The password is a word or string of characters that is used for user authentication to prove an identity or approval access to gain access to resources (example: access code is a type of password), which should be kept secret from access not allowed.
The use of known ancient passwords. Sentri will challenge those who want to enter the area or approach it to provide a password or tagline , and will only allow a person or group to pass if they know the password. In modern times, usernames and passwords are typically used by people during login that control access to protected computer operating systems, mobile phones, cable TV decoders, automated teller machines (ATMs), etc. A typical computer user has a password for many purposes: log in to an account, retrieve e-mail, access apps, databases, networks, websites, and even read the morning newspaper online.
Regardless of its name, there is no need for a password to be the actual words; indeed passwords that are not actual words may be more difficult to guess, property desired. Some passwords are made of several words and may be more accurately called passphrases. The terms passcode and keys are sometimes used when pure numerical confidential information, such as a personal identification number (PIN) commonly used for ATM access. Passwords are usually short enough to be easy to remember and type.
Most organizations set a password policy that specifies requirements for the composition and use of passwords, typically dictate the minimum length, the required categories (such as uppercase and lowercase letters, numbers, and special characters), prohibited elements (eg own name, birth date, address, phone number). Some governments have national authentication frameworks that define requirements for user authentication to government services, including requirements for passwords.
Video Password
Histori
The password or tagline has been used since ancient times. Polybius describes the distribution system of the motto in the Roman military as follows:
Their way of ensuring the graduation from the watchword for the night is as follows: from the tenth disciple of each infantry and cavalry class, the camper's guard at the bottom end of the street, a chosen man who is relieved from the duty duty, and he attends to each day as the sun goes down in and received from him the slogan - a wooden tablet with the word written on it - took a leave of absence, and returned to his residence passing on the slogan and tablet before the witness to the commander of the next maniple, who in turn passed it on to the next. All did the same thing until it reached the first manipulation, which was camped near the tribune's tent. The latter is obliged to deliver the tablet to the stand before dark. So that if all that comes out is returned, the tribune knows that the slogan has been given to all manipulation, and has passed all his journeys back to him. If one of them disappears, he makes an inquiry at once, because he knows by the signs of the quarter how the tablet has not returned, and whoever is responsible for the termination meets the penalty he gets.
Passwords in military use evolved to include not only passwords, but passwords and counter-words; for example in the opening days of the Battle of Normandy, the paratroopers from the US 101st Airborne Division used the flash password - presented as a challenge, and answered with the correct response - thunder . Challenges and responses change every three days. The American paratroopers are also famous for using a device known as "cricket" on D-Day instead of the password system as a temporary unique identification method; one metallic click provided by the device in lieu of the password must be met by two clicks as a reply.
Passwords have been used with computers since the early days of computing. CTSS MIT, one of the first time-sharing systems, was introduced in 1961. It has a LOGIN command that asks for a user's password. "After typing PASSWORD, the system will turn off the printing mechanism, if possible, so that users can type their password with privacy." In the early 1970s, Robert Morris developed a login password storage system in a hash form as part of the Unix operating system. This system is based on a Hagelin rotor crypto engine simulation, and first appeared in Unix 6th Edition in 1974. The final version of the algorithm, known as crypt (3), uses 12-bit salts and invokes modified form of DES algorithm 25 times to reduce the risk of pre-calculated dictionary attack.
Maps Password
Choose a password that is safe and easy to remember
The easier the password for owners to remember in general means it will be easier for the attacker to guess. However, a hard-to-remember password can also reduce the security of the system because (a) the user may need to write or store the password electronically, (b) the user will need to reset the password frequently and (c) the user is more likely to reuse the password the same one. Similarly, more stringent requirements for password strength, e.g. "has a mix of uppercase and lowercase letters and digits" or "change monthly", the greater the rate at which users will subvert the system. Others think longer passwords provide more security (e.g. Entropy) than shorter passwords with different characters.
In The Memorability and Password Security , Jeff Yan et al. examine the effect of the suggestions given to the user about a good password choice. They found that passwords based on phrase thinking and taking the first letter of each word were as effective as a password that was chosen naively, and it was as difficult to solve randomly generated passwords.
