Password Topics

• course passwords
• personal identification number
• disk encryption
• relevant system
• cryptographic keys
• e mail
• computer accounts
• typical computer
• article one
• watchword
• passcode
• secret information
• computer user
• attacker
• insecurity
• computer security
• access control
• number 1
• atm
• keyboard

Related Images

Source

Source

Source

Source

del.icio.us Tags

• security
• authentication
• password
• cryptography
• wikipedia
• identity
• computing
• currently_reading
• prereg
• articles
• cracking
• passwords
• senhas
• isd
• imported
• -webstuff-

Password, Password

Sentries would challenge those wishing to enter an area or approaching it to supply a password or watchword.

A typical computer user may require passwords for many purposes: logging in to computer accounts, retrieving e-mail from servers, accessing programs, databases, networks, web sites, and even reading the morning newspaper online.

The term passcode is sometimes used when the secret information is purely numeric, such as the personal identification number (PIN) commonly used for ATM access. Passwords are generally short enough to be easily memorized and typed.

For instance, "publiclibrary", "internet", "financecommittee" or "password" are all examples of easily remembered passwords, more or less publicly knowable passwords.

Effective access control requires passwords which are more difficult to guess or to find automatically, less publicly knowable (ideally not at all), and these are the subject of much of the rest of this article. One method of creating passwords that are memorable, but harder to attack successfully is to use selective substitution of numbers for letters, e.g. 'I' is replaced by '1', 'E' by '3' etc. This becomes even more secure if the numbers are 'shifted' on the keyboard. In this instance, the number '1' might be replaced by '!', assuming '!' is a permitted character in passwords on the relevant system.

And, of course, passwords should be chosen so that they are hard for an attacker to guess and hard for an attacker to discover using any (and all) of the available automatic attack schemes. See password strength, computer security, and computer insecurity.

Some systems impose a time-out of several seconds after a small number (e.g., three) of failed password entry attempts. In the absence of other vulnerabilities, such systems can be effectively secure with relatively simple passwords, if they have been well chosen and are not easily guessed.

Passwords that are used to generate cryptographic keys (e.g., for disk encryption or Wi-Fi security) can also be subjected to high rate guessing. Lists of common passwords are widely available and can make password attacks very efficient. (See Password cracking.) Security in such situations depends on using passwords or passphrases of adequate complexity, making such an attack computationally infeasible for the attacker. Some systems, such as PGP and Wi-Fi WPA apply a computation-intensive hash to the password to slow such attacks. See key strengthening.

If some users employ the same password for accounts on different systems, those will be compromised as well.

The hash value is created by applying a hash function (for maximum resistance to attack this should be a cryptographic hash function) to a string consisting of the submitted password and, usually, another value known as a salt. The salt prevents attackers from easily building a list of hash values for common passwords. MD5 and SHA1 are frequently used cryptographic hash functions.

The UNIX DES function was iterated to make the hash function equivalent slow, further frustrating automated guessing attacks, and used the password candidate as a key to encrypt a fixed value, thus blocking yet another attack on the password shrouding system. More recent Unix or Unix like systems (eg, Linux or the various BSD systems) use what most believe to be still more effective protective mechanisms based on MD5, SHA1, Blowfish, Twofish, or any of several other algorithms to prevent or frustrate attacks on stored password files Password Protection for Modern Operating Systems.

However, many systems do not protect their hashed passwords adequately, and if an attacker can gain access to the hashed values he can use widely available tools which compare the encrypted outcome of every word from some list, such as a dictionary (many are available on the Internet). Large lists of possible passwords in many languages are widely available on the Internet, as are software programs to try common variations. The existence of these dictionary attack tools constrains user password choices which are intended to resist easy attacks; they must not be findable on such lists. Obviously, words on such lists should be avoided as passwords. Use of a key stretching hash such as PBKDF2 is designed to reduce this risk.

If the password is carried as electrical signals on unsecured physical wiring between the user access point and the central system controlling the password database, it is subject to snooping by wiretapping methods. If it is carried as packetized data over the Internet, anyone able to watch the packets containing the logon information can snoop with a very low probability of detection.

If it passes through intermediate systems during its travels, it will likely be stored on those as well, at least for some time. Attempts to delete an email from all these vulnerabilities may, or may not, succeed; backups or history files or caches on any of several systems may still contain the email. Indeed merely identifying every one of those systems may be difficult. Emailed passwords are generally an insecure method of distribution.

