A password is a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource (example: an access code is a type of password). The password should be kept secret from those not allowed access.
The use of passwords is known to be ancient. Sentries would challenge those wishing to enter an area or approaching it to supply a password or watchword. Sentries would only allow a person or group to pass if they knew the password. In modern times, user names and passwords are commonly used by people during a log in process that controls access to protected computer operating systems, mobile phones, cable TV decoders, automated teller machines (ATMs), etc. A typical computer user may require passwords for many purposes: logging in to computer accounts, retrieving e-mail from servers, accessing programs, databases, networks, web sites, and even reading the morning newspaper online.
Despite the name, there is no need for passwords to be actual words; indeed passwords which are not actual words may be harder to guess, a desirable property. Some passwords are formed from multiple words and may more accurately be called a passphrase. The term passcode is sometimes used when the secret information is purely numeric, such as the personal identification number (PIN) commonly used for ATM access. Passwords are generally short enough to be easily memorized and typed.
For the purposes of more compellingly authenticating the identity of one computing device to another, passwords have significant disadvantages (they may be stolen, spoofed, forgotten, etc.) compared with authentication systems relying on cryptographic protocols, which are more difficult to circumvent.
Memorization and guessing
The easier a password is for its owner to remember, the easier it generally is for an attacker to guess.[1] Passwords which are difficult to remember will reduce the security of a system because (a) users might need to write down or electronically store the password, (b) users will need frequent password resets and (c) users are more likely to re-use the same password. Similarly, the more stringent the requirements for password strength, e.g. «have a mix of uppercase and lowercase letters and digits» or «change it monthly», the greater the degree to which users will subvert the system.[2]
In The Memorability and Security of Passwords,[3] Jeff Yan et al. examine the effect of advice given to users about a good choice of password. They found that passwords based on thinking of a phrase and taking the first letter of each word are just as memorable as naively selected passwords, and just as hard to crack as randomly generated passwords. Combining two unrelated words is another good method. Having a personally designed «algorithm» for generating obscure passwords is another good method.
However, asking users to remember a password consisting of a “mix of uppercase and lowercase characters” is similar to asking them to remember a sequence of bits: hard to remember, and only a little bit harder to crack (e.g. only 128 times harder to crack for 7-letter passwords, less if the user simply capitalises one of the letters). Asking users to use «both letters and digits» will often lead to easy-to-guess substitutions such as ‘E’ → ‘3’ and ‘I’ → ‘1’, substitutions which are well known to attackers. Similarly, typing the password one keyboard row higher is a common trick known to attackers.
Factors in the security of a password system
The security of a password-protected system depends on several factors. The overall system must, of course, be designed for sound security, with protection against computer viruses, man-in-the-middle attacks and the like. Physical security issues are also a concern, from deterring shoulder surfing to more sophisticated physical threats such as video cameras and keyboard sniffers. And, of course, passwords should be chosen so that they are hard for an attacker to guess and hard for an attacker to discover using any (and all) of the available automatic attack schemes. See password strength, computer security, and computer insecurity.
Nowadays it is a common practice for computer systems to hide passwords as they are typed. The purpose of this measure is to avoid bystanders reading the password. However, some argue that this practice may lead to mistakes and stress, encouraging users to choose weak passwords. As an alternative, users should have the option to show or hide passwords as they type them.[4]
Effective access control provisions may force extreme measures on criminals seeking to acquire a password or biometric token.[5] Less extreme measures include extortion, rubber hose cryptanalysis, and side channel attack.
Here are some specific password management issues that must be considered when thinking about, choosing, and handling a password.
Rate at which an attacker can try guessed passwords
The rate at which an attacker can submit guessed passwords to the system is a key factor in determining system security. Some systems impose a time-out of several seconds after a small number (e.g., three) of failed password entry attempts. In the absence of other vulnerabilities, such systems can be effectively secure with relatively simple passwords, if they have been well chosen and are not easily guessed.[6]
Many systems store or transmit a cryptographic hash of the password in a manner that makes the hash value accessible to an attacker. When this is done, and it is very common, an attacker can work off-line, rapidly testing candidate passwords against the true password’s hash value. Passwords that are used to generate cryptographic keys (e.g., for disk encryption or Wi-Fi security) can also be subjected to high rate guessing. Lists of common passwords are widely available and can make password attacks very efficient. (See Password cracking.) Security in such situations depends on using passwords or passphrases of adequate complexity, making such an attack computationally infeasible for the attacker. Some systems, such as PGP and Wi-Fi WPA, apply a computation-intensive hash to the password to slow such attacks. See key stretching.
Form of stored passwords
Some computer systems store user passwords as cleartext, against which to compare user log on attempts. If an attacker gains access to such an internal password store, all passwords—and so all user accounts—will be compromised. If some users employ the same password for accounts on different systems, those will be compromised as well.
More secure systems store each password in a cryptographically protected form, so access to the actual password will still be difficult for a snooper who gains internal access to the system, while validation of user access attempts remains possible.
A common approach stores only a «hashed» form of the plaintext password. When a user types in a password on such a system, the password handling software runs through a cryptographic hash algorithm, and if the hash value generated from the user’s entry matches the hash stored in the password database, the user is permitted access. The hash value is created by applying a hash function (for maximum resistance to attack this should be a cryptographic hash function) to a string consisting of the submitted password and, usually, another value known as a salt. The salt prevents attackers from easily building a list of hash values for common passwords. MD5 and SHA1 are frequently used cryptographic hash functions.
A modified version of the DES algorithm was used for this purpose in early Unix systems. The UNIX DES function was iterated to make the hash function deliberately slow, further frustrating automated guessing attacks, and used the password candidate as a key to encrypt a fixed value, thus blocking yet another attack on the password shrouding system. More recent Unix or Unix-like systems (e.g., Linux or the various BSD systems) use what most believe to be still more effective protective mechanisms based on MD5, SHA1, Blowfish, Twofish, or any of several other algorithms to prevent or frustrate attacks on stored password files.[7]
If the hash function is well designed, it will be computationally infeasible to reverse it to directly find a plaintext password. However, many systems do not protect their hashed passwords adequately, and if an attacker can gain access to the hashed values he can use widely available tools which hash every word from some list, such as a dictionary (many are available on the Internet), and compare the results against the stored values. Large lists of possible passwords in many languages are widely available on the Internet, as are software programs to try common variations. The existence of these dictionary attack tools constrains user password choices which are intended to resist easy attacks; they must not be findable on such lists. Obviously, words on such lists should be avoided as passwords. Use of a key stretching hash such as PBKDF2 is designed to reduce this risk.
A poorly designed hash function can make attacks feasible even if a strong password is chosen. See LM hash for a widely deployed, and insecure, example.[8]
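The salted, stretched storage scheme described above, written out as an added example (it is not code from the article or from any particular system). It assumes PBKDF2 with HMAC-SHA-256, a 16-byte random salt per password, a fixed iteration count and a self-describing record format `pbkdf2_sha256$iterations$salt$hash`, all of which are choices made for this illustration:

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters assumed for this example: PBKDF2 with HMAC-SHA-256, a 16-byte random
# salt per password and a fixed iteration count. The iteration count is the key
# stretching knob: every candidate an attacker tests costs the same work it costs us.
HASH_NAME = "sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_<hash>$<iterations>$<salt hex>$<digest hex>."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)             # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the stretched hash with the stored salt and compare in constant time."""
    try:
        algo, iterations_str, salt_hex, digest_hex = stored.split("$")
        if not algo.startswith("pbkdf2_"):
            return False
        hash_name = algo[len("pbkdf2_"):]
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                                        salt, int(iterations_str))
    except ValueError:
        return False                              # malformed record: refuse, do not crash
    # hmac.compare_digest does not leak how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


def same_password_distinct_records(password: str) -> bool:
    """Two users who choose the same password get different records because the salts
    differ, so a wordlist cannot be hashed once and matched against every account."""
    first, second = hash_password(password), hash_password(password)
    return (first != second
            and verify_password(password, first)
            and verify_password(password, second))
```

Because the iteration count is stored with each record, it can be raised for new passwords as hardware gets faster without invalidating existing ones.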
Methods of verifying a password over a network
Various methods have been used to verify submitted passwords in a network setting:
Simple transmission of the password
Passwords are vulnerable to interception (i.e., «snooping») while being transmitted to the authenticating machine or person. If the password is carried as electrical signals on unsecured physical wiring between the user access point and the central system controlling the password database, it is subject to snooping by wiretapping methods. If it is carried as packetized data over the Internet, anyone able to watch the packets containing the logon information can snoop with a very low probability of detection.
Email is sometimes used to distribute passwords. Since most email is sent as cleartext, it is available without effort during transport to any eavesdropper. Further, the email will be stored on at least two computers as cleartext—the sender’s and the recipient’s. If it passes through intermediate systems during its travels, it will probably be stored on those as well, at least for some time. Attempts to delete an email from all of these locations may, or may not, succeed; backups or history files or caches on any of several systems may still contain the email. Indeed, merely identifying every one of those systems may be difficult. Emailed passwords are generally an insecure method of distribution.
An example of cleartext transmission of passwords is the original Wikipedia website. When you logged into your Wikipedia account, your username and password were sent from your computer’s browser across the Internet as cleartext. In principle, anyone could read them in transit and thereafter log into your account as you; Wikipedia’s servers have no way of distinguishing such an attacker from you. In practice, an unknowable and larger number of people could do so as well (e.g., employees at your Internet Service Provider, at any of the systems through which the traffic passes, etc.). More recently, Wikipedia has offered a secure login option, which, like many e-commerce sites, uses the SSL/TLS cryptographic protocol to eliminate the cleartext transmission. But, because anyone can gain access to Wikipedia (without logging in at all) and then edit essentially all articles, it can be argued that there is little need to encrypt these transmissions as there’s little being protected. Other websites (e.g., banks and financial institutions) have quite different security requirements, and cleartext transmission of anything is clearly insecure in those contexts.
Using client-side encryption will only protect transmission from the mail handling system server to the client machine. Previous or subsequent relays of the email will not be protected and the email will probably be stored on multiple computers, certainly on the originating and receiving computers, most often in cleartext.
Transmission through encrypted channels
The risk of interception of passwords sent over the Internet can be reduced by, among other approaches, using cryptographic protection. The most widely used is the Transport Layer Security (TLS, previously called SSL) feature built into most current Internet browsers. Most browsers alert the user of a TLS/SSL protected exchange with a server by displaying a closed lock icon, or some other sign, when TLS is in use. There are several other techniques in use; see cryptography.
Hash-based challenge-response methods
Unfortunately, there is a conflict between stored hashed passwords and hash-based challenge-response authentication; the latter requires a client to prove to a server that he knows the shared secret (i.e., the password), and to do this, the server must be able to obtain the shared secret from its stored form. On many systems (including Unix-type systems) doing remote authentication, the shared secret usually becomes the hashed form and has the serious limitation of exposing passwords to offline guessing attacks. In addition, when the hash is used as a shared secret, an attacker does not need the original password to authenticate remotely; he only needs the hash.
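The exchange described above, as an added illustration rather than any real protocol or code from the article: the server stores only H(password), the challenge is a random nonce, and the response is an HMAC over the nonce keyed with the stored form. The unsalted SHA-256 stored form, the nonce length and the HMAC construction are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Constructed illustration of hash-based challenge-response. The server keeps only
# the "hashed form" H(password); that value is the shared secret the exchange relies on.


def stored_form(password: str) -> bytes:
    """What the server's password database holds for this user (unsalted SHA-256 here)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def new_challenge() -> bytes:
    """Server -> client: a fresh random nonce, so a captured response cannot be replayed."""
    return os.urandom(16)


def client_response(password: str, nonce: bytes) -> bytes:
    """Client -> server: HMAC over the nonce keyed with H(password).
    The password itself never leaves the client."""
    return hmac.new(stored_form(password), nonce, hashlib.sha256).digest()


def server_verify(stored: bytes, nonce: bytes, response: bytes) -> bool:
    """The server recomputes the expected response from its stored value alone."""
    expected = hmac.new(stored, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def run_exchange(stored: bytes, password_attempt: str) -> bool:
    """One full round trip: challenge, response, verification."""
    nonce = new_challenge()
    return server_verify(stored, nonce, client_response(password_attempt, nonce))


def stored_value_suffices(stored: bytes) -> bool:
    """The limitation the text describes: server_verify needs nothing beyond `stored`,
    so whoever holds the database entry can answer the challenge without ever knowing
    the password. The stored form therefore has to be guarded like the password itself."""
    nonce = new_challenge()
    response_built_from_stored_value = hmac.new(stored, nonce, hashlib.sha256).digest()
    return server_verify(stored, nonce, response_built_from_stored_value)
```

Note that nothing in the exchange itself is weak; the weakness is entirely in what the server has to keep on disk to take part in it, which is the conflict the section describes.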
Zero-knowledge password proofs
Rather than transmitting a password, or transmitting the hash of the password, password-authenticated key agreement systems can perform a zero-knowledge password proof, which proves knowledge of the password without exposing it.
Moving a step further, augmented systems for password-authenticated key agreement (e.g., AMP, B-SPEKE, PAK-Z, SRP-6) avoid both the conflict and limitation of hash-based methods. An augmented system allows a client to prove knowledge of the password to a server, where the server knows only a (not exactly) hashed password, and where the unhashed password is required to gain access.
Procedures for changing passwords
Usually, a system must provide a way to change a password, either because a user believes the current password has been (or might have been) compromised, or as a precautionary measure. If a new password is passed to the system in unencrypted form, security can be lost (e.g., via wiretapping) before the new password can even be installed in the password database. And, of course, if the new password is given to a compromised employee, little is gained. Some web sites include the user-selected password in an unencrypted confirmation e-mail message, with the obvious increased vulnerability.
Identity management systems are increasingly used to automate issuance of replacements for lost passwords, a feature called self service password reset. The user’s identity is verified by asking questions and comparing the answers to ones previously stored (i.e., when the account was opened).
Password longevity
«Password aging» is a feature of some operating systems which forces users to change passwords frequently (e.g., quarterly, monthly or even more often). Such policies usually provoke user protest and foot-dragging at best and hostility at worst. There is often an increase in the people who note down the password and leave it where it can easily be found, as well as helpdesk calls to reset a forgotten password. Users may use simpler passwords or develop variation patterns on a consistent theme to keep their passwords memorable. Because of these issues, there is some debate[9] as to whether password aging is effective. The intended benefit is mainly that a stolen password will be made ineffective if it is reset; however in many cases, particularly with administrative or «root» accounts, once an attacker has gained access, he can make alterations to the operating system that will allow him future access even after the initial password he used expires (see rootkit). The other, less frequently cited and possibly more valid, reason is that in the event of a long brute force attack, the password will be invalid by the time it has been cracked. However, there is no documented evidence that the policy of requiring periodic changes in passwords increases system security.
Password aging may be required because of the nature of IT systems the password allows access to; if personal data is involved the EU Data Protection Directive is in force. Implementing such a policy, however, requires careful consideration of the relevant human factors. Humans memorize by association, so it is impossible to simply replace one memory with another. Two psychological phenomena interfere with password substitution. «Primacy» describes the tendency for an earlier memory to be retained more strongly than a later one. «Interference» is the tendency of two memories with the same association to conflict. Because of these effects most users must resort to a simple password containing a number that can be incremented each time the password is changed.
Number of users per password
Sometimes a single password controls access to a device, for example, for a network router, or password-protected mobile phone. However, in the case of a computer system, a password is usually stored for each user account, thus making all access traceable (save, of course, in the case of users sharing passwords). A would-be user on most systems must supply a username as well as a password, almost always at account set up time, and periodically thereafter. If the user supplies a password matching the one stored for the supplied username, he or she is permitted further access into the computer system. This is also the case for a cash machine, except that the ‘user name’ is typically the account number stored on the bank customer’s card, and the PIN is usually quite short (4 to 6 digits).
Allotting separate passwords to each user of a system is preferable to having a single password shared by legitimate users of the system, certainly from a security viewpoint. This is partly because users are more willing to tell another person (who may not be authorized) a shared password than one exclusively for their use. Single passwords are also much less convenient to change because many people need to be told at the same time, and they make removal of a particular user’s access more difficult, as for instance on graduation or resignation. Per-user passwords are also essential if users are to be held accountable for their activities, such as making financial transactions or viewing medical records.
Password security architecture
Common techniques used to improve the security of computer systems protected by a password include:
- Not displaying the password on the display screen as it is being entered or obscuring it as it is typed by using asterisks (*) or bullets (•).
- Allowing passwords of adequate length. (Some legacy operating systems, including early versions of Unix and Windows, limited passwords to an 8 character maximum,[10][11][12][13] reducing security.)
- Requiring users to re-enter their password after a period of inactivity (a semi log-off policy).
- Enforcing a password policy to increase password strength and security.
- Requiring periodic password changes.
- Assigning randomly chosen passwords.
- Requiring minimum password lengths.
- Some systems require characters from various character classes in a password—for example, «must have at least one uppercase and at least one lowercase letter». However, all-lowercase passwords are more secure per keystroke than mixed capitalization passwords.[14]
- Providing an alternative to keyboard entry (e.g., spoken passwords, or biometric passwords).
- Requiring more than one authentication system, such as 2-factor authentication (something you have and something you know).
- Using encrypted tunnels or password-authenticated key agreement to prevent access to transmitted passwords via network attacks.
- Limiting the number of allowed failures within a given time period (to prevent repeated password guessing). After the limit is reached, further attempts will fail (including correct password attempts) until the beginning of the next time period. However, this is vulnerable to a form of denial of service attack.
- Introducing a delay between password submission attempts to slow down automated password guessing programs.
Some of the more stringent policy enforcement measures can pose a risk of alienating users, possibly decreasing security as a result.
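The last two measures in the list, a failure limit per time period and a delay between attempts, as an added example that is not code from the article. It assumes a per-account sliding window, a caller-supplied clock so the behaviour can be exercised without waiting, and an exponential delay schedule; all of these are choices made for this illustration:

```python
from collections import deque
from typing import Deque, Dict


class FailureLimiter:
    """Per-account failure limit over a sliding time window (constructed example).

    At most `max_failures` failed attempts are tolerated within `window` seconds.
    While the limit is reached every attempt is rejected, including one carrying the
    correct password, until the oldest failure ages out of the window. That is the
    denial-of-service exposure the text mentions: anyone who knows a username can
    keep the account locked by feeding it wrong passwords.
    """

    def __init__(self, max_failures: int = 5, window: float = 60.0) -> None:
        self.max_failures = max_failures
        self.window = window
        self._failures: Dict[str, Deque[float]] = {}

    def _recent_failures(self, account: str, now: float) -> Deque[float]:
        q = self._failures.setdefault(account, deque())
        while q and now - q[0] >= self.window:      # drop failures outside the window
            q.popleft()
        return q

    def is_locked(self, account: str, now: float) -> bool:
        return len(self._recent_failures(account, now)) >= self.max_failures

    def attempt(self, account: str, password_ok: bool, now: float) -> str:
        """Record one login attempt; returns 'locked', 'ok' or 'bad'."""
        q = self._recent_failures(account, now)
        if len(q) >= self.max_failures:
            return "locked"          # nothing is checked while locked, correct or not
        if password_ok:
            q.clear()                # a genuine login resets the failure count
            return "ok"
        q.append(now)
        return "bad"


def backoff_delay(consecutive_failures: int, base: float = 1.0, cap: float = 30.0) -> float:
    """Softer alternative to a hard lockout: delay the next attempt, doubling per
    failure up to a cap. Automated guessing is throttled, and a third party can slow
    the legitimate user down but cannot lock the account outright."""
    if consecutive_failures <= 0:
        return 0.0
    return min(base * 2 ** (consecutive_failures - 1), cap)
```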
Writing down passwords on paper
Historically, many security experts asked people to memorize their passwords and «Never write down a password». More recently, many security experts such as Bruce Schneier recommend that people use passwords that are too complicated to memorize, write them down on paper, and keep them in a wallet.[15][16][17][18][19][20][21]
Password cracking
Attempting to crack passwords by trying as many possibilities as time and money permit is a brute force attack. A related method, rather more efficient in most cases, is a dictionary attack. In a dictionary attack, all words in one or more dictionaries are tested. Lists of common passwords are also typically tested.
Password strength is the likelihood that a password cannot be guessed or discovered, and varies with the attack algorithm used. Passwords easily discovered are termed weak or vulnerable; passwords very difficult or impossible to discover are considered strong. There are several programs available for password attack (or even auditing and recovery by systems personnel) such as L0phtCrack, John the Ripper, and Cain; some of which use password design vulnerabilities (as found in the Microsoft LANManager system) to increase efficiency. These programs are sometimes used by system administrators to detect weak passwords proposed by users.
Studies of production computer systems have consistently shown that a large fraction of all user-chosen passwords are readily guessed automatically. For example, Columbia University found 22% of user passwords could be recovered with little effort.[22] According to Bruce Schneier, examining data from a 2006 phishing attack, 55% of MySpace passwords would be crackable in 8 hours using a commercially available Password Recovery Toolkit capable of testing 200,000 passwords per second in 2006.[23] He also reported that the single most common password was password1, confirming yet again the general lack of informed care in choosing passwords among users. (He nevertheless maintained, based on these data, that the general quality of passwords has improved over the years—for example, average length was up to eight characters from under seven in previous surveys, and less than 4% were dictionary words.[24])
Incidents
- On July 16, 1998, CERT reported an incident where an attacker had found 186,126 encrypted passwords. By the time they were discovered, they had already cracked 47,642 passwords.[25]
- In December 2009, a major password breach of the Rockyou.com website occurred that led to the release of 32 million passwords. The hacker then leaked the full list of the 32 million passwords (with no other identifiable information) to the internet. Passwords were stored in cleartext in the database and were extracted through a SQL Injection vulnerability. The Imperva Application Defense Center (ADC) did an analysis on the strength of the passwords.[26]
- In June 2011, NATO (North Atlantic Treaty Organization) experienced a security breach that led to the public release of first and last names, usernames, and passwords for more than 11,000 registered users of their e-Bookshop. The data was leaked as part of Operation AntiSec, a movement that includes Anonymous, LulzSec, as well as other hacking groups and individuals. The aim of AntiSec is to expose personal, sensitive, and restricted information to the world, using any means necessary.[27]
- On July 11, 2011, Booz Allen Hamilton, a large American consulting firm that does a substantial amount of work for the Pentagon, had their servers hacked by Anonymous and leaked the same day. «The leak, dubbed ‘Military Meltdown Monday,’ includes 90,000 logins of military personnel—including personnel from USCENTCOM, SOCOM, the Marine corps, various Air Force facilities, Homeland Security, State Department staff, and what looks like private sector contractors.»[28] These leaked passwords turned out to have been hashed with SHA-1, and were later cracked and analyzed by the ADC team at Imperva, revealing that even military personnel look for shortcuts and ways around the password requirements.[29]
- On July 18, 2011, Microsoft Hotmail banned the password: «123456.»[30]
Alternatives to passwords for authentication
The numerous ways in which permanent or semi-permanent passwords can be compromised have prompted the development of other techniques. Unfortunately, some are inadequate in practice, and in any case few have become universally available for users seeking a more secure alternative.
- Single-use passwords. Having passwords which are only valid once makes many potential attacks ineffective. Most users find single use passwords extremely inconvenient. They have, however, been widely implemented in personal online banking, where they are known as Transaction Authentication Numbers (TANs). As most home users only perform a small number of transactions each week, the single use issue has not led to intolerable customer dissatisfaction in this case.
- Time-synchronized one-time passwords are similar in some ways to single-use passwords, but the value to be entered is displayed on a small (generally pocketable) item and changes every minute or so.
- PassWindow one-time passwords are used as single-use passwords, but the dynamic characters to be entered are visible only when a user superimposes a unique printed visual key over a server generated challenge image shown on the user’s screen.
- Access controls based on public key cryptography e.g. ssh. The necessary keys are usually too large to memorize (but see proposal Passmaze)[31] and must be stored on a local computer, security token or portable memory device, such as a USB flash drive or even floppy disk.
- Biometric methods promise authentication based on unalterable personal characteristics, but currently (2008) have high error rates and require additional hardware to scan, for example, fingerprints, irises, etc. They have proven easy to spoof in some famous incidents testing commercially available systems, for example, the gummy fingerprint spoof demonstration,[32] and, because these characteristics are unalterable, they cannot be changed if compromised; this is a highly important consideration in access control as a compromised access token is necessarily insecure.
- Single sign-on technology is claimed to eliminate the need for having multiple passwords. Such schemes do not relieve user and administrators from choosing reasonable single passwords, nor system designers or administrators from ensuring that private access control information passed among systems enabling single sign-on is secure against attack. As yet, no satisfactory standard has been developed.
- Envaulting technology is a password-free way to secure data on e.g. removable storage devices such as USB flash drives. Instead of user passwords, access control is based on the user’s access to a network resource.
- Non-text-based passwords, such as graphical passwords or mouse-movement based passwords.[33] Graphical passwords are an alternative means of authentication for log-in intended to be used in place of conventional passwords; they use images, graphics or colours instead of letters, digits or special characters. One system requires users to select a series of faces as a password, utilizing the human brain’s ability to recall faces easily.[34] In some implementations the user is required to pick from a series of images in the correct sequence in order to gain access.[35] Another graphical password solution creates a one-time password using a randomly-generated grid of images. Each time the user is required to authenticate, they look for the images that fit their pre-chosen categories and enter the randomly-generated alphanumeric character that appears in the image to form the one-time password.[36][37] So far, graphical passwords are promising, but are not widely used. Studies on this subject have been made to determine their usability in the real world. While some believe that graphical passwords would be harder to crack, others suggest that people will be just as likely to pick common images or sequences as they are to pick common passwords.
- 2D Key (2-Dimensional Key)[38] is a two-dimensional, matrix-like key input method that combines the styles of a multiline passphrase, a crossword and ASCII/Unicode art, with optional textual semantic noise, to create a large password or key of more than 128 bits. Its aim is to realize MePKC (Memorizable Public-Key Cryptography)[39] using a fully memorizable private key on top of current private key management technologies such as encrypted private keys, split private keys and roaming private keys.
- Cognitive passwords use question and answer cue/response pairs to verify identity.
Website password systems
Passwords are used on websites to authenticate users and are usually maintained on the Web server, meaning the browser on a remote system sends a password to the server (by HTTP POST), the server checks the password and sends back the relevant content (or an access denied message). This process eliminates the possibility of local reverse engineering as the code used to authenticate the password does not reside on the local machine.
Transmission of the password, via the browser, in plaintext means it can be intercepted along its journey to the server. Many web authentication systems use SSL to establish an encrypted session between the browser and the server, which is usually the underlying meaning of claims to have a «secure Web site». This is done automatically by the browser and increases the integrity of the session, assuming neither end has been compromised and that the SSL/TLS implementations used are of high quality.
History of passwords
Passwords or watchwords have been used since ancient times. Polybius describes the system for the distribution of watchwords in the Roman military as follows:
- The way in which they secure the passing round of the watchword for the night is as follows: from the tenth maniple of each class of infantry and cavalry, the maniple which is encamped at the lower end of the street, a man is chosen who is relieved from guard duty, and he attends every day at sunset at the tent of the tribune, and receiving from him the watchword — that is a wooden tablet with the word inscribed on it — takes his leave, and on returning to his quarters passes on the watchword and tablet before witnesses to the commander of the next maniple, who in turn passes it to the one next him. All do the same until it reaches the first maniples, those encamped near the tents of the tribunes. These latter are obliged to deliver the tablet to the tribunes before dark. So that if all those issued are returned, the tribune knows that the watchword has been given to all the maniples, and has passed through all on its way back to him. If any one of them is missing, he makes inquiry at once, as he knows by the marks from what quarter the tablet has not returned, and whoever is responsible for the stoppage meets with the punishment he merits.[40]
Passwords in military use evolved to include not just a password, but a password and a counterpassword; for example in the opening days of the Battle of Normandy, paratroopers of the U.S. 101st Airborne Division used a password — flash — which was presented as a challenge, and answered with the correct response — thunder. The challenge and response were changed every three days. American paratroopers also famously used a device known as a «cricket» on D-Day in place of a password system as a temporarily unique method of identification; one metallic click given by the device in lieu of a password was to be met by two clicks in reply.[41]
Passwords have been used with computers since the earliest days of computing. MIT’s CTSS, one of the first time sharing systems, was introduced in 1961. It had a LOGIN command that requested a user password. «After typing PASSWORD, the system turns off the printing mechanism, if possible, so that the user may type in his password with privacy.»[42] In 1978, Robert Morris invented the idea of storing login passwords in a hashed form as part of the Unix operating system. His algorithm, known as crypt(3), used a 12-bit salt and invoked a modified form of the DES algorithm 25 times to reduce the risk of pre-computed dictionary attacks.[43]
See also
- Access Code
- Authentication
- CAPTCHA
- Diceware
- Kerberos (protocol)
- Keyfile
- Passphrase
- Password cracking
- Password fatigue
- Password length parameter
- Password manager
- Password notification e-mail
- Password policy
- Password psychology
- Password strength
- Password synchronization
- Password-authenticated key agreement
- Pre-shared key
- Random password generator
- Rainbow table
- Self-service password reset
- Shibboleth
References
- ^ Vance, Ashlee (January 20, 2010). «If Your Password Is 123456, Just Make It HackMe». The New York Times. http://www.nytimes.com/2010/01/21/technology/21password.html.
- ^ Fred Cohen and Associates
- ^ The Memorability and Security of Passwords
- ^ Lyquix Blog: Do We Need to Hide Passwords?
- ^ news.bbc.co.uk: Malaysia car thieves steal finger
- ^ Top ten passwords used in the United Kingdom
- ^ Password Protection for Modern Operating Systems
- ^ support.microsoft.com
- ^ Schneier on Security discussion on changing passwords
- ^ HP-UX security whitepaper «Passwords are limited to a maximum of eight significant characters»
- ^ «American Express: Strong Credit, Weak Passwords»
- ^ «Ten Windows Password Myths»: «NT dialog boxes … limited passwords to a maximum of 14 characters»
- ^ «You must provide a password between 1 and 8 characters in length»
- ^ «To Capitalize or Not to Capitalize?»
- ^ Bruce Schneier : Crypto-Gram Newsletter May 15, 2001
- ^ «Ten Windows Password Myths»: Myth #7. You Should Never Write Down Your Password
- ^ «Microsoft security guru: Jot down your passwords»
- ^ «The Strong Password Dilemma» by Richard E. Smith: «we can summarize classical password selection rules as follows: The password must be impossible to remember and never written down.»
- ^ «Choosing Random Passwords» by Bob Jenkins
- ^ «The Memorability and Security of Passwords – Some Empirical Results»
- ^ «your password … in a secure place, such as the back of your wallet or purse.»
- ^ «Should I write down my passphrase?»
- ^ Password
- ^ Schneier, Real-World Passwords
- ^ MySpace Passwords Aren’t So Dumb
- ^ «CERT IN-98.03». http://www.cert.org/incident_notes/IN-98.03.html. Retrieved 2009-09-09.
- ^ «Consumer Password Worst Practices». http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf.
- ^ «NATO Hack Attack». http://www.theregister.co.uk/2011/06/24/nato_hack_attack/. Retrieved July 24, 2011.
- ^ «Anonymous Leaks 90,000 Military Email Accounts in Latest Antisec Attack». July 11, 2011. http://gizmodo.com/5820049/anonymous-leaks-90000-military-email-accounts-in-latest-antisec-attack.
- ^ «Military Password Analysis». July 12, 2011. http://blog.imperva.com/2011/07/military-password-analysis.html.
- ^ «Microsoft’s Hotmail Bans 123456». July 18, 2011. http://blog.imperva.com/2011/07/microsofts-hotmail-bans-123456.html.
- ^ eprint.iacr.org
- ^ T. Matsumoto, H. Matsumoto, K. Yamada, and S. Hoshino, Impact of artificial ‘Gummy’ Fingers on Fingerprint Systems. Proc. SPIE, vol. 4677, Optical Security and Counterfeit Deterrence Techniques IV, or itu.int/itudoc/itu-t/workshop/security/resent/s5p4.pdf, p. 356
- ^ waelchatila.com
- ^ mcpmag.com
- ^ searchsecurity.techtarget.com
- ^ Ericka Chickowski (2010-11-03). «Images Could Change the Authentication Picture». Dark Reading. http://www.darkreading.com/authentication/security/client/showArticle.jhtml?articleID=228200140.
- ^ «Confident Technologies Delivers Image-Based, Multifactor Authentication to Strengthen Passwords on Public-Facing Websites». 2010-10-28. http://www.marketwire.com/press-release/Confident-Technologies-Delivers-Image-Based-Multifactor-Authentication-Strengthen-Passwords-1342854.htm.
- ^ xpreeli.com
- ^ wipo.int
- ^ Polybius on the Roman Military
- ^ Bando, Mark Screaming Eagles: Tales of the 101st Airborne Division in World War II
- ^ CTSS Programmers Guide, 2nd Ed., MIT Press, 1965
- ^ Morris, Robert; Thompson, Ken (1978-04-03). «Password Security: A Case History.». Bell Laboratories. http://cm.bell-labs.com/cm/cs/who/dmr/passwd.ps. Retrieved 2011-05-09.
External links
- Large collection of statistics about passwords
- Graphical Passwords: A Survey
- PassClicks, visual passwords
- Centre for Security, Communications and Network Research, University of Plymouth
- Research Papers on Password-based Cryptography
- Procedural Advice for Organisations and Administrators
- Memorability and Security of Passwords – Cambridge University Computer Laboratory study of password memorability vs. security.
A password field in a sign in form.
A password, sometimes called a passcode (for example in Apple devices),[1] is secret data, typically a string of characters, usually used to confirm a user’s identity.[1] Traditionally, passwords were expected to be memorized,[2] but the large number of password-protected services that a typical individual accesses can make memorization of unique passwords for each service impractical.[3] Using the terminology of the NIST Digital Identity Guidelines,[4] the secret is held by a party called the claimant while the party verifying the identity of the claimant is called the verifier. When the claimant successfully demonstrates knowledge of the password to the verifier through an established authentication protocol,[5] the verifier is able to infer the claimant’s identity.
In general, a password is an arbitrary string of characters including letters, digits, or other symbols. If the permissible characters are constrained to be numeric, the corresponding secret is sometimes called a personal identification number (PIN).
Despite its name, a password does not need to be an actual word; indeed, a non-word (in the dictionary sense) may be harder to guess, which is a desirable property of passwords. A memorized secret consisting of a sequence of words or other text separated by spaces is sometimes called a passphrase. A passphrase is similar to a password in usage, but the former is generally longer for added security.[6]
History
Passwords have been used since ancient times. Sentries would challenge those wishing to enter an area to supply a password or watchword, and would only allow a person or group to pass if they knew the password. Polybius describes the system for the distribution of watchwords in the Roman military as follows:
The way in which they secure the passing round of the watchword for the night is as follows: from the tenth maniple of each class of infantry and cavalry, the maniple which is encamped at the lower end of the street, a man is chosen who is relieved from guard duty, and he attends every day at sunset at the tent of the tribune, and receiving from him the watchword—that is a wooden tablet with the word inscribed on it—takes his leave, and on returning to his quarters passes on the watchword and tablet before witnesses to the commander of the next maniple, who in turn passes it to the one next to him. All do the same until it reaches the first maniples, those encamped near the tents of the tribunes. These latter are obliged to deliver the tablet to the tribunes before dark. So that if all those issued are returned, the tribune knows that the watchword has been given to all the maniples, and has passed through all on its way back to him. If any one of them is missing, he makes inquiry at once, as he knows by the marks from what quarter the tablet has not returned, and whoever is responsible for the stoppage meets with the punishment he merits.[7]
Passwords in military use evolved to include not just a password, but a password and a counterpassword; for example in the opening days of the Battle of Normandy, paratroopers of the U.S. 101st Airborne Division used a password—flash—which was presented as a challenge, and answered with the correct response—thunder. The challenge and response were changed every three days. American paratroopers also famously used a device known as a «cricket» on D-Day in place of a password system as a temporarily unique method of identification; one metallic click given by the device in lieu of a password was to be met by two clicks in reply.[8]
Passwords have been used with computers since the earliest days of computing. The Compatible Time-Sharing System (CTSS), an operating system introduced at MIT in 1961, was the first computer system to implement password login.[9][10] CTSS had a LOGIN command that requested a user password. «After typing PASSWORD, the system turns off the printing mechanism, if possible, so that the user may type in his password with privacy.»[11] In the early 1970s, Robert Morris developed a system of storing login passwords in a hashed form as part of the Unix operating system. The system was based on a simulated Hagelin rotor crypto machine, and first appeared in 6th Edition Unix in 1974. A later version of his algorithm, known as crypt(3), used a 12-bit salt and invoked a modified form of the DES algorithm 25 times to reduce the risk of pre-computed dictionary attacks.[12]
In modern times, user names and passwords are commonly used by people during a log in process that controls access to protected computer operating systems, mobile phones, cable TV decoders, automated teller machines (ATMs), etc. A typical computer user has passwords for many purposes: logging into accounts, retrieving e-mail, accessing applications, databases, networks, web sites, and even reading the morning newspaper online.
Choosing a secure and memorable password
The easier a password is for the owner to remember generally means it will be easier for an attacker to guess.[13] However, passwords that are difficult to remember may also reduce the security of a system because (a) users might need to write down or electronically store the password, (b) users will need frequent password resets and (c) users are more likely to re-use the same password across different accounts. Similarly, the more stringent the password requirements, such as «have a mix of uppercase and lowercase letters and digits» or «change it monthly», the greater the degree to which users will subvert the system.[14] Others argue longer passwords provide more security (e.g., entropy) than shorter passwords with a wide variety of characters.[15]
In The Memorability and Security of Passwords,[16] Jeff Yan et al. examine the effect of advice given to users about a good choice of password. They found that passwords based on thinking of a phrase and taking the first letter of each word are just as memorable as naively selected passwords, and just as hard to crack as randomly generated passwords.
Combining two or more unrelated words and altering some of the letters to special characters or numbers is another good method,[17] but a single dictionary word is not. Having a personally designed algorithm for generating obscure passwords is another good method.[18]
However, asking users to remember a password consisting of a «mix of uppercase and lowercase characters» is similar to asking them to remember a sequence of bits: hard to remember, and only a little bit harder to crack (e.g. only 128 times harder to crack for 7-letter passwords, less if the user simply capitalises one of the letters). Asking users to use «both letters and digits» will often lead to easy-to-guess substitutions such as ‘E’ → ‘3’ and ‘I’ → ‘1’, substitutions that are well known to attackers. Similarly typing the password one keyboard row higher is a common trick known to attackers.[19]
In 2013, Google released a list of the most common password types, all of which are considered insecure because they are too easy to guess (especially after researching an individual on social media):[20]
- The name of a pet, child, family member, or significant other
- Anniversary dates and birthdays
- Birthplace
- Name of a favorite holiday
- Something related to a favorite sports team
- The word «password»
Alternatives to memorization
Traditional advice to memorize passwords and never write them down has become a challenge because of the sheer number of passwords users of computers and the internet are expected to maintain. One survey concluded that the average user has around 100 passwords.[3] To manage the proliferation of passwords, some users employ the same password for multiple accounts, a dangerous practice since a data breach in one account could compromise the rest. Less risky alternatives include the use of password managers, single sign-on systems and simply keeping paper lists of less critical passwords.[21] Such practices can reduce the number of passwords that must be memorized, such as the password manager’s master password, to a more manageable number.
Factors in the security of a password system
The security of a password-protected system depends on several factors. The overall system must be designed for sound security, with protection against computer viruses, man-in-the-middle attacks and the like. Physical security issues are also a concern, from deterring shoulder surfing to more sophisticated physical threats such as video cameras and keyboard sniffers. Passwords should be chosen so that they are hard for an attacker to guess and hard for an attacker to discover using any of the available automatic attack schemes. See password strength and computer security for more information.[22]
Nowadays, it is a common practice for computer systems to hide passwords as they are typed. The purpose of this measure is to prevent bystanders from reading the password; however, some argue that this practice may lead to mistakes and stress, encouraging users to choose weak passwords. As an alternative, users should have the option to show or hide passwords as they type them.[22]
Effective access control provisions may force extreme measures on criminals seeking to acquire a password or biometric token.[23] Less extreme measures include extortion, rubber hose cryptanalysis, and side channel attack.
Some specific password management issues that must be considered when thinking about, choosing, and handling, a password follow.
Rate at which an attacker can try guessed passwords
The rate at which an attacker can submit guessed passwords to the system is a key factor in determining system security. Some systems impose a time-out of several seconds after a small number (e.g., three) of failed password entry attempts, also known as throttling.[4]: 63B Sec. 5.2.2 In the absence of other vulnerabilities, such systems can be effectively secure with relatively simple passwords if they have been well chosen and are not easily guessed.[24]
Many systems store a cryptographic hash of the password. If an attacker gets access to the file of hashed passwords guessing can be done offline, rapidly testing candidate passwords against the true password’s hash value. In the example of a web-server, an online attacker can guess only at the rate at which the server will respond, while an off-line attacker (who gains access to the file) can guess at a rate limited only by the hardware on which the attack is running.
Passwords that are used to generate cryptographic keys (e.g., for disk encryption or Wi-Fi security) can also be subjected to high rate guessing. Lists of common passwords are widely available and can make password attacks very efficient. (See Password cracking.) Security in such situations depends on using passwords or passphrases of adequate complexity, making such an attack computationally infeasible for the attacker. Some systems, such as PGP and Wi-Fi WPA, apply a computation-intensive hash to the password to slow such attacks. See key stretching.
Limits on the number of password guesses
An alternative to limiting the rate at which an attacker can make guesses on a password is to limit the total number of guesses that can be made. The password can be disabled, requiring a reset, after a small number of consecutive bad guesses (say 5); and the user may be required to change the password after a larger cumulative number of bad guesses (say 30), to prevent an attacker from making an arbitrarily large number of bad guesses by interspersing them between good guesses made by the legitimate password owner.[25] Attackers may conversely use knowledge of this mitigation to implement a denial of service attack against the user by intentionally locking the user out of their own device; this denial of service may open other avenues for the attacker to manipulate the situation to their advantage via social engineering.
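The throttling and guess-limiting policies described in the two sections above, as an added example that is not code from the article. It combines a short delay after a few consecutive failures, a lockout after 5 consecutive failures, and a forced password change after 30 cumulative failures, then simulates the interleaved attack the text describes (the thresholds, account names and passwords are constructed sample values; the account holds its password in plaintext only to keep the example short).

```python
import hmac
from dataclasses import dataclass

# Policy thresholds (constructed sample values matching the article's "say 5" and "say 30").
THROTTLE_AFTER = 3        # consecutive failures before a delay is imposed
THROTTLE_SECONDS = 5.0    # length of that delay
CONSECUTIVE_LIMIT = 5     # consecutive failures that disable the account (reset required)
CUMULATIVE_LIMIT = 30     # total failures since the last change that force a new password


@dataclass
class Account:
    password: str                  # plaintext only in this toy; see the storage section
    consecutive_failures: int = 0  # reset by a correct password
    cumulative_failures: int = 0   # reset only by a password change
    disabled: bool = False
    must_change_password: bool = False
    throttled_until: float = 0.0


def attempt_login(acct: Account, guess: str, now: float) -> str:
    """Apply one login attempt at time `now` (seconds) and return the outcome:
    "ok", "failed", "throttled", "disabled" or "must_change_password"."""
    if acct.disabled:
        return "disabled"
    if now < acct.throttled_until:
        return "throttled"            # the guess is not evaluated at all
    if hmac.compare_digest(acct.password.encode(), guess.encode()):
        acct.consecutive_failures = 0  # a good guess clears the consecutive count only
        return "must_change_password" if acct.must_change_password else "ok"
    acct.consecutive_failures += 1
    acct.cumulative_failures += 1
    if acct.consecutive_failures >= CONSECUTIVE_LIMIT:
        acct.disabled = True
        return "disabled"
    if acct.cumulative_failures >= CUMULATIVE_LIMIT:
        acct.must_change_password = True
    if acct.consecutive_failures >= THROTTLE_AFTER:
        acct.throttled_until = now + THROTTLE_SECONDS
    return "failed"


def change_password(acct: Account, new_password: str) -> None:
    """A password change invalidates every earlier guess, so all counters restart."""
    acct.password = new_password
    acct.consecutive_failures = 0
    acct.cumulative_failures = 0
    acct.disabled = False
    acct.must_change_password = False
    acct.throttled_until = 0.0


def rounds_until_forced_change(acct: Account, bad_guesses_per_round: int = 4) -> int:
    """Simulate the interleaving the article describes: the attacker makes
    `bad_guesses_per_round` wrong guesses (fewer than CONSECUTIVE_LIMIT), then the
    legitimate user logs in and resets the consecutive counter. Attempts are spaced
    10 s apart so throttling never bites. Returns the round in which the user is
    first told to change the password, or -1 if that never happens. Without the
    cumulative counter the lockout alone would never trigger here."""
    now = 0.0
    for rnd in range(1, 1000):
        for _ in range(bad_guesses_per_round):
            now += 10.0
            attempt_login(acct, "not-the-password", now)
        now += 10.0
        if attempt_login(acct, acct.password, now) == "must_change_password":
            return rnd
    return -1


if __name__ == "__main__":
    # 4 bad guesses per round reach 30 cumulative failures during round 8
    print("forced change after round", rounds_until_forced_change(Account("correct horse")))  # 8
```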
Form of stored passwords
Some computer systems store user passwords as plaintext, against which to compare user logon attempts. If an attacker gains access to such an internal password store, all passwords—and so all user accounts—will be compromised. If some users employ the same password for accounts on different systems, those will be compromised as well.
More secure systems store each password in a cryptographically protected form, so access to the actual password will still be difficult for a snooper who gains internal access to the system, while validation of user access attempts remains possible. The most secure don’t store passwords at all, but a one-way derivation, such as a polynomial, modulus, or an advanced hash function.[15] Roger Needham invented the now-common approach of storing only a «hashed» form of the plaintext password.[26][27] When a user types in a password on such a system, the password handling software runs through a cryptographic hash algorithm, and if the hash value generated from the user’s entry matches the hash stored in the password database, the user is permitted access. The hash value is created by applying a cryptographic hash function to a string consisting of the submitted password and, in many implementations, another value known as a salt. A salt prevents attackers from easily building a list of hash values for common passwords and prevents password cracking efforts from scaling across all users.[28] MD5 and SHA1 are frequently used cryptographic hash functions, but they are not recommended for password hashing unless they are used as part of a larger construction such as in PBKDF2.[29]
The stored data—sometimes called the «password verifier» or the «password hash»—is often stored in Modular Crypt Format or RFC 2307 hash format, sometimes in the /etc/passwd file or the /etc/shadow file.[30]
The main storage methods for passwords are plain text, hashed, hashed and salted, and reversibly encrypted.[31] If an attacker gains access to the password file, then if it is stored as plain text, no cracking is necessary. If it is hashed but not salted then it is vulnerable to rainbow table attacks (which are more efficient than cracking). If it is reversibly encrypted then if the attacker gets the decryption key along with the file no cracking is necessary, while if the attacker fails to get the key, cracking is not possible. Thus, of the common storage formats for passwords only when passwords have been salted and hashed is cracking both necessary and possible.[31]
If a cryptographic hash function is well designed, it is computationally infeasible to reverse the function to recover a plaintext password. An attacker can, however, use widely available tools to attempt to guess the passwords. These tools work by hashing possible passwords and comparing the result of each guess to the actual password hashes. If the attacker finds a match, they know that their guess is the actual password for the associated user. Password cracking tools can operate by brute force (i.e. trying every possible combination of characters) or by hashing every word from a list; large lists of possible passwords in many languages are widely available on the Internet.[15] The existence of password cracking tools allows attackers to easily recover poorly chosen passwords. In particular, attackers can quickly recover passwords that are short, dictionary words, simple variations on dictionary words, or that use easily guessable patterns.[32]
A modified version of the DES algorithm was used as the basis for the password hashing algorithm in early Unix systems.[33] The crypt algorithm used a 12-bit salt value so that each user’s hash was unique and iterated the DES algorithm 25 times in order to make the hash function slower, both measures intended to frustrate automated guessing attacks.[33] The user’s password was used as a key to encrypt a fixed value. More recent Unix or Unix-like systems (e.g., Linux or the various BSD systems) use more secure password hashing algorithms such as PBKDF2, bcrypt, and scrypt, which have large salts and an adjustable cost or number of iterations.[34]
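Salted, iterated password storage as described above, as an added example that is not code from the article. It packs a verifier into a Modular-Crypt-Format style string (the "$pbkdf2-sha256$<iterations>$<salt>$<hash>" field layout is assumed for illustration, not a registered scheme), verifies a login against it in constant time, and contrasts it with an unsalted SHA1 store to show why per-user salts stop one cracked value from covering every user who chose the same password (sample passwords are constructed).

```python
import base64
import hashlib
import hmac
import secrets
from typing import Callable, Optional

ALGORITHM = "pbkdf2-sha256"
ITERATIONS = 600_000   # cost parameter: raise it as hardware gets faster
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def make_verifier(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive the stored form: a fresh random salt plus an iterated hash, packed as
    "$pbkdf2-sha256$<iterations>$<salt>$<hash>" (field layout assumed for illustration)."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"${ALGORITHM}${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, verifier: str) -> bool:
    """Recompute the hash with the salt and cost stored in the verifier and compare
    in constant time. Malformed or foreign verifiers fail closed."""
    try:
        _, algorithm, iterations, salt_b64, digest_b64 = verifier.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        cost = int(iterations)
    except ValueError:          # wrong field count, bad base64 or non-numeric cost
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, cost)
    return hmac.compare_digest(candidate, expected)


def unsalted_sha1(password: str) -> str:
    """The weak storage form the article warns about: no salt, one fast iteration."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def distinct_verifiers(passwords: list, hash_fn: Callable[[str], str]) -> int:
    """Number of distinct stored values for a list of users' passwords. With an
    unsalted hash, users who share a password share a verifier, so one cracked
    entry (or one precomputed table) covers all of them; with per-user salts every
    entry is distinct and has to be attacked on its own."""
    return len({hash_fn(p) for p in passwords})


if __name__ == "__main__":
    # Constructed sample user passwords; three of four users picked the same one.
    sample = ["password", "password", "123456", "password"]
    print("unsalted SHA1 distinct values:", distinct_verifiers(sample, unsalted_sha1))
    print("salted PBKDF2 distinct values:", distinct_verifiers(sample, make_verifier))
```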
A poorly designed hash function can make attacks feasible even if a strong password is chosen. See LM hash for a widely deployed and insecure example.[35]
Methods of verifying a password over a network
Simple transmission of the password
Passwords are vulnerable to interception (i.e., «snooping») while being transmitted to the authenticating machine or person. If the password is carried as electrical signals on unsecured physical wiring between the user access point and the central system controlling the password database, it is subject to snooping by wiretapping methods. If it is carried as packeted data over the Internet, anyone able to watch the packets containing the logon information can snoop with a very low probability of detection.
Email is sometimes used to distribute passwords but this is generally an insecure method. Since most email is sent as plaintext, a message containing a password is readable without effort during transport by any eavesdropper. Further, the message will be stored as plaintext on at least two computers: the sender’s and the recipient’s. If it passes through intermediate systems during its travels, it will probably be stored there as well, at least for some time, and may be copied to backup, cache or history files on any of these systems.
Using client-side encryption will only protect transmission from the mail handling system server to the client machine. Previous or subsequent relays of the email will not be protected and the email will probably be stored on multiple computers, certainly on the originating and receiving computers, most often in clear text.
Transmission through encrypted channels
The risk of interception of passwords sent over the Internet can be reduced by, among other approaches, using cryptographic protection. The most widely used is the Transport Layer Security (TLS, previously called SSL) feature built into most current Internet browsers. Most browsers alert the user of a TLS/SSL-protected exchange with a server by displaying a closed lock icon, or some other sign, when TLS is in use. There are several other techniques in use; see cryptography.
Hash-based challenge–response methods
Unfortunately, there is a conflict between stored hashed-passwords and hash-based challenge–response authentication; the latter requires a client to prove to a server that they know what the shared secret (i.e., password) is, and to do this, the server must be able to obtain the shared secret from its stored form. On many systems (including Unix-type systems) doing remote authentication, the shared secret usually becomes the hashed form and has the serious limitation of exposing passwords to offline guessing attacks. In addition, when the hash is used as a shared secret, an attacker does not need the original password to authenticate remotely; they only need the hash.
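The conflict described above, as an added example that is not code from the article: a generic nonce/HMAC challenge–response (an illustration, not any particular standard) in which the server's stored form H(password) is the key on both sides, so the verifier database must be protected exactly as if it held the passwords themselves. User names and passwords are constructed sample values.

```python
import hashlib
import hmac
import secrets
from typing import Dict


def stored_secret(password: str) -> bytes:
    """The server's stored form: an unsalted hash of the password, which in this
    scheme doubles as the shared secret the protocol is keyed with."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def server_challenge() -> bytes:
    """Fresh random nonce so a captured response cannot simply be replayed."""
    return secrets.token_bytes(16)


def client_response(shared_secret: bytes, nonce: bytes) -> bytes:
    """Client side: an HMAC over the nonce proves possession of the shared secret
    without putting the secret itself on the wire."""
    return hmac.new(shared_secret, nonce, hashlib.sha256).digest()


def server_verify(db: Dict[str, bytes], user: str, nonce: bytes, response: bytes) -> bool:
    """Server side: recompute the expected response from the stored form. This is
    the conflict: the server can only do so because it holds the key material
    directly, rather than a one-way derivation it cannot use."""
    secret = db.get(user)
    if secret is None:
        return False
    expected = hmac.new(secret, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def run_exchange(db: Dict[str, bytes], user: str, client_secret: bytes) -> bool:
    """One complete round trip: server issues a nonce, client answers, server checks."""
    nonce = server_challenge()
    return server_verify(db, user, nonce, client_response(client_secret, nonce))


def stored_form_is_password_equivalent(db: Dict[str, bytes], user: str) -> bool:
    """Defender's check of the limitation the article names: a party holding only
    the server's stored value passes verification, which is why a leaked verifier
    store is as serious as a leaked plaintext store for this kind of protocol."""
    return run_exchange(db, user, db[user])


if __name__ == "__main__":
    # Constructed sample account database for the demonstration.
    db = {"alice": stored_secret("constructed-sample-password")}
    print("client with password:", run_exchange(db, "alice", stored_secret("constructed-sample-password")))
    print("client with wrong password:", run_exchange(db, "alice", stored_secret("wrong-password")))
    print("stored form alone suffices:", stored_form_is_password_equivalent(db, "alice"))
```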
Zero-knowledge password proofs
Rather than transmitting a password, or transmitting the hash of the password, password-authenticated key agreement systems can perform a zero-knowledge password proof, which proves knowledge of the password without exposing it.
Moving a step further, augmented systems for password-authenticated key agreement (e.g., AMP, B-SPEKE, PAK-Z, SRP-6) avoid both the conflict and limitation of hash-based methods. An augmented system allows a client to prove knowledge of the password to a server, where the server knows only a (not exactly) hashed password, and where the un-hashed password is required to gain access.
Procedures for changing passwords
Usually, a system must provide a way to change a password, either because a user believes the current password has been (or might have been) compromised, or as a precautionary measure. If a new password is passed to the system in unencrypted form, security can be lost (e.g., via wiretapping) before the new password can even be installed in the password database and if the new password is given to a compromised employee, little is gained. Some websites include the user-selected password in an unencrypted confirmation e-mail message, with the obvious increased vulnerability.
Identity management systems are increasingly used to automate the issuance of replacements for lost passwords, a feature called self-service password reset. The user’s identity is verified by asking questions and comparing the answers to ones previously stored (i.e., when the account was opened).
Some password reset questions ask for personal information that could be found on social media, such as mother’s maiden name. As a result, some security experts recommend either making up one’s own questions or giving false answers.[36]
Password longevity
«Password aging» is a feature of some operating systems which forces users to change passwords frequently (e.g., quarterly, monthly or even more often). Such policies usually provoke user protest and foot-dragging at best and hostility at worst. There is often an increase in the number of people who note down the password and leave it where it can easily be found, as well as help desk calls to reset a forgotten password. Users may use simpler passwords or develop variation patterns on a consistent theme to keep their passwords memorable.[37] Because of these issues, there is some debate as to whether password aging is effective.[38] Changing a password will not prevent abuse in most cases, since the abuse would often be immediately noticeable. However, if someone may have had access to the password through some means, such as sharing a computer or breaching a different site, changing the password limits the window for abuse.[39]
Number of users per password
Allotting separate passwords to each user of a system is preferable to having a single password shared by legitimate users of the system, certainly from a security viewpoint. This is partly because users are more willing to tell another person (who may not be authorized) a shared password than one exclusively for their use. Single passwords are also much less convenient to change because many people need to be told at the same time, and they make removal of a particular user’s access more difficult, as for instance on graduation or resignation. Separate logins are also often used for accountability, for example to know who changed a piece of data.
Password security architecture
Common techniques used to improve the security of computer systems protected by a password include:
- Not displaying the password on the display screen as it is being entered or obscuring it as it is typed by using asterisks (*) or bullets (•).
- Allowing passwords of adequate length. (Some legacy operating systems, including early versions of Unix and Windows, limited passwords to an 8 character maximum,[40][41][42] reducing security.)
- Requiring users to re-enter their password after a period of inactivity (a semi log-off policy).
- Enforcing a password policy to increase password strength and security.
- Assigning randomly chosen passwords.
- Requiring minimum password lengths.[29]
- Some systems require characters from various character classes in a password—for example, «must have at least one uppercase and at least one lowercase letter». However, all-lowercase passwords are more secure per keystroke than mixed capitalization passwords.[43]
- Employing a password blacklist to block the use of weak, easily guessed passwords.
- Providing an alternative to keyboard entry (e.g., spoken passwords, or biometric identifiers).
- Requiring more than one authentication system, such as two-factor authentication (something a user has and something the user knows).
- Using encrypted tunnels or password-authenticated key agreement to prevent access to transmitted passwords via network attacks.
- Limiting the number of allowed failures within a given time period (to prevent repeated password guessing). After the limit is reached, further attempts will fail (including correct password attempts) until the beginning of the next time period. However, this is vulnerable to a form of denial of service attack.
- Introducing a delay between password submission attempts to slow down automated password guessing programs.
Some of the more stringent policy enforcement measures can pose a risk of alienating users, possibly decreasing security as a result.
Password reuse
It is common practice amongst computer users to reuse the same password on multiple sites. This presents a substantial security risk, because an attacker needs to only compromise a single site in order to gain access to other sites the victim uses. This problem is exacerbated by also reusing usernames, and by websites requiring email logins, as it makes it easier for an attacker to track a single user across multiple sites. Password reuse can be avoided or minimized by using mnemonic techniques, writing passwords down on paper, or using a password manager.[44]
It has been argued by Redmond researchers Dinei Florencio and Cormac Herley, together with Paul C. van Oorschot of Carleton University, Canada, that password reuse is inevitable, and that users should reuse passwords for low-security websites (which contain little personal data and no financial information, for example) and instead focus their efforts on remembering long, complex passwords for a few important accounts, such as bank accounts.[45] Forbes made a similar argument for not changing passwords as often as many «experts» advise, due to the same limitations in human memory.[37]
Writing down passwords on paper
Historically, many security experts asked people to memorize their passwords: «Never write down a password». More recently, many security experts such as Bruce Schneier recommend that people use passwords that are too complicated to memorize, write them down on paper, and keep them in a wallet.[46][47][48][49][50][51][52]
Password manager software can also store passwords relatively safely, in an encrypted file sealed with a single master password.
After death
According to a survey by the University of London, one in ten people are now leaving their passwords in their wills to pass on this important information when they die. One-third of people, according to the poll, agree that their password-protected data is important enough to pass on in their will.[53]
Multi-factor authentication
Multi-factor authentication schemes combine passwords (as «knowledge factors») with one or more other means of authentication, to make authentication more secure and less vulnerable to compromised passwords. For example, a simple two-factor login might send a text message, e-mail, automated phone call, or similar alert whenever a login attempt is made, possibly supplying a code that must be entered in addition to a password.[54] More sophisticated factors include such things as hardware tokens and biometric security.
Password rules
Most organizations specify a password policy that sets requirements for the composition and usage of passwords, typically dictating minimum length, required categories (e.g., upper and lower case, numbers, and special characters), prohibited elements (e.g., use of one’s own name, date of birth, address, telephone number). Some governments have national authentication frameworks[55] that define requirements for user authentication to government services, including requirements for passwords.
Many websites enforce standard rules such as minimum and maximum length, but also frequently include composition rules such as featuring at least one capital letter and at least one number/symbol. These latter, more specific rules were largely based on a 2003 report by the National Institute of Standards and Technology (NIST), authored by Bill Burr.[56] It originally proposed the practice of using numbers, obscure characters and capital letters and updating regularly. In a 2017 Wall Street Journal article, Burr reported he regrets these proposals and made a mistake when he recommended them.[57]
According to a 2017 rewrite of this NIST report, many websites have rules that actually have the opposite effect on the security of their users. This includes complex composition rules as well as forced password changes after certain periods of time. While these rules have long been widespread, they have also long been seen as annoying and ineffective by both users and cyber-security experts.[58] The NIST recommends people use longer phrases as passwords (and advises websites to raise the maximum password length) instead of hard-to-remember passwords with «illusory complexity» such as «pA55w+rd».[59] A user prevented from using the password «password» may simply choose «Password1» if required to include a number and uppercase letter. Combined with forced periodic password changes, this can lead to passwords that are difficult to remember but easy to crack.[56]
Paul Grassi, one of the 2017 NIST report’s authors, further elaborated: «Everyone knows that an exclamation point is a 1, or an I, or the last character of a password. $ is an S or a 5. If we use these well-known tricks, we aren’t fooling any adversary. We are simply fooling the database that stores passwords into thinking the user did something good.»[58]
Pieris Tsokkis and Eliana Stavrou were able to identify some bad password construction strategies through their research and development of a password generator tool. They came up with eight categories of password construction strategies based on exposed password lists, password cracking tools, and online reports citing the most used passwords. These categories include user-related information, keyboard combinations and patterns, placement strategy, word processing, substitution, capitalization, append dates, and a combination of the previous categories.[60]
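An added example, written for this article and not taken from NIST or from the original page, of a validator that follows the SP 800-63B approach the paragraphs above describe: a length minimum with a generous maximum, no composition rules, a blocklist comparison made after undoing the familiar substitutions Grassi mentions, and checks for the keyboard-pattern and context-specific strategies in the Tsokkis and Stavrou categories. The blocklist, the substitution table and the limits are constructed for the example; a deployment would load a breach-corpus list of millions of entries.

```python
import itertools
import re
import unicodedata

MIN_LENGTH = 8            # NIST SP 800-63B minimum for user-chosen secrets
MAX_LENGTH = 128          # assumed site limit; NIST asks that at least 64 be allowed

# Constructed blocklist; a real deployment loads a breach-corpus list.
BLOCKLIST = {"password", "passw0rd", "123456", "12345678", "qwerty", "letmein",
             "welcome", "iloveyou", "admin", "football", "monkey", "dragon"}

# Common substitutions, undone before the blocklist lookup; a symbol may stand for several letters.
LEET = {"@": "a", "4": "a", "8": "b", "(": "c", "3": "e", "6": "g", "1": "il", "!": "il",
        "|": "il", "0": "o", "$": "s", "5": "s", "7": "t", "+": "t", "2": "z"}

KEYBOARD_WALKS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                  "abcdefghijklmnopqrstuvwxyz"]
MAX_EXPANSIONS = 512      # bound on substitution readings so a string of '1's cannot blow up


def core(pw):
    """Case-fold, NFKC-normalize, and strip leading/trailing digits and symbols ('Password1' -> 'password')."""
    s = unicodedata.normalize("NFKC", pw).casefold()
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def unleet_variants(s):
    """Every reading of s with substitution symbols mapped back to letters, capped in size."""
    choices = [LEET.get(ch, ch) for ch in s]
    out = set()
    for combo in itertools.product(*choices):      # lazy, so the cap below is effective
        out.add("".join(combo))
        if len(out) >= MAX_EXPANSIONS:
            break
    return out


def is_keyboard_walk(s):
    if len(s) < 4:
        return False
    return any(s in row or s in row[::-1] for row in KEYBOARD_WALKS)


def check_password(pw, username="", service=""):
    """Returns (accepted, reason). Length, blocklist and context checks only; no composition rules."""
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(pw) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    folded = unicodedata.normalize("NFKC", pw).casefold()
    stripped = core(folded)
    candidates = {folded, stripped} | unleet_variants(stripped)
    for c in candidates:
        if c in BLOCKLIST:
            return False, f"matches blocklisted value '{c}' after normalization"
    for ctx in (username, service):                # user-related information category
        if ctx and len(ctx) >= 3 and ctx.casefold() in folded:
            return False, f"contains the context-specific string '{ctx}'"
    if len(set(folded)) == 1:
        return False, "single repeated character"
    if is_keyboard_walk(stripped) or is_keyboard_walk(folded):
        return False, "keyboard or alphabet sequence"
    return True, "ok"


if __name__ == "__main__":
    for sample in ["Password1", "P@55w0rd!", "correct horse battery staple", "qwertyuiop1"]:
        print(sample, check_password(sample, username="alice"))
```

Note what the validator does not do: it never demands an upper-case letter, a digit or a symbol, so «Password1» and «P@55w0rd!» are rejected while the long lower-case passphrase passes. That is the reversal of the 2003-era rules the text describes.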
Password cracking
Attempting to crack passwords by trying as many possibilities as time and money permit is a brute force attack. A related method, rather more efficient in most cases, is a dictionary attack. In a dictionary attack, all words in one or more dictionaries are tested. Lists of common passwords are also typically tested.
Password strength is the likelihood that a password cannot be guessed or discovered, and varies with the attack algorithm used. Cryptologists and computer scientists often refer to the strength or ‘hardness’ in terms of entropy.[15]
Passwords easily discovered are termed weak or vulnerable; passwords very difficult or impossible to discover are considered strong. There are several programs available for password attack (or even auditing and recovery by systems personnel) such as L0phtCrack, John the Ripper, and Cain; some of which use password design vulnerabilities (as found in the Microsoft LANManager system) to increase efficiency. These programs are sometimes used by system administrators to detect weak passwords proposed by users.
Studies of production computer systems have consistently shown that a large fraction of all user-chosen passwords are readily guessed automatically. For example, Columbia University found 22% of user passwords could be recovered with little effort.[61] According to Bruce Schneier, examining data from a 2006 phishing attack, 55% of MySpace passwords would be crackable in 8 hours using a commercially available Password Recovery Toolkit capable of testing 200,000 passwords per second in 2006.[62] He also reported that the single most common password was password1, confirming yet again the general lack of informed care in choosing passwords among users. (He nevertheless maintained, based on these data, that the general quality of passwords has improved over the years—for example, average length was up to eight characters from under seven in previous surveys, and less than 4% were dictionary words.[63])
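The brute-force and dictionary methods above, as an added example that is not from the original article: a miniature cracker that derives candidates from a word list with a few mangling rules (capitalization, substitutions, appended digits and years), first against unsalted SHA-1 hashes and then against a salted, iterated store. The word list, the rules and the three sample users are constructed for the example; the guess counts it returns show why the storage format matters as much as the guessing rate.

```python
import hashlib
import os

# Constructed word list and mangling rules; real attacks use breach corpora and large rule sets.
WORDLIST = ["password", "letmein", "dragon", "summer", "welcome", "monkey"]
SUFFIXES = ["1", "!", "123", "1!"] + [str(year) for year in range(2000, 2025)]
LEET = str.maketrans("aoei", "@031")


def mangle(word):
    """Yield the candidates a tiny 'rules engine' derives from one dictionary word."""
    for base in (word, word.capitalize(), word.upper(), word.translate(LEET)):
        yield base
        for suffix in SUFFIXES:
            yield base + suffix


def candidates():
    for word in WORDLIST:
        yield from mangle(word)


def sha1_hex(s):
    return hashlib.sha1(s.encode("utf-8")).hexdigest()


def crack_unsalted(targets):
    """targets: {user: sha1_hex}. Without salts, one hash per candidate is compared against every user at once."""
    by_hash = {}
    for user, digest in targets.items():
        by_hash.setdefault(digest, []).append(user)
    found, guesses = {}, 0
    for cand in candidates():
        guesses += 1
        for user in by_hash.pop(sha1_hex(cand), []):
            found[user] = cand
        if not by_hash:
            break
    return found, guesses


def slow_salted_hex(password, salt, iterations):
    """Salted, iterated hash of the kind a password store should use (PBKDF2 here; scrypt or Argon2 in practice)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def crack_salted(targets, iterations):
    """targets: {user: (salt, hex)}. Every candidate has to be hashed again for each user, and slowly."""
    found, guesses = {}, 0
    for user, (salt, digest) in targets.items():
        for cand in candidates():
            guesses += 1
            if slow_salted_hex(cand, salt, iterations) == digest:
                found[user] = cand
                break
    return found, guesses


def demo():
    """Constructed user set: two guessable passwords and one random one that no rule produces."""
    users = {"alice": "Summer2019", "bob": "letmein!", "carol": "xq9#Lr2!vT"}
    unsalted = {u: sha1_hex(p) for u, p in users.items()}
    found_u, guesses_u = crack_unsalted(unsalted)

    iterations = 1000   # kept small so the example runs quickly; production uses far more
    salted = {}
    for u, p in users.items():
        salt = os.urandom(16)
        salted[u] = (salt, slow_salted_hex(p, salt, iterations))
    found_s, guesses_s = crack_salted(salted, iterations)
    return found_u, guesses_u, found_s, guesses_s


if __name__ == "__main__":
    print(demo())
```

Against the unsalted store the whole 720-candidate run costs 720 SHA-1 computations regardless of how many users are in the dump, which is why the 200,000-guesses-per-second figure above translated directly into cracked MySpace accounts. Against the salted store every user costs a full pass on their own, and each guess costs a thousand HMAC invocations instead of one.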
Incidents
- On July 16, 1998, CERT reported an incident where an attacker had found 186,126 encrypted passwords. At the time the attacker was discovered, 47,642 passwords had already been cracked.[64]
- In September 2001, after the deaths of 658 of their 960 New York employees in the September 11 attacks, financial services firm Cantor Fitzgerald through Microsoft broke the passwords of deceased employees to gain access to files needed for servicing client accounts.[65] Technicians used brute-force attacks, and interviewers contacted families to gather personalized information that might reduce the search time for weaker passwords.[65]
- In December 2009, a major password breach of the Rockyou.com website occurred that led to the release of 32 million passwords. The hacker then leaked the full list of the 32 million passwords (with no other identifiable information) to the Internet. Passwords were stored in cleartext in the database and were extracted through a SQL injection vulnerability. The Imperva Application Defense Center (ADC) did an analysis on the strength of the passwords.[66]
- In June 2011, NATO (North Atlantic Treaty Organization) experienced a security breach that led to the public release of first and last names, usernames, and passwords for more than 11,000 registered users of their e-bookshop. The data was leaked as part of Operation AntiSec, a movement that includes Anonymous, LulzSec, as well as other hacking groups and individuals. The aim of AntiSec is to expose personal, sensitive, and restricted information to the world, using any means necessary.[67]
- On July 11, 2011, Booz Allen Hamilton, a consulting firm that does work for the Pentagon, had their servers hacked by Anonymous and leaked the same day. «The leak, dubbed ‘Military Meltdown Monday,’ includes 90,000 logins of military personnel—including personnel from USCENTCOM, SOCOM, the Marine corps, various Air Force facilities, Homeland Security, State Department staff, and what looks like private sector contractors.»[68] The leaked passwords had been hashed with SHA-1; they were later cracked and analyzed by the ADC team at Imperva, revealing that even military personnel look for shortcuts and ways around the password requirements.[69]
Alternatives to passwords for authentication
The numerous ways in which permanent or semi-permanent passwords can be compromised has prompted the development of other techniques. Unfortunately, some are inadequate in practice, and in any case few have become universally available for users seeking a more secure alternative.[70] A 2012 paper[71] examines why passwords have proved so hard to supplant (despite numerous predictions that they would soon be a thing of the past[72]); in examining thirty representative proposed replacements with respect to security, usability and deployability they conclude «none even retains the full set of benefits that legacy passwords already provide.»
- Single-use passwords. Having passwords that are only valid once makes many potential attacks ineffective. Most users find single-use passwords extremely inconvenient. They have, however, been widely implemented in personal online banking, where they are known as Transaction Authentication Numbers (TANs). As most home users only perform a small number of transactions each week, the single-use issue has not led to intolerable customer dissatisfaction in this case.
- Time-synchronized one-time passwords are similar in some ways to single-use passwords, but the value to be entered is displayed on a small (generally pocketable) item and changes every minute or so.
- PassWindow one-time passwords are used as single-use passwords, but the dynamic characters to be entered are visible only when a user superimposes a unique printed visual key over a server-generated challenge image shown on the user’s screen.
- Access controls based on public-key cryptography, e.g., SSH. The necessary keys are usually too large to memorize (but see proposal Passmaze)[73] and must be stored on a local computer, security token or portable memory device, such as a USB flash drive or even floppy disk. The private key may be stored on a cloud service provider, and activated by the use of a password or two-factor authentication.
- Biometric methods promise authentication based on unalterable personal characteristics, but currently (2008) have high error rates and require additional hardware to scan,[needs update] for example, fingerprints, irises, etc. They have proven easy to spoof in some famous incidents testing commercially available systems, for example, the gummy fingerprint spoof demonstration,[74] and, because these characteristics are unalterable, they cannot be changed if compromised; this is a highly important consideration in access control as a compromised access token is necessarily insecure.
- Single sign-on technology is claimed to eliminate the need for having multiple passwords. Such schemes do not relieve users and administrators from choosing reasonable single passwords, nor system designers or administrators from ensuring that private access control information passed among systems enabling single sign-on is secure against attack. As yet, no satisfactory standard has been developed.
- Envaulting technology is a password-free way to secure data on removable storage devices such as USB flash drives. Instead of user passwords, access control is based on the user’s access to a network resource.
- Non-text-based passwords, such as graphical passwords or mouse-movement based passwords.[75] Graphical passwords are an alternative means of authentication for log-in intended to be used in place of conventional password; they use images, graphics or colours instead of letters, digits or special characters. One system requires users to select a series of faces as a password, utilizing the human brain’s ability to recall faces easily.[76] In some implementations the user is required to pick from a series of images in the correct sequence in order to gain access.[77] Another graphical password solution creates a one-time password using a randomly generated grid of images. Each time the user is required to authenticate, they look for the images that fit their pre-chosen categories and enter the randomly generated alphanumeric character that appears in the image to form the one-time password.[78][79] So far, graphical passwords are promising, but are not widely used. Studies on this subject have been made to determine its usability in the real world. While some believe that graphical passwords would be harder to crack, others suggest that people will be just as likely to pick common images or sequences as they are to pick common passwords.[citation needed]
- 2D Key (2-Dimensional Key)[80] is a 2D matrix-like key input method having the key styles of multiline passphrase, crossword, ASCII/Unicode art, with optional textual semantic noises, to create big password/key beyond 128 bits to realize the MePKC (Memorizable Public-Key Cryptography)[81] using fully memorizable private key upon the current private key management technologies like encrypted private key, split private key, and roaming private key.
- Cognitive passwords use question and answer cue/response pairs to verify identity.
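The time-synchronized one-time passwords in the list above, and the code-in-addition-to-a-password second factor described under Multi-factor authentication, are in practice almost always TOTP (RFC 6238) layered on HOTP (RFC 4226). The following is an added example, not code from the original article: a standard-library implementation of both, with a verifier that tolerates one step of clock skew in either direction and refuses to accept a counter value twice, so a code captured from a phishing page cannot be replayed after the victim has used it. The `used_counters` bookkeeping and the base32 helper are this example's own assumptions; the test vectors are the RFCs'.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226 HMAC-based one-time password for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238: HOTP over the number of `step`-second intervals since the Unix epoch."""
    t = int(time.time() if for_time is None else for_time)
    return hotp(secret, t // step, digits)


def verify_totp(secret, code, for_time=None, step=30, window=1, used_counters=None):
    """Accept the code for the current step or its +/- `window` neighbours (clock skew).

    `used_counters` (a set owned by the caller, assumed here) records accepted counters so the
    same code is never accepted twice; this is what turns a sniffed code into a dead one.
    """
    t = int(time.time() if for_time is None else for_time)
    current = t // step
    for offset in range(-window, window + 1):
        counter = current + offset
        if hmac.compare_digest(hotp(secret, counter), code):   # constant-time comparison
            if used_counters is not None:
                if counter in used_counters:
                    return False                               # replay of an already-used code
                used_counters.add(counter)
            return True
    return False


def secret_from_base32(encoded):
    """Decode the base32 secret authenticator apps are provisioned with (padding is often omitted)."""
    s = encoded.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


if __name__ == "__main__":
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")   # RFC test secret "12345678901234567890"
    print("current code:", totp(secret))
```

Two design points a practitioner would check in any real verifier: the comparison is constant-time, and the skew window is small (one step here), because every extra step of tolerance multiplies the chance that a blind six-digit guess lands on a valid code.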
«The password is dead»
«The password is dead» is a recurring idea in computer security. The reasons given often include reference to the usability as well as security problems of passwords. It often accompanies arguments that the replacement of passwords by a more secure means of authentication is both necessary and imminent. This claim has been made by numerous people at least since 2004.[72][82][83][84][85][86][87][88]
Alternatives to passwords include biometrics, two-factor authentication or single sign-on, Microsoft’s Cardspace, the Higgins project, the Liberty Alliance, NSTIC, the FIDO Alliance and various Identity 2.0 proposals.[89][90]
However, in spite of these predictions and efforts to replace them passwords are still the dominant form of authentication on the web. In «The Persistence of Passwords,» Cormac Herley and Paul van Oorschot suggest that every effort should be made to end the «spectacularly incorrect assumption» that passwords are dead.[91]
They argue that «no other single technology matches their combination of cost, immediacy and convenience» and that «passwords are themselves the best fit for many of the scenarios in which they are currently used.»
Following this, Bonneau et al. systematically compared web passwords to 35 competing authentication schemes in terms of their usability, deployability, and security.[92][93] Their analysis shows that most schemes do better than passwords on security, some schemes do better and some worse with respect to usability, while every scheme does worse than passwords on deployability. The authors conclude with the following observation: «Marginal gains are often not sufficient to reach the activation energy necessary to overcome significant transition costs, which may provide the best explanation of why we are likely to live considerably longer before seeing the funeral procession for passwords arrive at the cemetery.»
See also
- Access code (disambiguation)
- Authentication
- CAPTCHA
- Cognitive science
- Combination lock
- Diceware
- Electronic lock
- Kerberos (protocol)
- Keyfile
- Passphrase
- Password cracking
- Password fatigue
- Password length parameter
- Password manager
- Password notification e-mail
- Password policy
- Password psychology
- Password strength
- Password synchronization
- Password-authenticated key agreement
- Personal identification number
- Pre-shared key
- Rainbow table
- Random password generator
- Secure Password Sharing
- Self-service password reset
- Shibboleth
- Usability of web authentication systems
References
- ^ a b «passcode». YourDictionary. Retrieved 17 May 2019.
- ^ Ranjan, Pratik; Om, Hari (2016-05-06). «An Efficient Remote User Password Authentication Scheme based on Rabin’s Cryptosystem». Wireless Personal Communications. 90 (1): 217–244. doi:10.1007/s11277-016-3342-5. ISSN 0929-6212. S2CID 21912076.
- ^ a b Williams, Shannon (21 Oct 2020). «Average person has 100 passwords — study». NordPass. Retrieved April 28, 2021.
- ^ a b Grassi, Paul A.; Garcia, Michael E.; Fenton, James L. (June 2017). «NIST Special Publication 800-63-3: Digital Identity Guidelines». National Institute of Standards and Technology (NIST). doi:10.6028/NIST.SP.800-63-3. Retrieved 17 May 2019.
- ^ «authentication protocol». Computer Security Resource Center (NIST). Archived from the original on 17 May 2019. Retrieved 17 May 2019.
- ^ «Passphrase». Computer Security Resource Center (NIST). Retrieved 17 May 2019.
- ^ Polybius on the Roman Military Archived 2008-02-07 at the Wayback Machine. Ancienthistory.about.com (2012-04-13). Retrieved on 2012-05-20.
- ^ Mark Bando (2007). 101st Airborne: The Screaming Eagles in World War II. Mbi Publishing Company. ISBN 978-0-7603-2984-9. Archived from the original on 2 June 2013. Retrieved 20 May 2012.
- ^ McMillan, Robert (27 January 2012). «The World’s First Computer Password? It Was Useless Too». Wired magazine. Retrieved 22 March 2019.
- ^ Hunt, Troy (26 July 2017). «Passwords Evolved: Authentication Guidance for the Modern Era». Retrieved 22 March 2019.
- ^ CTSS Programmers Guide, 2nd Ed., MIT Press, 1965
- ^ Morris, Robert; Thompson, Ken (1978-04-03). «Password Security: A Case History». Bell Laboratories. CiteSeerX 10.1.1.128.1635.
- ^ Vance, Ashlee (2010-01-10). «If Your Password Is 123456, Just Make It HackMe». The New York Times. Archived from the original on 2017-02-11.
- ^ «Managing Network Security». Fred Cohen and Associates. All.net. Archived from the original on March 2, 2008. Retrieved 2009-03-31.
- ^ a b c d Lundin, Leigh (2013-08-11). «PINs and Passwords, Part 2». Passwords. Orlando: SleuthSayers.
- ^ The Memorability and Security of Passwords Archived 2012-04-14 at the Wayback Machine (pdf). ncl.ac.uk. Retrieved on 2012-05-20.
- ^ Michael E. Whitman; Herbert J. Mattord (2014). Principles of Information Security. Cengage Learning. p. 162. ISBN 978-1-305-17673-7.
- ^ «How to Create a Random Password Generator». PCMAG. Retrieved 2021-09-05.
- ^ Lewis, Dave (2011). Ctrl-Alt-Delete. p. 17. ISBN 978-1471019111. Retrieved 10 July 2015.
- ^ Techlicious / Fox Van Allen @techlicious (2013-08-08). «Google Reveals the 10 Worst Password Ideas | TIME.com». Techland.time.com. Archived from the original on 2013-10-22. Retrieved 2013-10-16.
- ^ Fleishman, Glenn (November 24, 2015). «Write your passwords down to improve safety — A counter-intuitive notion leaves you less vulnerable to remote attack, not more». MacWorld. Retrieved April 28, 2021.
- ^ a b Lyquix Blog: Do We Need to Hide Passwords? Archived 2012-04-25 at the Wayback Machine. Lyquix.com. Retrieved on 2012-05-20.
- ^ Jonathan Kent Malaysia car thieves steal finger Archived 2010-11-20 at the Wayback Machine. BBC (2005-03-31)
- ^ Stuart Brown «Top ten passwords used in the United Kingdom». Archived from the original on November 8, 2006. Retrieved 2007-08-14.. Modernlifeisrubbish.co.uk (2006-05-26). Retrieved on 2012-05-20.
- ^ US patent 8046827
- ^ Wilkes, M. V. Time-Sharing Computer Systems. American Elsevier, New York, (1968).
- ^ Schofield, Jack (10 March 2003). «Roger Needham». The Guardian.
- ^ The Bug Charmer: Passwords Matter Archived 2013-11-02 at the Wayback Machine. Bugcharmer.blogspot.com (2012-06-20). Retrieved on 2013-07-30.
- ^ a b Alexander, Steven. (2012-06-20) The Bug Charmer: How long should passwords be? Archived 2012-09-20 at the Wayback Machine. Bugcharmer.blogspot.com. Retrieved on 2013-07-30.
- ^ «passlib.hash — Password Hashing Schemes» Archived 2013-07-21 at the Wayback Machine.
- ^ a b Florencio et al., An Administrator’s Guide to Internet Password Research Archived 2015-02-14 at the Wayback Machine. (pdf) Retrieved on 2015-03-14.
- ^ Cracking Story – How I Cracked Over 122 Million SHA1 and MD5 Hashed Passwords « Thireus’ Bl0g Archived 2012-08-30 at the Wayback Machine. Blog.thireus.com (2012-08-29). Retrieved on 2013-07-30.
- ^ a b Morris, Robert & Thompson, Ken (1979). «Password Security: A Case History». Communications of the ACM. 22 (11): 594–597. CiteSeerX 10.1.1.135.2097. doi:10.1145/359168.359172. S2CID 207656012. Archived from the original on 2003-03-22.
- ^ Password Protection for Modern Operating Systems Archived 2016-03-11 at the Wayback Machine (pdf). Usenix.org. Retrieved on 2012-05-20.
- ^ How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases Archived 2006-05-09 at the Wayback Machine. support.microsoft.com (2007-12-03). Retrieved on 2012-05-20.
- ^ «Why You Should Lie When Setting Up Password Security Questions». Techlicious. 2013-03-08. Archived from the original on 2013-10-23. Retrieved 2013-10-16.
- ^ a b Joseph Steinberg (12 November 2014). «Forbes: Why You Should Ignore Everything You Have Been Told About Choosing Passwords». Forbes. Archived from the original on 12 November 2014. Retrieved 12 November 2014.
- ^ «The problems with forcing regular password expiry». IA Matters. CESG: the Information Security Arm of GCHQ. 15 April 2016. Archived from the original on 17 August 2016. Retrieved 5 Aug 2016.
- ^ Schneier on Security discussion on changing passwords Archived 2010-12-30 at the Wayback Machine. Schneier.com. Retrieved on 2012-05-20.
- ^ Seltzer, Larry. (2010-02-09) «American Express: Strong Credit, Weak Passwords» Archived 2017-07-12 at the Wayback Machine. Pcmag.com. Retrieved on 2012-05-20.
- ^ «Ten Windows Password Myths» Archived 2016-01-28 at the Wayback Machine: «NT dialog boxes … limited passwords to a maximum of 14 characters»
- ^ «You must provide a password between 1 and 8 characters in length». Jira.codehaus.org. Retrieved on 2012-05-20. Archived May 21, 2015, at the Wayback Machine
- ^ «To Capitalize or Not to Capitalize?» Archived 2009-02-17 at the Wayback Machine. World.std.com. Retrieved on 2012-05-20.
- ^ Thomas, Keir (February 10, 2011). «Password Reuse Is All Too Common, Research Shows». PC World. Archived from the original on August 12, 2014. Retrieved August 10, 2014.
- ^ Pauli, Darren (16 July 2014). «Microsoft: You NEED bad passwords and should re-use them a lot». The Register. Archived from the original on 12 August 2014. Retrieved 10 August 2014.
- ^ Bruce Schneier: Crypto-Gram Newsletter Archived 2011-11-15 at the Wayback Machine. May 15, 2001
- ^ «Ten Windows Password Myths» Archived 2016-01-28 at the Wayback Machine: Myth #7. You Should Never Write Down Your Password
- ^ Kotadia, Munir (2005-05-23) Microsoft security guru: Jot down your passwords. News.cnet.com. Retrieved on 2012-05-20.
- ^ «The Strong Password Dilemma» Archived 2010-07-18 at the Wayback Machine by Richard E. Smith: «we can summarize classical password selection rules as follows: The password must be impossible to remember and never written down.»
- ^ Bob Jenkins (2013-01-11). «Choosing Random Passwords». Archived from the original on 2010-09-18.
- ^ «The Memorability and Security of Passwords – Some Empirical Results» Archived 2011-02-19 at the Wayback Machine (pdf): «your password … in a secure place, such as the back of your wallet or purse.»
- ^ «Should I write down my passphrase?» Archived 2009-02-17 at the Wayback Machine. World.std.com. Retrieved on 2012-05-20.
- ^ Jaffery, Saman M. (17 October 2011). «Survey: 11% of Brits Include Internet Passwords in Will». Hull & Hull LLP. Archived from the original on 25 December 2011. Retrieved 16 July 2012.
- ^ Two-factor authentication Archived 2016-06-18 at the Wayback Machine
- ^ Improving Usability of Password Management with Standardized Password Policies Archived 2013-06-20 at the Wayback Machine (pdf). Retrieved on 2012-10-12.
- ^ a b Hate silly password rules? So does the guy who created them Archived 2018-03-29 at the Wayback Machine, ZDNet
- ^ The Man Who Wrote Those Password Rules Has a New Tip: N3v$r M1^d! Archived 2017-08-09 at the Wayback Machine, Wall Street Journal
- ^ a b Experts Say We Can Finally Ditch Those Stupid Password Rules Archived 2018-06-28 at the Wayback Machine, Fortune
- ^ NIST’s new password rules – what you need to know Archived 2018-06-28 at the Wayback Machine, Naked Security
- ^ P. Tsokkis and E. Stavrou, «A password generator tool to increase users’ awareness on bad password construction strategies,» 2018 International Symposium on Networks, Computers and Communications (ISNCC), Rome, 2018, pp. 1-5, doi:10.1109/ISNCC.2018.8531061.
- ^ «Password». cs.columbia.edu. Archived from the original on April 23, 2007. Retrieved 2012-05-20.
- ^ Schneier, Real-World Passwords Archived 2008-09-23 at the Wayback Machine. Schneier.com. Retrieved on 2012-05-20.
- ^ MySpace Passwords Aren’t So Dumb Archived 2014-03-29 at the Wayback Machine. Wired.com (2006-10-27). Retrieved on 2012-05-20.
- ^ «CERT IN-98.03». 1998-07-16. Retrieved 2009-09-09.
- ^ a b Urbina, Ian; Davis, Leslye (November 23, 2014). «The Secret Life of Passwords». The New York Times. Archived from the original on November 28, 2014.
- ^ «Consumer Password Worst Practices (pdf)» (PDF). Archived (PDF) from the original on 2011-07-28.
- ^ «NATO site hacked». The Register. 2011-06-24. Archived from the original on June 29, 2011. Retrieved July 24, 2011.
- ^ «Anonymous Leaks 90,000 Military Email Accounts in Latest Antisec Attack». 2011-07-11. Archived from the original on 2017-07-14.
- ^ «Military Password Analysis». 2011-07-12. Archived from the original on 2011-07-15.
- ^ «The top 12 password-cracking techniques used by hackers». IT PRO. Retrieved 2022-07-18.
- ^ «The Quest to Replace Passwords (pdf)» (PDF). IEEE. 2012-05-15. Archived (PDF) from the original on 2015-03-19. Retrieved 2015-03-11.
- ^ a b «Gates predicts death of the password». CNET. 2004-02-25. Archived from the original on 2015-04-02. Retrieved 2015-03-14.
- ^ Cryptology ePrint Archive: Report 2005/434 Archived 2006-06-14 at the Wayback Machine. eprint.iacr.org. Retrieved on 2012-05-20.
- ^ Matsumoto, T.; Matsumoto, H.; Yamada, K.; Hoshino, S. (2002). «Impact of artificial ‘Gummy’ Fingers on Fingerprint Systems». Proc SPIE. Optical Security and Counterfeit Deterrence Techniques IV. 4677: 275. Bibcode:2002SPIE.4677..275M. doi:10.1117/12.462719. S2CID 16897825.
- ^ Using AJAX for Image Passwords – AJAX Security Part 1 of 3 Archived 2006-06-16 at the Wayback Machine. waelchatila.com (2005-09-18). Retrieved on 2012-05-20.
- ^ Butler, Rick A. (2004-12-21) Face in the Crowd Archived 2006-06-27 at the Wayback Machine. mcpmag.com. Retrieved on 2012-05-20.
- ^ graphical password or graphical user authentication (GUA) Archived 2009-02-21 at the Wayback Machine. searchsecurity.techtarget.com. Retrieved on 2012-05-20.
- ^ Ericka Chickowski (2010-11-03). «Images Could Change the Authentication Picture». Dark Reading. Archived from the original on 2010-11-10.
- ^ «Confident Technologies Delivers Image-Based, Multifactor Authentication to Strengthen Passwords on Public-Facing Websites». 2010-10-28. Archived from the original on 2010-11-07.
- ^ User Manual for 2-Dimensional Key (2D Key) Input Method and System Archived 2011-07-18 at the Wayback Machine. xpreeli.com. (2008-09-08) . Retrieved on 2012-05-20.
- ^ Kok-Wah Lee «Methods and Systems to Create Big Memorizable Secrets and Their Applications» Patent US20110055585 Archived 2015-04-13 at the Wayback Machine, WO2010010430. Filing date: December 18, 2008
- ^ Kotadia, Munir (25 February 2004). «Gates predicts death of the password». ZDNet. Retrieved 8 May 2019.
- ^ «IBM Reveals Five Innovations That Will Change Our Lives within Five Years». IBM. 2011-12-19. Archived from the original on 2015-03-17. Retrieved 2015-03-14.
- ^ Honan, Mat (2012-05-15). «Kill the Password: Why a String of Characters Can’t Protect Us Anymore». Wired. Archived from the original on 2015-03-16. Retrieved 2015-03-14.
- ^ «Google security exec: ‘Passwords are dead’». CNET. 2004-02-25. Archived from the original on 2015-04-02. Retrieved 2015-03-14.
- ^ «Authentication at Scale». IEEE. 2013-01-25. Archived from the original on 2015-04-02. Retrieved 2015-03-12.
- ^ Mims, Christopher (2014-07-14). «The Password Is Finally Dying. Here’s Mine». Wall Street Journal. Archived from the original on 2015-03-13. Retrieved 2015-03-14.
- ^ «Russian credential theft shows why the password is dead». Computer World. 2014-08-14. Archived from the original on 2015-04-02. Retrieved 2015-03-14.
- ^ «NSTIC head Jeremy Grant wants to kill passwords». Fedscoop. 2014-09-14. Archived from the original on 2015-03-18. Retrieved 2015-03-14.
- ^ «Specifications Overview». FIDO Alliance. 2014-02-25. Archived from the original on 2015-03-15. Retrieved 2015-03-15.
- ^ «A Research Agenda Acknowledging the Persistence of Passwords». IEEE Security&Privacy. Jan 2012. Archived from the original on 2015-06-20. Retrieved 2015-06-20.
- ^ Bonneau, Joseph; Herley, Cormac; Oorschot, Paul C. van; Stajano, Frank (2012). «The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes». Technical Report — University of Cambridge. Computer Laboratory. Cambridge, UK: University of Cambridge Computer Laboratory. doi:10.48456/tr-817. ISSN 1476-2986. Retrieved 22 March 2019.
- ^ Bonneau, Joseph; Herley, Cormac; Oorschot, Paul C. van; Stajano, Frank (2012). «The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes». 2012 IEEE Symposium on Security and Privacy. 2012 IEEE Symposium on Security and Privacy. San Francisco, CA. pp. 553–567. doi:10.1109/SP.2012.44. ISBN 978-1-4673-1244-8.
External links
- Graphical Passwords: A Survey
- Large list of commonly used passwords
- Large collection of statistics about passwords
- Research Papers on Password-based Cryptography
- The international passwords conference
- Procedural Advice for Organisations and Administrators (PDF)
- Centre for Security, Communications and Network Research, University of Plymouth (PDF)
- 2017 draft update to NIST password standards for the U.S. federal government
A Password is a word, phrase, or string of characters intended to differentiate an authorized user or process (for the purpose of permitting access) from an unauthorized user, or put another way, a password is used to prove one’s identity, or authorize access to a resource. It’s strongly implied that a password is secret. A password is usually paired with a username or other mechanism to provide authentication.
Password Management & Security: 5 Best Practices
- Password length of at least 12 characters.
- Passwords should be unique, complex, and nonsensical, composed of a mix of nonrepeating letters (upper and lower case), numbers, and symbols. They should not contain dictionary words in any language, any other guessable context (employee ID, dates, etc.), or keyboard sequences like ‘qwerty’ or ‘zxcvb’.
- Rotate privileged passwords frequently (a process referred to as password rotation, or password resetting). The rotation frequency should depend on the credential’s age, usage, and sensitivity. Superuser accounts (root, domain admin, etc.) and other highly privileged passwords should be changed often, and for the most sensitive accounts after every use, which makes them effectively one-time passwords (OTPs). For standard, non-privileged accounts, the modern best practice is instead to pick a strong password and leave it unchanged unless the credential has potentially been compromised or put at risk.
- Prohibit password re-use. Employees should be forbidden from using the same passwords across their personal and work accounts.
- If you ever need to share your password, change it when the other person is done using it.
Today, a person may have dozens, or even over a hundred, personal passwords to manage. In organizations, this number may be even higher, and also include embedded passwords within applications. The sheer number of passwords to manage generally means that, when left to humans, password practices are inadequately followed. Poor password hygiene, in turn, creates opportunities for malware and hacker exploits.
While it’s not humanly possible (at least for most humans) to adhere to best practices in manually creating and changing passwords, password management tools can automate this process.
Password managers are software applications that enforce best practices for generating and securing passwords (for example by storing them encrypted). By supplying a master password or key, the user can have the password manager pull the correct password from its database and authenticate to a system or application via form filling. Password managers can be cloud- or browser-based, or can reside on the desktop.
Enterprise Password Managers / Privileged Password Managers are a special subset of password managers used to manage credentials for enterprise privileged accounts (root, admin, etc.).
Common Password Attack Techniques
Attackers and malware covet passwords, which allow them to access the desired resource, steal data and identities, and wreak havoc. The combination of poor password practices by users, inadequate password security controls, and automated password cracking hacker tools increase the risk of password theft or exposure. Here are some common credential exploit tactics:
- Brute force attacks: Repeatedly testing password guesses, potentially millions of random guesses per second, using combinations of characters (numbers, letters, and symbols) until one matches. The more mathematically complex a password, the more difficult it is to crack.
- Dictionary attacks: Generating password guesses based on words in a dictionary of any language.
- Pass-the-Hash (PtH) attacks: In PtH attacks, an attacker doesn't need to crack the hash to recover the plaintext password; once captured, the hash itself can be passed through for access to lateral systems. A hacker could elevate privileges simply by stealing RDP credentials from a privileged user during an RDP session.
- Pass-the-Ticket (PtT) and Golden Ticket attacks: While similar to PtH, these involve copying Kerberos tickets and passing them on for lateral access across systems. A Golden Ticket attack is a variation of Pass-the-Ticket involving theft of the krbtgt account (whose key encrypts ticket-granting tickets, TGTs) from a domain controller.
- Shoulder surfing: This attack method involves observing passwords (either electronic or hard copy) as they are being entered.
- Social engineering password attacks: These attacks, such as phishing and spear phishing, involve tricking people into revealing information that can be used to gain access.
By implementing password best practices, such as via an automated tool, these attacks can be largely deflected or mitigated.
GRAMMATICAL CATEGORY OF PASSWORD
Password is a noun.
A noun is a type of word the meaning of which determines reality. Nouns provide the names for all things: people, objects, sensations, feelings, etc.
WHAT DOES PASSWORD MEAN IN ENGLISH?
Password
A password is a word or string of characters used for user authentication to prove identity or access approval in order to gain access to a resource, and it should be kept secret from those not allowed access. The use of passwords is known to be ancient. Sentries would challenge those wishing to enter an area or approaching it to supply a password or watchword, and would only allow a person or group to pass if they knew the password. In modern times, user names and passwords are commonly used by people during a login process that controls access to protected computer operating systems, mobile phones, cable TV decoders, automated teller machines, etc. A typical computer user has passwords for many purposes: logging into accounts, retrieving e-mail, accessing applications, databases, networks, web sites, and even reading the morning newspaper online. Despite the name, there is no need for passwords to be actual words; indeed passwords which are not actual words may be harder to guess, a desirable property. Some passwords are formed from multiple words and may more accurately be called a passphrase.
Definition of password in the English dictionary
The first definition of password in the dictionary is a secret word, phrase, etc., that ensures admission or acceptance by proving identity, membership, etc. Another definition of password is an action, quality, etc., that gains admission or acceptance. Password is also a sequence of characters used to gain access to a computer system.
Translation of «password» into 25 languages
TRANSLATION OF PASSWORD
Find out the translation of password to 25 languages with our English multilingual translator.
The translations of password from English to other languages presented in this section have been obtained through automatic statistical translation, where the essential translation unit is the word «password» in English.
- Chinese: 密码 (1,325 million speakers)
- Spanish: contraseña (570 million speakers)
- English: password (510 million speakers)
- Hindi: पासवर्ड (380 million speakers)
- Arabic: كَلِمَةُ الْسِّرِ (280 million speakers)
- Russian: пароль (278 million speakers)
- Portuguese: senha (270 million speakers)
- Bengali: পাসওয়ার্ড (260 million speakers)
- French: mot de passe (220 million speakers)
- Malay: Kata laluan (190 million speakers)
- German: Passwort (180 million speakers)
- Japanese: パスワード (130 million speakers)
- Korean: 암호 (85 million speakers)
- Javanese: Sandi (85 million speakers)
- Vietnamese: mật khẩu (80 million speakers)
- Tamil: கடவுச்சொல் (75 million speakers)
- Marathi: पासवर्ड (75 million speakers)
- Turkish: parola (70 million speakers)
- Italian: password (65 million speakers)
- Polish: hasło (50 million speakers)
- Ukrainian: пароль (40 million speakers)
- Romanian: parolă (30 million speakers)
- Greek: κωδικός πρόσβασης (15 million speakers)
- Afrikaans: wagwoord (14 million speakers)
- Swedish: lösenord (10 million speakers)
- Norwegian: passord (5 million speakers)
Trends of use of password
TENDENCIES OF USE OF THE TERM «PASSWORD»
The term «password» is very widely used and occupies position 701 in our list of the most widely used terms in the English dictionary.
FREQUENCY OF USE OF THE TERM «PASSWORD» OVER TIME
The graph shows the annual evolution of the frequency of use of the word «password» over the past 500 years. It is based on analysing how often the term «password» appears in digitised printed sources in English between the year 1500 and the present day.
Examples of use in the English literature, quotes and news about password
6 QUOTES WITH «PASSWORD»
Famous quotes and sentences with the word password.
’21’ was the place, and you went down, and they opened the door. They had a little slit they’d look through, and then you’d murmur the password or whatever it was you had, showed a little ticket, and if they remembered who you were, you went in.
As soon as you start feeling like you can’t trust the person and you need to check his phone or have his Facebook password or look through his messages — as soon as that trust barrier is broken — it’s hard to keep a relationship going after that.
It’s so funny because if you tweet your lyrics and then you hear it in a song next week, you’re like, ‘Hey I had that same idea.’ I’m very secretive with my music. We have to send emails password protected. Because once that song gets out, you aren’t selling that thing.
The kind of true-life writing that is fun to read — that makes an ally of the reader — is the kind that you are so nervous about putting down on paper that you lock the Word file with a secret password and encrypt it — and all of it.
Somebody could send you an office document or a PDF file, and as soon as you open it, it’s a booby trap and the hacker has complete control of your computer. Another major problem is password management. People use the same password on multiple sites, so when the hacker compromises one site, they have your password for everywhere else.
Treat your password like your toothbrush. Don’t let anybody else use it, and get a new one every six months.
10 ENGLISH BOOKS RELATING TO «PASSWORD»
Discover the use of password in the following bibliographical selection. Books relating to password and brief extracts from same to provide context of its use in English literature.
1. The Spiritual Password: Learn to Unlock Your Spiritual Power (Princess Martha Louise, Elizabeth Nordeng, 2014). This enlightening book will help you to understand why life may sometimes seem like an uphill struggle, and how to finally find the deep connection with spirit that you have been longing for.
2. The Personal Internet Address & Password Organizer (Peter Pauper Press, Inc., 2010). Plenty of room for all those Web site addresses, usernames, passwords, and additional notes. A spiral binding that allows pages to lie flat for ease of use. Handy elastic band closure.
3. Perfect Password: Selection, Protection, Authentication. This book teaches users how to select strong passwords they can easily remember. * Examines the password problem from the perspective of the administrator trying to secure their network * Author Mark Burnett has accumulated and analyzed …
4. High Performance Password Cracking by Implementing Rainbow … (Russell Edward Graves, 2008). IseCrack demonstrates that very high speed attacks against non-salted hashes are feasible, and highlights the necessity for salted password stores.
5. [title missing] Now with LAN Manager passwords, instead of trying to crack a password that is 12 characters long, a hacker would just have to crack one 7-character password and one 5-character password, which is much easier than cracking one …
6. Handbook of Information Security, Threats, Vulnerabilities, … Hashing addresses the storage issue, but it does not address another weakness, in a networked environment—it is difficult to transmit the password securely to the server for verification without it being captured and reused, perhaps in a replay …
7. Mac OS X Leopard: The Missing Manual. Shared folders on the network, Web sites, your iDisk, FTP sites—each requires another password. Apple has done the world a mighty favor with its Keychain feature. The concept is brilliant. Whenever you log into Mac OS X and type in your …
8. Mac OS X Snow Leopard: The Missing Manual. Enter your password, and then click OK. (The master password sticks around once you’ve created it, however, in case you ever want to turn FileVault on again.) Logout Options. As you read earlier in this chapter, the usual procedure for …
9. Nancy Drew 10: Password to Larkspur Lane. More information to be announced soon on this forthcoming title from Penguin USA.
10. Information Security: Principles and Practice. In this scenario, one weak password on a system—or in the extreme, one weak password on an entire network—could be enough for the first stage of the attack to succeed. The bottom line is that one weak password may be one too many.
10 NEWS ITEMS WHICH INCLUDE THE TERM «PASSWORD»
Find out what the national and international press are talking about and how the term password is used in the context of the following news items.
Websites, Please Stop Blocking Password Managers. It’s 2015
Typically, a password manager will generate a long, complex, and—most importantly—unique password, and then store it in an encrypted … «Wired, Jul 15»
A Password Primer For Baby Boomers
Remember the old TV game show Password? If you do, then like me you are probably flummoxed by all of the passwords required to function … «Huffington Post, Jul 15»
Wall Street doesn’t think using your friend’s Netflix account is a …
While some are seeing this information as a big negative, May used the data to tell a different story: Password-sharing isn’t really a problem for … «Business Insider, Jul 15»
Helping The Password-Memory-Challenged
Password Boss said Thursday (July 23) that it is debuting a free password manager and digital wallet “designed for anyone who has trouble … «PYMNTS.com, Jul 15»
Why you never need to give out your password to your work’s help …
Practice the same password security at work as you would anywhere else. If you didn’t initiate the call to the help desk to work on your PC, … «Graham Cluley Security News, Jul 15»
OpenSSH server open to almost unlimited password-guessing bug
A flaw in OpenSSH lets attackers bypass simple limits on the number of password login attempts that can be made per connection. By default … «The Register, Jul 15»
Do You Use Someone Else’s Netflix Password? You’re Not Alone
Nearly two-thirds of Netflix subscribers in the United States and the United Kingdom share their username and password with other people, … «Huffington Post, Jul 15»
How To Password Protect a Folder in Windows 10
Fortunately, in Windows 10, you can tuck those unmentionable plans or files in a secret folder that is password protected, and you can do it … «Laptop Mag, Jul 15»
Password Boss Unveils Free Password Manager and Digital Wallet …
MINNEAPOLIS—(BUSINESS WIRE)—Password Boss today unveiled its company to the consumer market by introducing a new free password … «Business Wire, Jul 15»
What To Do When Your Ex Still Has Your HBO Go (Or Netflix Or …
A few weeks ago, a friend threw me a streaming curveball. She said, “I just found out that my ex-boyfriend’s been using my HBO GO password. «Decider, Jul 15»
REFERENCE
« EDUCALINGO. Password [online]. Available <https://educalingo.com/en/dic-en/password>. Apr 2023 ».
What is a password?
A password is a string of characters used to verify the identity of a user during the authentication process. Passwords are typically used in tandem with a username; they are designed to be known only to the user and allow that user to gain access to a device, application or website. Passwords can vary in length and can contain letters, numbers and special characters.
A password is sometimes called a passphrase when it uses more than one word, or a passcode or passkey when it uses only numbers, such as a personal identification number (PIN).
A password is a simple application of challenge-response authentication, using a verbal, written or typed code to satisfy the challenge request. The order and variety of characters are often what determine the difficulty, or security strength, of a given password. That is why security systems often require users to create passwords that use at least one capital letter, number and symbol. For a password to be an effective security mechanism, its details must be kept secret. Otherwise, unauthorized users could gain access to the files and resources one is trying to protect.
How to create a secure password
Passwords, when carefully created and protected, increase safe and secure interactions online and in the workplace and can prevent password cracking. To maximize the strength and efficacy of passwords, organizations often establish password policies. These policies are designed to help users create strong passwords and adopt best practices for managing login credentials. Below are a few examples of the practices that contribute to effective password management and creation:
- A minimum length of eight characters and a maximum of between 16 and 64 characters. While there is no inherent limit to the length of a password, length does reach a point of diminishing returns.
- Include both uppercase and lowercase letters, with case sensitivity enforced. This increases the number of possibilities an attacker must try and, therefore, the difficulty of guessing the password.
- Use at least one number.
- Use at least one special character.
- Avoid using easily guessed elements such as names of children, pet names and birthdays.
- Consider using a password management tool.
Examples of strong passwords
The most important components of strong passwords include sufficient length and a mix of character types. Security experts recommend using passphrases that combine several words and interchange numbers and symbols but are still fairly easy to remember. For example, the phrase «my hobby is buying shoes online» can convert to «Myho88y!$ buYing$HO3$ 0nlin3.»
Security practitioners also recommend using the first letter of each word in a long sentence to create a complex string, again replacing some letters with numbers and symbols. For example, «I spend all my money in the shoe department at Nordstrom because their shoes are great» can convert to «[email protected]@N8T$AG.»
Random password generators and password management tools can also produce complex passwords and remember them for users. Despite vulnerabilities that sometimes surface in password managers, the security community recommends their use.
How to avoid weak passwords
Users and businesses should strive to eliminate common password vulnerabilities that threat actors tend to look for. With social media being more present than ever before, any recognizable personal information can be easily obtained by a persistent cybercriminal. Common weaknesses include:
- Use of the word «password»
- Sequential numbers starting from one, such as «12345678»
- Inclusion of accessible information: birthdates, names of relatives, home addresses and names of pets or children
The SolarWinds hack that emerged in late 2020 showed how cybercriminals can compromise weak passwords. Instead of performing an elaborate attack, the Russia-backed hackers simply guessed the password «solarwinds123,» which proved to be the password to the company’s update server. This allowed the attackers to hide a virus in SolarWinds’ Orion software update, which was later shipped to its clients and compromised them as well.
How often should passwords be changed?
Strong passwords don’t just depend on the code or the individual; they also depend on the expiration date. Corporate password policies often place an expiration date on their users’ passcodes, forcing users to replace old passwords with new ones. Expiration periods commonly span 90 to 180 days. Sophisticated password creation systems may also force users to create new passwords that don’t share major similarities with their previous iterations.
Alternative methods to passwords
Passwordless authentication has emerged to help eliminate the complexities and vulnerabilities of traditional passwords. This method is especially beneficial for users on mobile devices or social platforms. Instead of creating a unique password, users receive a one-time authentication code via a text message, email or other messaging alert or service. The code allows users to log in automatically.
Other authentication methods can also be combined with or in place of passwords. These options include:
- Two-factor authentication (2FA) — 2FA requires users to provide two authentication factors that include a combination of something the user knows (like a password or PIN), something the user has (like an ID card, security token or smartphone) and something the user is (like a fingerprint or eye scan).
- Multifactor authentication (MFA) — MFA is similar to 2FA except that it is not limited to only two authentication factors. It also uses something the user knows, something the user has and something the user is.
- Biometrics — Biometric methods authenticate users based on physiological characteristics such as fingerprints or retinal scans, or behavioral characteristics such as typing patterns and voice recognition.
- Tokens — A security token is a physical hardware device like a smart card or key fob that a user carries to authorize access to a network.
- One-time passwords (OTP) — An OTP is an automatically generated password that only authenticates a user for a single transaction or session. These passwords change for every use and are typically stored on security tokens.
- Social login — This type of login enables users to authenticate themselves on applications or websites by connecting to a social media account such as Facebook or Google instead of using a separate login for each and every site.
This was last updated in July 2021