Combining two or more unrelated words and converting several letters into special characters or numbers is another good method, but a single dictionary word does not. Having a personally-designed algorithm to generate unclear passwords is another good method
However, asking users to remember passwords that consist of "mix of uppercase and lowercase letters" is similar to asking them to remember the bit sequence: it's hard to remember, and only slightly harder to solve it (eg just 128 times more difficult to crack for a word password 7 letters, less if the user only capitalizes one of the letters). Asking users to use "letters and numbers" will often lead to easy-to-guess substitutions such as 'E' -> '3' and 'I' -> '1', a substitute that is very familiar to the attacker. Similarly typing a higher one-line keyboard password is a common trick known by attackers.
In 2013, Google released the list of the most common types of passwords, all of which are considered unsafe as too easy to guess (especially after researching individuals on social media):
- Name of pet, child, family member, or other important person
- Anniversary date and birthday
- Place of Birth
- Favorite vacation names
- Something related to favorite sports team
- The word "password"
Factors in password system security
Password-protected system security depends on several factors. The entire system should be designed for sound security, with protection against computer viruses, man-in-the-middle attacks and the like. Physical security issues are also a concern, ranging from tackling shoulders to more sophisticated physical threats such as video cameras and keyboard sniffer. The password must be chosen so it is difficult for the attacker to guess and it is difficult for an attacker to find using any of the available automated attack schemes. See the power of passwords and computer security for more information.
Currently, it is a common practice for computer systems to hide passwords as they are typed. The purpose of this action is to prevent the observer from reading the password; However, some argue that this practice can cause errors and stress, prompting the user to choose a weak password. Alternatively, users should have the option to show or hide passwords as they type.
Effective access control provisions can force extreme measures against criminals who want to obtain biometric passwords or tokens. Less extreme measures include extortion, blocking of rubber hoses, and side channel attacks.
Some specific password management issues to consider when thinking, selecting, and handling, passwords follow.
Value when attacker can try to guess password
The rate at which an attacker can send a suspected password to the system is a key factor in determining system security. Some systems apply a timeout several seconds after a small number (e.g., Three) failed password entry attempts. In the absence of other vulnerabilities, the system can be effectively secure with relatively simple passwords, if they are well selected and not easy to guess.
Many systems store cryptographic hashes of passwords. If an attacker has access to a hash file, a password guess can be done offline, quickly testing the candidate password against the correct password hash value. In a web-server instance, an online attacker can only guess at the level at which the server will respond, while an off-line attacker (who gains access to a file) can guess at a level limited only by the hardware on which his attacks are running.
The passwords used to generate cryptographic keys (for example, for disk encryption or Wi-Fi security) can also be subject to a high-level guess. A list of common passwords is widely available and can make password attacks very efficient. (See Password cracking.) Security in such situations relies on the use of passwords or passphrases with sufficient complexity, thus making such attacks unfit for attackers. Some systems, such as PGP and WPA Wi-Fi, apply intensive computing-hash to passwords to slow down such attacks. See key stretching.
Limit of password guesses
An alternative to limiting the rate at which an attacker can make a guess on a password is to limit the number of guesses that can be made. Passwords may be disabled, requiring reset, after a small number of consecutive bad allegations (say 5); and the user may need to change the password after a larger cumulative number of bad guesses (say 30), to prevent an attacker from making a large number of bad guesses by inserting them between good guesses made by the owner of a legitimate password. Attackers may instead use this knowledge of mitigation to apply denial of service attacks to users by intentionally locking users out of their own devices; the denial of this service could pave the way for attackers to manipulate the situation for their benefit through social engineering.
Form of saved password
Some computer systems store user passwords as plaintext, which is used to compare logon user attempts. If an attacker gains access to such internal passwords, all passwords - and all user accounts - will be compromised. If multiple users use the same password for accounts on different systems, they will also be compromised.
Safer systems store each password in cryptographically protected form, so access to the actual password will still be difficult for reconnaissance gaining internal access to the system, while validation of user access attempts is still possible. The safest ones do not store passwords at all, but one-way derivations, such as polynomial, modulus, or advanced hash functions. Roger Needham finds the current general approach of just storing the "hash" shape of the plaintext password. When a user types a password on such a system, the password handling software runs through a cryptographic hash algorithm, and if the hash value generated from the user entry matches the hash stored in the password database, the user is allowed to access it. The hash value is created by applying a cryptographic hash function to a string consisting of a password sent and, in many implementations, another value known as salt. Salt prevents attackers from easily establishing hash value lists for common passwords and preventing password-shooting attempts from scale across all users. MD5 and SHA1 are often used cryptographic hash functions but are not recommended for password hashing unless used as part of larger constructs as in PBKDF2.