When you logged into your Wikipedia account, your username and password are sent from your computer's browser through the Internet as cleartext. In principle, anyone could read them in transit and thereafter log into your account as you; Wikipedia's servers have no way of distinguishing such an attacker from you. In practice, an unknowably larger number could do so as well (eg, employees at your Internet Service Provider, at any of the systems through which the traffic passes, etc). More recently, Wikipedia has offered a secure login option, which, like many e-commerce sites, uses the SSL / (TLS) cryptographically based protocol to eliminate the cleartext transmission. But, because anyone can gain access to Wikipedia (without logging in at all), and then edit essentially all articles, it can be argued that there is little need to encrypt these transmissions as there's little being protected. Other websites (eg, banks and financial institutions) have quite different security requirements, and cleartext transmission of anything is clearly insecure in those contexts.

On many systems (including Unix-type systems) doing remote authentication, the shared secret usually becomes the hashed form and has the serious limitation of exposing passwords to offline guessing attacks. In addition, when the hash is used as a shared secret, an attacker does not need the original password to authenticate remotely; he only needs the hash.

And, of course, if the new password is given to a compromised employee, little is gained. Some web sites include the user-selected password in an unencrypted confirmation e-mail message, with the obvious increased vulnerability.

The user's identity is verified by asking questions and comparing the answers to ones previously stored (ie, when the account was opened). Typical questions include "Where were you born?," "What is your favorite movie?" or "What is the name of your pet?" In many cases the answers to these questions can be relatively easily guessed by an attacker, determined by low effort research, or obtained through social engineering, and so this is less than fully satisfactory as a verification technique. While many users have been trained never to reveal a password, few consider the name of their pet or favorite movie to require similar care.

Such policies usually provoke user protest and foot-dragging at best and hostility at worst. Users may develop simple variation patterns to keep their passwords memorable. In any case, the security benefits are distinctly limited, if worthwhile, because attackers often exploit a password as soon as it is compromised, which will likely be some time before change is required. In many cases, particularly with administrative or "root" accounts, once an attacker has gained access, he can make alterations to the operating system that will allow him future access even after the initial password he used expires. (see rootkit). Implementing such a policy requires careful consideration of the relevant human factors.

If the user supplies a password matching the one stored for the supplied username, he or she is permitted further access into the computer system. This is also the case for a cash machine, except that the 'user name' is typically the account number stored on the bank customer's card, and the PIN is usually quite short (4 to 6 digits).

This is partly because users are more willing to tell another person (who may not be authorized) a shared password than one exclusively for their use. Single passwords are also much less convenient to change because many people need to be told at the same time, and they make removal of a particular user's access more difficult, as for instance on graduation or resignation. Per-user passwords are also essential if users are to be held accountable for their activities, such as making financial transactions or viewing medical records.

A related method, rather more efficient in most cases, is a dictionary attack. In a dictionary attack, all words in one or more dictionaries are tested. Lists of common passwords are also typically tested.

Passwords easily discovered are termed weak or vulnerable ; passwords very difficult or impossible to discover are considered strong . There are several programs available for password attack (or even auditing and recovery by systems personnel) such as L0phtCrack, John the Ripper, and Cain; some of which use password design vulnerabilities (as found in the Microsoft LANManager system) to increase efficiency. These programs are sometimes used by system administrators to detect weak passwords proposed by users.

For example, Columbia University found 22% of user passwords could be recovered with little effort.

This process eliminates the possibility of local reverse engineering as the code used to authenticate the password does not reside on the local machine.

Others take advantage of server-side scripting languages such as ASP or PHP to authenticate users on the server before delivering the source code to the browser. Popular systems such as Sentry Login and Password Sentry take advantage of technology in which web pages are protected using such scripting language code snippets placed in front of the HTML code in the web page source saved in the appropriate extension on the server, such as .asp or .php.

The challenge and response were changed periodically. American paratroopers also famously used a device known as a "cricket" on D-Day in place of a password system as a temporarily unique method of identification; one metallic click given by the device in lieu of a password was to be met by two clicks in reply. Bando, Mark Screaming Eagles: Tales of the 101st Airborne Division in World War II Passwords have been used with computers since the earliest days of computing. MIT's CTSS, one of the first time sharing systems, was introduced in 1961. It had a LOGIN command that requested a user password. "After typing PASSWORD, the system turns off the printing mechanism, if possible, so that the user may type in his password with privacy." CTSS Programmers Guide, 2nd Ed., 1965 Robert Morris invented the idea of storing login passwords in a hashed form as part of the Unix operating system. His algorithm, know as crypt, used a 12-bit salt and invoked a modified form of the DES algorithm 25 times to reduce the risk of dictionary attacks.

Source: Wikipedia > Password