Shopping on line can be easy, simple and save you lots of money. It can also take a lot of your time, frustrate you, and result in unwanted purchases. Now the same can be said for regular high street shopping, but with the vast opportunity presented by the Internet it will pay you to spend a few minutes reading this and understanding how to better optimize your Password shopping experience:

1. Compare - without doubt the biggest advantage that the Password offers shoppers today is the ability to compare thousands of Password at a time. This is a great thing, but not necessarily all the time! Too much can be daunting at times so take advantage of the great comparison sites and where possible let them do the hard work for you.

2. Research - if it has been said it will be on the internet. Ignorance is no longer a justifiable reason for buying the wrong thing. Take the time to research in detail everything that you could possible want to know about

3. Testimonials - don't know anybody that has bought a Password? Wrong! If the Password is good the internet will let you know. Use the Internet as a friend and get testimonials before you buy.

4. Questions - Got a question about Password then search the Forums, FAQ's, Blogs etc. Don't be afraid to ask .....

5. Reputation - Never heard of the company selling Password? Don't worry, no reason why you should know every company in the world, but you know someone that does! Use the internet to find out what people are saying about Password and build up a picture of their reputation for sales, returns, customer service, delivery etc.

6. Returns - still worried that even after all of the above your Password wont be what you want? Check out the returns policy. There is so much competition now that someone, somewhere is bound to offer the terms that you are comfortable with.

7. Feedback - happy with your Password then let people know, after all you are depending on others people input in your buying decision, so why not give a little back.

8. Security - check for the yellow padlock on the Password site before you buy, and the s after http:/ /i.e. https:// = a secure site

9. Contact - got a question about Password, or want to leave a comment then check out the sites contact page. Reputable companies have them and respond.

10. Payment - ready to pay for your Password, then use your credit card or PayPal! Be aware of companies that don't accept them, there may be genuine reasons but given the huge amount of choice you have when buying online there is no reason at all not to buy via credit card or PayPal.



A password is a form of secret authentication data that is used to control access to a resource. The password is kept secret from those not allowed access, and those wishing to gain access are tested on whether or not they know the password and are granted or denied access accordingly.

The use of passwords goes back to ancient times. Sentries guarding a location would challenge for a password. They would only allow a person in if they knew the password. In modern times, passwords are used to access control to protected computer operating systems, mobile phones, cable TV decoders, Automated Teller Machine (ATMs), etc. A typical computer user may require passwords for many purposes: logging in to computer accounts, retrieving email from servers, accessing files, databases, networks, web sites, and even reading the morning newspaper online.

Despite the name, there is no need for passwords to be actual words; indeed passwords which are not actual words are harder to guess (a desirable property), but are generally harder for users to remember (an undesirable property). Note that password is often used to describe what would be more accurately called a passphrase. Passcode is sometimes taken to imply that the information used is purely numeric, such as the personal identification number (PIN) commonly used for ATM access. Passwords are generally short enough to be memory.

Designing a personal, user-friendly password Passwords vary in the degree of public awareness, security protection and frequency of change. The most public, and therefore least secure, password might be one that is given to members of a group, a committee or some other organization. For instance, "publiclibrary", "internet", "AAAfinancecommittee" or "password" are all examples of easily remembered passwords, more or less publicly known passwords.

Less easily attacked passwords might be built from such a basic form, for instance, "smith12nov34street" or "AAAchairpersonSUE". These are slightly more secure, but being relatively easily predictable should not be relied upon to actually block unauthorized access. Effective access control requires passwords which are more difficult to guess or to find automatically, less publicly known (ideally not at all), and these are the subject of much of the rest of this article.

Security and convenience In controlling access to anything, trade-offs are made between security and convenience. If a resource is protected by a password, then security is increased with a consequent loss of convenience for users. The amount of security and inconvenience inherent in a particular password system or policy are affected by several factors addressed below. However, there is generally no one universal 'best' way to set a balance between security and convenience for all cases.

Some password protected systems pose little or no risk to a user if compromised, for example a password allowing access to a free information web site with no confidential data. Others pose modest economic or privacy risk, as for instance a password used to access e-mail or a security lock code for a mobile telephone. Still others could have very serious consequences if compromised, such as passwords used to limit access to AIDS treatment records, control a power transmission grid, or access to personnel records (consider the risk of identity theft in this instance).