Saved data - sometimes called "password verifier" or "password hash" - often stored in Modular Cryptic Format or RFC 2307 hash format, sometimes in/etc/passwd file or/etc/shadow file.
The primary storage method for passwords is plain text, characterized, characterized and salted, and encrypted reversibly. If an attacker gets access to a password file, then if saved as plain text, there is no need to crack. If it is smoothed but not salted then it is prone to attack rainbow table (which is more efficient than crack). If it is encrypted reversibly then if the attacker gets the decryption key along with the file no crack is required, while if he fails to get the crack key is not possible. So, from the general storage format to the password only when the password has been marinated and hash cracked both as necessary and as possible.
If the cryptographic hash function is well designed, then it is not feasible computing to reverse the function to recover the plaintext password. An attacker can, however, use a widely available tool to try to guess the password. These tools work with possible password hashing and compare the results of each guess with the actual password hash. If an attacker finds a match, they know that their guess is the actual password for the related user. The password hacking tool can operate violently (ie try every possible combination of characters) or by hashing every word from the list; a large list of possible passwords in many languages ââis widely available on the Internet. The existence of a password locking tool allows an attacker to easily recover poorly selected passwords. In particular, attackers can quickly recover short passwords, dictionary words, simple variations on dictionary words or that use predictable patterns. The modified version of the DES algorithm is used as the basis for the password hashing algorithm in the original Unix system. The crypt algorithm uses a 12-bit salt value so that each user hash is unique and repeats the DES algorithm 25 times to make the hash function slower, both actions intended to thwart the automatic guessing attack. User passwords are used as keys to encrypt fixed values. Newer Unix or Unix systems (for example, Linux or BSD systems) use safer password hashing algorithms such as PBKDF2, bcrypt, and scrypt that have large salt and the cost or number of customizable iterations. A poorly designed hash function can make a decent attack even if a strong password is selected. See LM hash for a widely used, and unsafe instance.
Password verification methods over the network
Simple password transmission
Passwords are vulnerable to interception (ie, "peering") when being sent to a machine or authenticating person. If a password is taken as an electrical signal on an insecure physical cable between a user access point and a central system that controls the password database, it will be called by the eavesdropping method. If it is taken as packet data over the Internet, anyone who can watch packets containing login information can lurk with very low detection probabilities.
Email is sometimes used to distribute passwords but this is generally an unsafe method. Since most emails are sent as plaintext, messages containing passwords can be read effortlessly during transport by any eavesdropper. Next, the message will be saved as plaintext on at least two computers: the sender and the receiver. If it passes through an intermediate system during its journey, it may be stored there as well, at least for some time, and can be copied to a backup, cache or history file on one of these systems.
Using client-side encryption will only protect the transmission from the mail-handling system server to the client machine. The previous or next email relation will not be protected and the email may be stored on multiple computers, of course on originating and receiving computers, most often in clear text.
Transmission via encrypted channel
The risk of password interception sent over the Internet can be reduced by, among other approaches, using cryptographic protection. The most widely used is the Transport Layer Security feature (TLS, formerly called SSL) in most recent Internet browsers. Most browsers remind users of TLS/SSL-protected exchange with servers by displaying a closed lock icon, or any other sign, when TLS is used. There are several other techniques used; see cryptography.
Hash-based response methods
Unfortunately, there is a conflict between saved hasheds-passwords and authentication of hash-based responses; the latter requires the client to prove to the server that they know what shared secrets (ie, passwords), and to do this, the server must be able to obtain a shared secret from its stored form. On many systems (including Unix-type systems) that perform remote authentication, shared secrets are usually a hash form and have serious limitations to expose passwords to offline guess attacks. Additionally, when a hash is used as a shared secret, the attacker does not require the original password to authenticate remotely; they just need hash.
Proof of a zero-knowledge password
Instead of transmitting passwords, or transmitting hashes of passwords, a password authentication key agreement system can perform a password check without knowledge, which proves knowledge of passwords without opening them.
