
    Password

    From Network Dictionary Wiki


    A password is an unspaced sequence of characters used to determine that a computer user requesting access to a computer system is really that particular user.


Security and convenience

In controlling access to anything, trade-offs are made between security and convenience. If a resource is protected by a password, then security is increased with a consequent loss of convenience for users. The amount of security and inconvenience inherent in a particular password system or policy is affected by several factors addressed below. However, there is generally no one universal best way to set a proper balance between security and convenience for all cases.

Some password-protected systems pose little or no risk to a user if compromised, for example a password allowing access to a free information web site. Others pose modest economic or privacy risk, for example a password used to access e-mail or a security lock code for a mobile telephone. Still others could have very serious consequences if compromised, such as passwords used to limit access to AIDS treatment records or to control a power transmission grid.

Factors in the security of a password system

The security of a password-protected system depends on several factors. The system must, of course, be designed for sound overall security. See computer security and computer insecurity. Here are some password management issues that must be considered:

Rate at which an attacker can try out guessed passwords

The rate at which an attacker can submit guessed passwords is a key factor in determining system security. Some systems impose a long timeout after a small number (e.g. 3) of failed password entry attempts. Absent other vulnerabilities, such systems can be secure with relatively simple passwords, as long as they are not easily guessed. Examples of passwords that are easily guessed include the name of a relative or pet, automobile license plate numbers and default passwords such as admin or 1234.

Other systems store or transmit a cryptographic hash of the password in a manner that makes the hash value accessible to an attacker. When this is done, and it is very common, an attacker can work off-line, rapidly testing candidate passwords against the true password's hash value. Lists of common passwords are widely available and can further speed the process. See Password cracking. Passwords that are used to generate cryptographic keys, e.g. for disk encryption or Wi-Fi security, are also subject to high-rate guessing. Stronger passwords are needed in such systems.

Form of stored passwords

Some computer systems store passwords as plain text. If an attacker gains access to the password file, all passwords are compromised. If some users employ the same password for multiple accounts, those will be compromised as well. More secure systems store each password in a cryptographically protected form, so access to the actual password will be difficult for a snooper who gains internal access to the system, whilst validation still remains possible.

    A common cryptographic scheme stores only a "hashed" form of the plaintext password. When a user types in a password on such a system, it is run through the hashing algorithm, and if the hash value generated from the user's entry matches the hash stored in the password database, the user is permitted access. The hash value is created by applying a cryptographic hash function to a string consisting of the password and, usually, another value known as a salt. The salt prevents attackers from building a list of hash values for common passwords. MD5 and SHA1 are frequently used cryptographic hash functions. A modified version of DES was used in early Unix systems.

    The UNIX DES function was iterated to make the hash function slow, to further frustrate automated guessing attacks. A more flexible function for iterated hashed passwords is described in PKCS-5.

If the hash function is well designed, it is computationally infeasible to reverse it to find the plaintext directly. However, many systems do not protect their hashed passwords adequately, and if an attacker can gain access to the hashed values he can use widely available tools that hash every word from some collection, such as a dictionary, and compare the results against the stored hashes. Long lists of possible passwords in many languages are widely available, and the tools try common variations as well. The existence of these dictionary-attack tools demonstrates the relative strengths of different password choices against such attacks. Use of a key derivation function can reduce this risk.
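The salted, iterated scheme the preceding paragraphs describe (a PKCS #5 style PBKDF2 over SHA-256), as an added example that is not part of the original article. The iteration count, salt length and the `algorithm$iterations$salt$hash` record format are assumptions chosen for illustration; the unsalted MD5 function is included only to show the weakness the article warns about.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example: a random 16-byte salt per password and
# an iteration count high enough to slow off-line guessing noticeably.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a stored record 'pbkdf2_sha256$iterations$salt$hash' (hex fields).

    The salt and iteration count are stored next to the hash so that a later
    verification can repeat exactly the same derivation.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh, unpredictable salt for each password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-run the derivation with the stored salt/iterations and compare."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False  # unknown or legacy scheme: refuse rather than guess
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so the check itself does not leak timing information.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def unsalted_md5(password: str) -> str:
    """The weak form: same password, same hash, so a precomputed list works."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salts_differ(password: str) -> bool:
    """Two users choosing the same password get different stored records."""
    return hash_password(password) != hash_password(password)
```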