Factors in the security of a password system The security of a password-protected system depends on several factors. The system must, of course, be designed for sound overall security, without which no password protection can have any significance. Early passwords on many systems were limited to a few numbers, or upper-case-letters, only often in prescribed patterns limiting the number of possible passwords. Most passwords today usually have fewer such limits. User input is determined by several limiting factors: allowable inputs (numbers / letters, non-visual codes and/or other keys / device inputs), minimum & maximum of time required for input, availability of cut / delete / paste / copy for input, and error/noise tolerance errors in the password or communications input. Some system administrators also enforce other limitations on passwords, such as compulsory change schedules, safe-password analysis feedback, and compulsory length / composition limits. See computer security and computer insecurity.

Here are some password management issues that must be considered:

Rate at which an attacker can try out guessed passwords The rate at which an attacker can submit guessed passwords to the system is a key factor in determining system security. Some systems impose a long time out (several seconds) after a small number (e.g., a maximum of three) of failed password entry attempts. Absent other vulnerabilities, such systems can be secure with relatively simple passwords, if they are not easily guessed. Examples of passwords that are easily guessed include the name of a relative or pet, an automobile license plate number, and such default passwords as admin, 123456, or letmein.

Other systems store or transmit a cryptographic hash of the password in a manner that makes the hash value accessible to an attacker. When this is done, and it is very common (to most observers' surprise or despair), an attacker can work off-line, rapidly testing candidate passwords against the true password's hash value.

Lists of common passwords are widely available and can further speed the process. (See Password cracking.) A sufficiently complex password used in a system with a good hash algorithm can defeat such attacks as the work factor imposed on such an attacker can be made impossible in practice. Passwords that are used to generate cryptographic keys, e.g. for disk encryption or Wi-Fi security, are also subject to high rate guessing. Stronger passwords are needed in such systems.

Form of stored passwords Some computer systems store passwords, against which to compare user attempts, as cleartext. If an attacker gains access to such an internal password file, all passwords would be compromised. If some users employ the same password for multiple accounts, those will be compromised as well. More secure systems store each password in a cryptographically protected form, so access to the actual password will be difficult for a snooper who gains internal access to the system, while validation still remains possible.

Email is sometimes used to distribute passwords. Since most email is sent as cleartext, it is available without effort during transport to any eavesdropper. Further, it will be stored on at least two computers as cleartext -- the sender's and the receipients's. If it passes through intermediate systems during its travels, it will likely be stored on those as well. Emailed passwords are generally an insecure method of distribution.

A common cryptographically based scheme stores only a "hashed" form of the plaintext password. When a user types in a password on such a system, it is run through the hashing algorithm, and if the hash value generated from the user's entry matches the hash stored in the password database, the user is permitted access. The hash value is created by applying a cryptographic hash function to a string consisting of the submitted password and, usually, another value known as a salt (cryptography). The salt prevents attackers from building a list of hash values for common passwords. MD5 and SHA1 are frequently used cryptographic hash functions. A modified version of Data Encryption Standard was used in early Unix systems.

The UNIX DES function was iterated to make the hash function slow, to further frustrate automated guessing attacks, and used the password candidate as a key to encrypt a fixed value, thus blocking yet another attack on the password hashing system. A more flexible function for iterated hashed passwords is described in PBKDF2.

If the hash function is well designed, it will be computationally infeasible to reverse it to find the plaintext directly. However, many systems do not protect their hashed passwords adequately, and if an attacker can gain access to hashed values he can use widely available tools which compare the encrypted outcome of every word from some collection, such as a dictionary. Long lists of possible passwords in many languages are widely available (eg, on the Internet) and the tools try common variations as well. The existence of these dictionary attack tools demonstrates the relative strengths of different password choices against such attacks. Use of a key derivation function can reduce this risk.

A poorly designed hash function can make attacks feasible even if a strong password is chosen. See LM hash for a widely deployed example.

Methods of verifying a password over a network A variety of methods have been used to verify passwords in a network setting:

Simple transmission of the password Passwords can be vulnerable to interception (ie, "snooping") while being transmitted to the authenticating machine or person. If the password is carried as electrical signals on unsecured physical wiring between the user access point and the central system controlling the password database, it is subject to snooping by Telephone tapping methods. If it is carried as packetitzed data over the Internet, anyone able to watch the packets containing the logon information can snoop with a very low probability of detection.

An example of cleartext transmission of passwords is this website. When you log into your Wikipedia account (if you are not an administrator) your username and password are sent from your computer through the Internet via cleartext. Anyone can read them in transit and potentially log into your account. But because anyone can gain access to the site—without logging in—there is little need to encrypt transmissions.