Moving one step further, additional systems for key agreements passed with passwords (eg, AMP, B-SPEKE, PAK-Z, SRP-6) avoid conflicts and restrictions on hash-based methods. An additional system allows the client to prove the knowledge of the password to the server, where the server only knows the hashed password (not exact), and where the password is not destroyed necessary to gain access.
Procedures for changing passwords
Typically, the system must provide a way to change the password, either because the user believes that the current password has been (or may have) been compromised, or as a precaution. If a new password is passed to the system in an unencrypted form, security can be lost (eg, via eavesdropping) before a new password can even be installed in the password database and if a new password is given to the compromised employee, only a small amount is obtained. Some websites enter the user-selected password in an unencrypted confirmation e-mail message, with a marked increase in vulnerability.
Identity management systems are increasingly being used to automate the issuance of lost password replacement, a feature called self-service rearrangement. The user identity is verified by asking questions and comparing the previously stored answers (ie when the account is opened).
Some password reset questions ask for personal information that can be found on social media, such as a mother's maiden name. As a result, some security experts suggest making their own questions or giving wrong answers.
Long password life
"Password alert" is a feature of multiple operating systems that forces users to frequently change their passwords (e.g., quarterly, monthly, or even more frequently). Such policies usually provoke user protests and drag the feet as best they can and hostilities. Often there are improvements to people who log in passwords and leave them where they are easy to find, as well as calls to help reset forgotten passwords. Users can use simpler passwords or develop variation patterns on a consistent theme to keep their passwords in mind. Due to these issues, there is some debate as to whether password aging is effective. Changing the password will not prevent abuse in most cases, as abuse is often instantly visible. However, if someone may have access to passwords in several ways, such as sharing a computer or violating a different site, changing the password limit window due to abuse.
Number of users per password
Allocating separate passwords for each system user is preferred to have a single password that legitimate users share from the system, of course from a security point of view. This is partly because users are more willing to notify others (who may not be authorized) a shared password than one exclusively for their use. Single passwords are also less convenient to change as many people need to be notified at the same time, and they make deleting certain user access more difficult, such as on graduation or resignation. Separate logins are also often used for accountability, for example to find out who changed some of the data.
Password security architecture
Common techniques used to improve the security of computer systems that are password protected include:
- Does not display a password on the display screen while it is being inserted or obfuscated when typed using asterisks (*) or bullets (o).
- Leaving passwords of sufficient length. (Some older operating systems, including early versions of Unix and Windows, limit passwords to a maximum of 8 characters, reduce security.)
- Requires users to re-enter their password after a period of inactivity (semi log-off policy).
- Enforce password policies to improve password strength and security.
- Requires a password change periodically.
- Setting selected passwords at random.
- Requires minimum password length.
- Some systems require characters from different character classes in passwords - for example, "must have at least one uppercase and at least one lowercase". However, the all-lowercase password is safer per keystroke than the mixed capitalization password.
- Use password blacklists to block the use of weak and predictable passwords
- Provides an alternative to keyboard entries (e.g., spoken password, or biometric password).
- Requires more than one authentication system, such as two-factor authentication (something the user has and something known to the user).
- Use encrypted tunnels or authenticated key agreements-passwords to prevent access to passwords sent through network attacks
- Limit the number of failures allowed within a certain timeframe (to prevent guessing of recurring passwords). Once the limit is reached, further attempts will fail (including correct password attempts) until the beginning of the next time period. However, this is susceptible to forms of denial of service attacks.
- Introduces a delay between attempts to file a password to slow down an automatic password guess program.
Some of the more stringent policy enforcement measures could pose a risk of alienating users, which is likely to reduce security.
Reusing password
It is a common practice among computer users to reuse the same password on multiple sites. This presents a substantial security risk, as the attacker only needs to compromise one site to gain access to other sites the victim uses. This problem is compounded by also reusing user names, and by websites requiring email logins, as it allows an attacker to track one user across multiple sites. Reusing passwords can be avoided or minimized by using mnemonic techniques, writing passwords on paper, or using a password manager.
