 |
|
| ||||||||||||||||||||||||||
|
|
| ||||||||||||||||||||||||||
|
|
|
|
|
| ||||||||
A password is a form of authentication which uses secret data to control access to a resource. The password is kept secret from those not allowed access, and those wishing to gain access are tested on whether or not they know the password and are granted or denied access accordingly. For instance, historically in wartime, sentries guarding a location would challenge for a password. They would only allow a person in if they knew the password.
In modern times, passwords are used to control access to protected computer systems, mobile phones, TV decoders, automatic teller machines, etc. Examples include logons to computer systems such as email servers, or a personal identification number (PIN) at a bank cash machine or, in fiction, Illya Kuryakin 'proving' his identity to the U.N.C.L.E. security door with a code word.
Despite the name, there is no need for passwords to be actual words; indeed passwords which are not actual words are harder to guess (a desireable property). Note that password is often used to describe what would be more accurately called a pass phrase. Passcode is sometimes taken to imply that the information used is purely numeric, such as the PIN commonly used for ATM access.
In controlling access to anything, a trade-off is made between security and convenience. If a resource is protected by a password, then security is increased with a consequent loss of convenience for users. The amount of security and inconvenience inherent in a particular password policy are affected by several factors addressed below. However, there is no best way to set a proper balance between security and convenience. For example, a password used to protect a personal mobile telephone might not need to be changed as often as an administrator password for a large corporate computer network.
Sometimes (for example, for a password-protected mobile phone), there is a single password controlling access. However, in the case of a computer system, a password is usually stored for each user name, thus making all access traceable (save, of course, in the case of users sharing passwords). A would-be user must give a name as well as a password. If the user supplies a password matching the one stored for the supplied user name, he/she is permitted further access into the computer system. This is also the case for a cash machine, except that the user name is the account number stored on the bank customer's card, and the PIN is usually quite short.
For a computer system, multiple passwords (and distinct users) is usually preferable to having a single password shared by all (or some of) legitimate users of the system. This is partly because if many people know a password, it is more likely that the password will become known to others and the system become compromised. Single passwords are also much less convenient to change if that becomes necessary (because more people need to be told), and they make removal of a particular user's access more difficult. It is often surprisingly difficult to match real world policy issues and concerns (e.g., joining or leaving a group of users sharing a password) with access control mechanism(s).
The security of a password protected system depends on several factors, all of which are tied to keeping the password completely secret.
Forcing users to change passwords frequently (monthly or even more often) ensures that a valid password in the wrong hands will expire and become unusable quickly. Many operating systems provide such features, though they are not universally used.
Although this has security benefits, forcing password change too frequently makes users more likely to forget which password is current, and there is a consequent temptation for users to either write their password down or to reuse their penultimate password, which mostly negates any added security benefit. Implementing such a policy requires careful consideration of human factors.
An extreme form of this approach is to have passwords which are only valid once. This makes many potential attacks ineffective. Several such systems have been designed, and some of them are in production use. Most users find single use passwords extremely inconvenient. They have, however, been widely implemented in personal online banking, where they are known as TANs. As most home users only perform a small number of transactions each week, the single use issue has not lead to significant customer dissatisfacion in this case.
Passwords can be vulnerable to snooping while being transmitted to the authenticating machine or person. In an extreme case, a password transmitted by publication in a large circulation newspaper, will be entirely insecure. If the password is carried as electrical signals on physical wiring between the user access point and the central system controlling the password database, it is subject to snooping by any of a variety of wire tapping methods and will also be insecure, though less obviously so. This may be tolerable in some cases. If it is carried over the Internet, anyone able to watch the packets containing the logon information can snoop with very little possibility of detection. This is less likely to be tolerable.
See cryptography for ways in which the passing of information can be made more secure in the face of assorted snooping methods.
Studies of production computer systems have for decades consistently shown that about 40% of all user-chosen passwords are readily guessed.
Passwords can be discovered by shoulder surfing, burglary, extortion, blackmail or threats. Approximate password length can be discovered even without shoulder surfing by simply counting keyboard clicks or noting finger motions.
Active theft/snoop/extortion preemption measures such as automatic expiry of passwords can work (eventually) even in cases in which a password is compromised without its owner being aware of it. This precaution annoys many users and so is used far less often than a concern for security would suggest. And dumpster diving is surprisingly fruitful for situations in which sensitive printed data is discarded with insufficient precaution.
Obtaining passwords by psychological manipulation of users is an example of social engineering. "Hi. Systems Control here. We're doing a security test. Can we have your password so we can proceed?" works astonishingly often.
The most secure passwords are long, random collections of characters (including upper and lower case, numbers and other symbols if allowed), which are, unfortunately from a security perspective, quite hard for most people to remember. Users with such passwords are mightily tempted to stick a Post-it note to their display, and a password that has been written down is no longer as secure, depending on what threats are encountered. Most observers regard written down passwords as necessarily insecure.
