisher)
In most designs, this is accomplished by comparing user input with a stored system record synchronized with the user at the time that an authorized account was established. For this reason, the earliest technical attacks on password systems were directed at that stored record itself. This is precisely why what we call words—the lexemes of a particular human language and writing system, marked by statistical unit frequency patterns of various kinds (letters, digraphs, trigraphs) that computers can analyze quickly and efficiently—make the weakest and thus least suitable passwords. Taking advantage of the difficulty of memorizing random information, and the tendency for users to select actual (often personally meaningful) words as passwords, so-called dictionary attacks simply submit all the entries in a compiled dictionary to an authentication mechanism.[35] Encryption or hashing of passwords adds little security to any password found in a dictionary if an attacker is able to generate cryptographic hashes of dictionary words themselves (in other words, to hash the entire dictionary) and compare these hashes with the hash signatures in a password record file.[36] Rooted in widespread consumer and enterprise ignorance when it comes to how authentication mechanisms operate and how they can be compromised, poor judgment in selecting passwords is now considered a security threat of the highest order, with the intractability of the problem spurring many recent commentators to declare password authentication fundamentally broken.
- eBook - PDF
Innocent Code
A Security Wake-Up Call for Web Programmers
- Sverre H. Huseby(Author)
- 2004(Publication Date)
- Wiley(Publisher)
The credentials are a proof of identity. In some high-security applications, such as on-line banks, passwords are not considered good enough. One of the main objections against passwords is that passwords are static: the same credential is used for every log-in. An attacker that learns the password may abuse it whenever he likes, without the owner or the server knowing it. Banks typically combine the password—which is something known—with a possessed item, such as a list of one-time codes, a device for calculating access codes, or a file containing a private key. When such combined authentication schemes are used, an attacker will need both access to the item (or a copy of it, if possible), and knowledge of the password. Different schemes for authentication are not the topic of this book, but as pure password authentication is used extensively in web sites, let’s have a look at what some of us tend to do wrong when it comes to coding that kind of authentication.
6.2.1 On clear-text Passwords
How many sites, servers or systems do you log-in to regularly? On how many sites, servers or systems have you registered with a user name and password? Quite some number, I guess. Now, how many different passwords do you use? Most of us have been told many times to use different passwords everywhere. I keep wondering who invented that impossible rule; it goes without saying that we need to reuse some of our passwords on multiple sites, since our brains are not computers. Programs are available that help us remember all the passwords we need. One may even use a regular text file protected by a master password to store all the passwords. As most people do not use such schemes, we should assume that passwords are reused. What’s my point? Let’s say someone with access to the database at the site takes a peek into the password table. Or let’s say that someone cracks into the database and gets hold of all the passwords.
- eBook - PDF
Grid Computing
Techniques and Applications
- Barry Wilkinson(Author)
- 2009(Publication Date)
- Chapman and Hall/CRC(Publisher)
If the username and password are valid, access is granted. As an aside, the password needs to be significantly complex to reduce the possibility of discovering it by simple exhaustive search or from other user information or behavior. For example, all words in a dictionary should not be acceptable by the system as a password, as a computer program could simply go through the dictionary. Exhaustive searches can be counteracted by only allowing a certain number of login attempts, say three attempts before access is permanently denied. Passwords are usually case sensitive and will accept symbols. That feature should be utilized in choosing the password. A sufficient number of characters should be used, at least eight characters. Coming back to the user-system interface, suppose the username is not valid. A possible dialog could be
login as: abw
There is no such user
login as:
This certainly tells the user that his username is not accepted and authentication failed. A different login prompt behavior
login as: abw
password: ********
Access denied
login as:
is much better. It is more secure because it reveals less information to a potential intruder. Now it is only known that either the username or the password, or both, are invalid.