This has been suggested by researchers Redmond Dinei Florencio and Cormac Herley, along with Paul C. van Oorschot from Carleton University, Canada, that password reuse is unavoidable, and that users should reuse passwords for low-security websites contains little personal data and no financial information, for example) and instead focus their efforts on remembering long, complex passwords for some important accounts, such as bank accounts. A similar argument was made by Forbes in not changing the password as many "expert" suggestions, because of the same limitations in human memory.
Write a password on paper
Historically, many security experts have asked people to remember their passwords: "Never write down a password". Recently, many security experts such as Bruce Schneier suggested that people use passwords that are too complicated to memorize, write them down on paper, and store them in a wallet.
The password management software can also store passwords relatively securely, in encrypted files sealed with a single master password.
After death
According to a survey by the University of London, one in ten people now leave their passwords in their will to pass on this important information when they die. One-third of people, according to the poll, agree that their passwords protect data is important enough to be forwarded in their wills.
Two-factor authentication
Two-factor authentication makes passwords more secure. For example, two-factor authentication will send you text messages, e-mails, or alerts via third-party apps every time a login attempt is made.
Password rules
Many websites set certain conditions on passwords their users can choose. These almost always include standard rules such as minimum and maximum lengths, but also often include composition rules such as displaying at least one uppercase and at least one number/symbol. Most recently, the more specific rule is based largely on the 2003 report by the National Institute of Standards and Technology (NIST), written by Bill Burr. It originally proposed the practice of using numbers, unclear characters and capital letters and updating regularly. In the Wall Street Journal article, Burr reported that he regretted this proposal and made a mistake when he recommended it.
According to a rewrite of 2017 from this NIST report, many websites have rules that actually have the opposite effect on the security of their users. This includes complicated composition rules and password changes that are forced after a certain period of time. Although these rules have long been widespread, they have also long been seen as irritating and ineffective by users and cyber security experts. NIST recommends people use longer phrases as passwords (and suggest websites to increase the maximum password length) than hard-to-remember passwords with "illusive complexity" like "pA55w rd". A user is prevented from using the password "password" can only select "Password1" if requested to enter a number and capitalization. Combined with forced password changes, this can cause passwords that are hard to remember but easy to crack.
Paul Grassi, one of the authors of the 2017 NIST report, further elaborates: "Everyone knows that exclamation marks are 1, or one me, or the last character of the password. $ Is S or 5. If we use this well Trick-known , we're not fooling the enemy, we're just fooling the database that stores the password into the user's mind doing something good. "
Hacked password
Trying to break the password by trying as much as possible the time and money allowed is a brute force attack. The related method, more efficient in most cases, is a dictionary attack. In dictionary attack, all words in one or more dictionaries are tested. A list of common passwords is also usually tested.
Password strength is the possibility that passwords can not be guessed or found, and vary with the attack algorithm used. Cryptologists and computer scientists often refer to strength or 'violence' in terms of entropy.
Easy-to-find keywords are called weak or vulnerable ; passwords that are very difficult or impossible to find are considered strong . There are several programs available for password attacks (or even auditing and recovery by system personnel) such as L0phtCrack, John the Ripper, and Cain; some of which use password design vulnerabilities (such as those found in Microsoft LANManager systems) to improve efficiency. These programs are sometimes used by system administrators to detect weak passwords submitted by users.
The study of computer production systems has consistently shown that most of all user-selected passwords can be automatically guessed. For example, Columbia University found 22% of user passwords recoverable with little effort. According to Bruce Schneier, checking data from a 2006 phishing attack, 55% of MySpace passwords will be cracked in 8 hours using a commercially available Password recovery tool capable of testing 200,000 passwords per second in 2006. He also reports that the most common single password is password1 , confirming yet another lack of public care in choosing passwords between users. (It retains, on the basis of this data, that the general quality of passwords has increased over the years - for example, the average length of up to eight characters from below seven in the previous survey, and less than 4% are dictionary words.)
Incident
- On July 16, 1998, CERT reported an incident when the attacker encountered 186,126 encrypted passwords. By the time the attacker was found, 47,642 passwords had been cracked.
- In September 2001, following the death of 960 New York employees in the September 11 attacks, Cantor Fitzgerald's financial services company through Microsoft broke the dead employee's password to gain access to the files needed to serve client accounts. Technicians use brute-force attacks, and the interviewer contacts the family to collect personalized information that can reduce the search time for weaker passwords.