Forcing users to use system created 'random passwords' ensures the password will have no connection with that user (and thus will be hard to guess from knowledge of the user), and shouldn't be findable in any dictionary (thus ruling out 'dictionary attacks'). Several operating systems have included such a feature. It is helpful from a security viewpoint. However, such passwords are very hard for users to remember, and therefore this measure has been self-defeating in practice as annoyed users write them down. This is not helpful from a security viewpoint. An ideal balance is not easy to find.
Usually, a system must provide a way to change a password, either because a user believes the current password has been (or might have been) compromised, or as a precautionary measure. If a new password is passed to the system in an unencrypted form, security can be lost (e.g., via wire tapping) before the new password can even be installed in the password database. If the new password is given (even securely) to a compromised employee, it will likely be lost (this sort of problem is publicly known to have happened many times at assorted organizations, companies, etc). Nonetheless, new passwords are often given to users over the (insecure) telephone as a result of a demand for convenience.
If the system stores every password in a cryptographically protected form, then access to the actual password will be difficult for a snooper (or a snooper's program) poking around within the system, whilst validation still remains possible.
However, even when using adequate crypto procedures to provide increased security, no password system can be totally immune to attack. There exist tools which can determine some plaintext passwords, given a copy of the file containing the encrypted ones. By comparing the encrypted outcome of every word (and many word variations) from some word collection (like a dictionary), a program can automatically attack many computer systems. This is a variant of a brute force attack in which all possible passwords are tried (or, in the case of a dictionary attack, a sizeable number are tried). These dictionary attack tools demonstrate by existence the relative strengths of different password choices against such attacks.
The usual cryptographic scheme does not store the plaintext password at all, instead storing only a hashed form of the plaintext password. Such a hash (or message digest) is created by applying a cryptographic hashing algorithm to a string (ie, the password in this case). The output is a constant length string (the digest or hash), and if the hash function is well designed and has been properly implemented, it is both computationally infeasible to reverse it to find the plaintext, and infeasible to find another plaintext which produces the same hash value. MD5 and SHA1 are frequently used cryptographic hash functions. When a user types in a password on such a system, it is run through the hashing algorithm, and if the hash generated from the user's entry matches the hash stored in the password database, the user is permitted access.
A weak password would be one that was short or which could be rapidly guessed by searching a subset of all possible passwords such as words in the dictionary, proper names, words based on the user name or common variations on these themes. A strong password would be sufficiently long, random, or otherwise produceable only by the user who chose it, so that 'guessing' for it will require too long a time. The length of time deemed to be 'too long' will vary with the attacker, with the attacker's resources, and with how the importance of the password to the attacker. So a student's password might not be worth more than a few seconds of computer time, whilst a password controlling access to a large bank's electronic money transfer system might be worth many weeks of computer time.
'Weak' and 'strong' have only a rather fuzzy meaning in this context, and are very often misused in ways implying considerable precision. But note that a 'strong password' in this sense can still be stolen, tricked, or extorted from a user, or overheard by tapping some communications medium, or copied from a Post-It note. Strong has a severely limited meaning in this context.
Examples of weak passwords include god, sex, password, rover, smile and 12/3/75; most of these would be easily found with a dictionary search attack, and the last is likely some personally significant date readily discoverable with a little research. Examples of stronger passwords would be tastywheeT34, partei@34!, and #23kLLflux. These passwords are not dictionary attackable being in no actual dictionary, use combinations of lower and upper case letters / numbers / symbols, and are sufficiently long to make direct brute force search impractically costly in most circumstances. Note that some systems do not allow symbols like #, @ and ! in passwords; in such cases, another letter or number or two may offer equivalent security. Also note that, having been published in a BambooWeb article as password examples, these are no longer good choices: examples from publicly accessible discussions about passwords are obviously good candidates for inclusion in a dictionary to be used for a dictionary attack.
It has been said that the ideal password should be "impossible to remember" and thus unlikely to be guessable. Such passwords are surely stronger, that is, harder for an attacker to discover; but they are more often written down, and so easier to discover by looking under drawers or keyboards or behind pictures or for Post-it notes. Such passwords regularly evoke violations of another bit of common, and wise, advice -- "never write a password down anywhere, no matter what". Requiring 'strong' passwords thus often causes the unintended consequence that many such passwords become insecure in practice by increasing the likelihood that they will be lost, snooped, copied, or otherwise compromised.
Personal mneumonics are sometimes recommended, that is, things that are memorable to you, but not to others, for example, the password 'Iw21wIfvP', a difficult to remember string, derives from 'I Was 21 When I First Visited Paris', possibly easily remembered. However, if your first experience of Paris is important to you, it may be possible to guess this password from knowledge of you. In that case, this would not be a sensible password choice.
|
||||
| View Live Article | This article is from Wikipedia. All text is available under the terms of the GNU Free Documentation License | |
||