4.1.3 Encryption and Decryption
A critical fact for a secure system is how the username and password information is sent through the network to the server. If the username and password are sent in plain text, they are vulnerable to being intercepted along the network. Other computers can be attached directly to the local connection, and as the information moves outside the local network, it passes through intermediate computers as it gets routed to its final destination. Programs exist that can monitor traffic on networks, which could be used to recognize username-password sequences, steal them, and use them. A system is needed in which one can be sure of the integrity of the information being sent.
- eBook - PDF
- Henry M. Walker(Author)
- 2012(Publication Date)
- Chapman and Hall/CRC(Publisher)
Thus, networked computers utilize a system of file permissions. Different operating systems follow distinct approaches to file permissions, and users within networked environments must be careful to set permissions appropriately. Access from the outside requires a connection through the Internet, so we must work to block unauthorized connections. Control of Internet connections is the normal province of a firewall, and we will need to discuss this technology at some length. Altogether, passwords, firewalls, and permissions offer some safeguards regarding the access of individuals to specific files. However, carelessness and software defects can still lead to the unauthorized access of information. Thus, a different approach for the protection of data involves the encoding of information, so only authorized users can make any sense of the information present. This leads to the sophisticated and complex area of encryption. We now look at each of these issues in some detail.
How well do password systems work?
With an individual computer (Figure 11.1a) or a computer within a network (Figure 11.1b), limiting access to data requires that a computer distinguish one person from another. For example, if multiple people will be using one computer, each person can be given a separate computer account and password. The system then operates under the assumption that each individual knows her or his password but others do not. Data are restricted when a potential intruder cannot supply the required access code. Unfortunately, password systems often work better in theory than in practice for several reasons.
• Users often choose codes that are easily guessed, because they do not want to forget their own passwords. Common favorites include their own names or nicknames (sometimes repeated twice), names of relatives or friends, well-known dates (e.g., birthdays, anniversaries), and popular words or phrases.
- eBook - PDF
- April J. Wells(Author)
- 2007(Publication Date)
- CRC Press(Publisher)
It is important that this challenge question not be something that is either easily guessable or easily researchable (for example, your mother’s maiden name) because that would be simple enough for someone who really wanted to gain a user’s access to the system to determine. There are several different tools and methodologies one can use to authenticate user identity, to include the following.
Passwords and Personal Identification Numbers
Passwords and personal identification numbers (PIN numbers) are examples of authentication based on something that the user (and in theory only the user) should know. It is the lowest level and least secure method of authentication. Password security is usually one of the first levels of security that a user comes into contact with when accessing a computer or the network. The combination of user ID (or bank account number, for example) and password or PIN number will allow someone to access a network or a bank account to some degree. In many organizations, this is where security often stops. Once the user is authenticated to the network, that user can do anything that he is permitted to do without any further authentication or with minimal other authentication (more user IDs and passwords) necessary. However, passwords are often easily compromised. Users are notorious for using weak passwords (passwords that are children’s or spouse’s names, anniversary dates, or simply an easily guessed string of numbers). Some security models require strong passwords. This means that rules in place govern when passwords expire, whether the word can be a dictionary-recognizable word, whether uppercase letters are allowed, numbers and special characters are necessary, and how often a password can be reused. While this does not preclude a user from circumventing the system (using @pple instead of apple, for example), it does make guessing passwords less simple for someone trying to access a system as someone else.