- In December 2009, a major website password violation of Rockyou.com occurred causing the release of 32 million passwords. Hackers then leaked a complete list of 32 million passwords (no other identifiable information) to the Internet. The passwords are stored in cleartext in the database and extracted via SQL injection vulnerabilities. The Imperva Application Defense Center (ADC) analyzes the password strength.
- In June 2011, NATO (North Atlantic Treaty Organization) experienced a security breach that led to the public release of first and last name, username, and password for more than 11,000 registered users in their electronic bookstore. Data leaked as part of Operation AntiSec, a movement that includes Anonymous, LulzSec, as well as hacking groups and other individuals. The purpose of AntiSec is to expose personal, sensitive, and confined information to the world, in whatever way it takes.
- On July 11, 2011, Booz Allen Hamilton, a consulting firm working for the Pentagon, kept their servers hacked by Anonymous and leaked on the same day. "Leaks, nicknamed 'Military Meltdown Monday,' include 90,000 login military personnel - including personnel from USCENTCOM, SOCOM, Marine Corps, Air Force facilities, Homeland Security, State Department staff, and what looks like private sector contractors." The leaked password is finally washed in SHA1, and then decrypted and analyzed by the ADC team at Imperva, revealing that even military personnel are looking for shortcuts and ways around the password requirements.
Alternative for passwords for authentication
That "password is dead" is a recurring idea in computer security. This often accompanies the argument that switching passwords by means of more secure authentication is important and immediate. These claims have been made by many people since at least 2004. Specifically, Bill Gates, speaking at the 2004 RSA Conference foresees the loss of a password saying "they do not meet the challenge for anything you really want to secure." In 2011 IBM estimated that, within five years, "You will never need a password again." Matt Honan, a journalist at Wired, who was the victim of a hacking incident, wrote in 2012, "The age of the password has ended." Heather Adkins, Information Security manager at Google, said in 2013 that "passwords are done on Google." Eric Grosse, Deputy Director of Security Engineering at Google, stated that "simple passwords and token carriers, such as cookies, are no longer enough to keep users safe." Christopher Mims, writing in the Wall Street Journal said the password "eventually died" and predicted their replacement with device-based authentication. Avivah Litan from Gartner said in 2014 "The passwords have died a few years ago and now they are more than dead." The reasons given often include references to usability as well as password security issues.
Claims that "password is dead" are often used by alternative proponents for passwords, such as biometrics, two-factor authentication or single sign-on. Many initiatives have been launched with the explicit purpose of deleting passwords. These include Microsoft's Cardspace, the Higgins project, the Liberty Alliance, the NSTIC, the FIDO Alliance and the various proposals of Identity 2.0. Jeremy Grant, head of the NSTIC initiative, states "Passwords are a disaster from a security perspective, we want to shoot them dead." The FIDO Alliance promises "passwordless experience" in the 2015 specification document.
Regardless of this prediction and attempts to replace it, the password still appears as the dominant form of authentication on the web. In "The Persistence of Passwords," Cormac Herley and Paul van Oorschot suggest that every effort should be made to end the "false incorrect assumption" that the password has died. They argue that "no other single technology fits into a combination of cost, proximity, and convenience" and that "the password itself is most appropriate for the many scenarios in which they are currently in use."
Website password system
The password is used on the website to authenticate users and is usually maintained on the Web server, which means the browser on the remote system sends the password to the server (by HTTP POST), the server checks the password and resends the relevant content (or access denied messages). This process eliminates the possibility of local reverse engineering because the code used to authenticate passwords does not exist on the local machine.
Transmission of passwords, through a browser, in plaintext means it can be intercepted along the way to the server. Many web authentication systems use SSL to create encrypted sessions between browsers and servers, and usually the underlying meaning of claims of having a "secure website". This is done automatically by the browser and improves session integrity, assuming no end is compromised and the implementation of SSL/TLS being used is of high quality.
See also
References
External links
- Graphic Password: A Survey
- A list of commonly used passwords
- A large collection of statistics about passwords
- Research Paper on Password Cryptography
- International password conference
- Suggested Procedures for Organizations and Administrators (PDF)
- Network Security, Communications and Research Center, University of Plymouth (PDF)
- 2017 update draft to NIST's standard password for U.S. federal government
Source of the article : Wikipedia