- eBook - PDF
- Sabu M. Thampi, Bharat Bhargava, Pradeep K. Atrey(Authors)
- 2013(Publication Date)
- Chapman and Hall/CRC(Publisher)
Each of these systems has its own strengths and weaknesses [7–10]. Traditional alphanumeric passwords are the ones that are most commonly used and understood. Users have been utilizing these for decades and subsequently feel very comfortable using them [11]. They are also the most cost effective and convenient to implement because of their general lack of complexity. However, they are also the most vulnerable: because they have been employed for so long, various methods of bypassing them have been developed for nefarious purposes [12]. These passwords form three main sub-categories: (1) word-only passwords, where only letters can be used; (2) mixed passwords, where letters, numbers, and symbols can be employed; and (3) symbol-based passwords, where only special characters are permitted. All of these rely on the well-known system of utilizing a username, password, and verification of a user’s identity [13]. Dynamic passwords also employ an alphanumeric sequence and username to facilitate authentication; however, they utilize an additional layer of security to prevent attacks. Typically, a user will authenticate him- or herself using a password and username via a secure channel and will then be issued with a second dynamic password. This password can only be used once, and is usually only valid for a fixed length of time or until the user logs off. Dynamic passwords will change each time a user attempts to be authenticated [9]. In this way, repeat attacks are prevented, as the same passphrase cannot be used twice. This technique is often coupled with a token of some kind, a small device detached from a user’s PC, which can display the dynamic password to the user discreetly [14]. The channel that the user attains the dynamic password from is usually separated completely from the secure system that the password is used to access, often on an internal network. This layered approach reduces the chances of a successful attack [15].
- eBook - PDF
- Asoke K. Talukder, Manish Chaitanya(Authors)
- 2008(Publication Date)
- Auerbach Publications(Publisher)
As long as the authentication is successful, anybody can use the phone and make calls, whereas in the case of a computer, the user is authenticated but not the device being used. The user can move from one computer to another computer and still use the same application. When a device is authenticated, the challenge is posed by an authenticator machine to the device. In such cases complex algorithms can be used; also, large complex passwords can be used. However, the same is not true for data networks simply because in data networks the user is authenticated and human users cannot face very complex challenges, and they cannot remember complex passwords. We will illustrate these through different types of authentication attacks.
1.3.2.1 Dictionary Attack
If you visit the University of Illinois at Chicago (UIC) safe password site (choosing a safe password—http://www.uic.edu/depts/accc/accts/password.html), you will notice directives such as Password Rules, which states in its third point, “Cannot be based on your name, netid, or on words found in a dictionary.” The same page also lists 25 easy-to-guess passwords that start with your name. The challenge is, a password has to be remembered by the user; generally, human beings cannot remember cryptic, long, meaningless strings of characters. Human beings can remember words or sequences of letters that they can relate to. Therefore, people have a tendency to choose passwords that are easy to remember, short, and a single word that can be found in a dictionary. A dictionary attack is a technique for defeating an authentication mechanism by trying to determine the password by searching a large number of possibilities from dictionaries of different languages.
- Jonathan S. Held, John Bowers(Authors)
- 2001(Publication Date)
- Auerbach Publications(Publisher)
Chapter 2 has hopefully convinced you of the need for a strong public password policy. To help us become better acquainted with issues related to this topic, we begin with a look at passwords from the perspective of a hacker (one operating from the inside) and what the hacker is up against. We take a brief look at the mathematics behind passwords to learn what type of compute time is required before passwords are compromised, and then we examine how access is mediated on UNIX/Linux machines. Our discussion here focuses on password file format, the use of shadowed password files, and tools and types of attacks that hackers use to break passwords. We next explore password usage on Microsoft Corporation’s Windows machines. You will learn about some of the Windows 95 and 98 insecurities (although these systems were never designed with the intent of really being secure) and the Windows NT Security Accounts Manager (SAM) database. Finally, we conclude with a list of rules for creating good passwords and a review of password generators and utilities that can assist the system administrator.
The Mathematics of Passwords
In 1965, Gordon Moore was preparing a speech when he made a memorable observation. He noted that the amount of data storage that a microchip could hold was doubling about every 12 months. While the timeframe within which this occurs has slipped to the right somewhat (this phenomenon now occurs every 18 to 24 months) and the frequency with which it occurs will be challenged in the very near future, the trend has continued and his observation, now known as Moore’s law, is still remarkably accurate. With the doubling of transistor capacity came a profound, exponential increase in computing power. The days of having to schedule batch jobs for invaluable, expensive processor time were over and a new era — one characterized by obsolescence — began.
Index pages curate the most relevant extracts from our library of academic textbooks. They’ve been created using an in-house natural language model (NLM), each adding context and meaning to key research topics.