Another example of transmission vulnerability is email. Emailed passwords may be read by anyone with access to the transmission medium. Using client-side encryption will only protect transmission from the POP server to the client. Previous or subsequent relays of the email will not be protected and the email will be stored on multiple computers in cleartext.

Transmission through encrypted channels The risk of interception of passwords sent over the Internet can be reduced by, among other approaches, using the Transport Layer Security (TLS, previously called SSL) feature built into many Internet browsers. Most browsers display a closed lock icon when TLS is in use. See cryptography for other ways in which the passing of information can be made more secure.

Hash-based challenge-response methods Unfortunately, there is a conflict between stored hashed-passwords and hash-based challenge-response authentication; the latter requires a client to prove to a server that he knows what the shared secret (ie, password) is, and to do this, the server must be able to obtain the shared secret from its stored form. On Unix-type systems doing remote authentication, the shared secret usually becomes the hashed form and has the serious limitation of exposing passwords to offline guessing attacks.

Zero-knowledge password proofs Rather than transmitting the password, password-authenticated key agreement systems can perform a zero-knowledge password proof, which proves knowledge of the password without exposing it.

Moving a step further, augmented systems for password-authenticated key agreement (e.g. Authentication and key agreement via Memorable Passwords, B-SPEKE, PAK-Z, SRP-6) avoid both the conflict and limitation of hash-based methods; An augmented system allows a client to prove knowledge of the password to a server, where the server knows only a (not exactly) hashed password, and where the unhashed password is required to gain access.

Procedures for changing passwords Usually, a system must provide a way to change a password, either because a user believes the current password has been (or might have been) compromised, or as a precautionary measure. If a new password is passed to the system in an unencrypted form, security can be lost (e.g., via wiretapping) even before the new password can even be installed in the password database. If the new password is given to a compromised employee, little is gained. Some web sites include the user-selected password in an unencrypted confirmation e-mail message, with the obvious increased vulnerability.

Identity management systems are increasingly used to automate issuance of replacements for lost passwords, a feature called self service password reset. The user's identity is verified by asking questions and comparing the answers to ones previously stored (ie, at account initialization). Typical questions include "Where were you born?," "What is your favorite movie?" or "What is the name of your pet?" In many cases the answers to these questions can be relatively easily guessed, determined by research, or obtained through social engineering (computer security), and so this is less than reliable as a verification technique. While many users have been trained never to reveal a password, few consider the name of their favorite movie to require similar care.

Password longevity "Password aging" is a feature of some operating systems which forces users to change passwords frequently (eg, quarterly, monthly or even more often), thus ensuring that a stolen password will become unusable more or less quickly. Most users are not so familiar with passwords and computers as to be comfortable with this, so such policies usually earn some protest and foot-dragging at best and hostility at worst. These features are therefore not always used. In any case, the security benefits are limited because attackers often exploit a password as soon as it is compromised. In many cases, particularly with administrative or "root" accounts, once an attacker has gained access, he can make alterations to the operating system that will allow him future access even after the initial password he used expires (one example of this is a rootkit).

Forcing password change too frequently may make users more likely to forget which password is current, and there is a consequent temptation for users to either write their password down or to reuse an earlier password, which may negate any added security benefit. Implementing such a policy requires careful consideration of the relevant human factors.

Number of users per password Sometimes a single password controls access to a device, for example, for a network router, or password-protected mobile phone. However, in the case of a computer security, a password is usually stored for each user name, thus making all access traceable (save, of course, in the case of users sharing passwords).A would-be user must give a name as well as a password. If the user supplies a password matching the one stored for the supplied user name, he or she is permitted further access into the computer system. This is also the case for a cash machine, except that the user name is the account number stored on the bank customer's card, and the PIN is usually quite short (4 to 6 digits).

Allotting separate passwords to each user of a system is preferable to having a single password shared by legitimate users of the system, certainly from a security viewpoint. This is partly because users are more willing to tell another person (who may not be authorized) a shared password than one exclusively for their use. Single passwords are also much less convenient to change because many people need to be told at the same time, and they make removal of a particular user's access more difficult. Per-user passwords are also essential if users are to be held accountable for their activities, such as making financial transactions or viewing medical records.

Design of the protected software Common techniques used to improve the security of software systems protected by a password include:



Some of the more stringent policy enforcement measures can pose a risk of alienating users, possibly decreasing security.Be safe

Factors in the security of an individual password Studies of production computer systems have for decades consistently shown that about 40% of all user-chosen passwords are readily guessed automatically, and still more with some individual research regarding a particular user. Password strength is the likelihood that a password cannot be guessed or discovered by an Authentication person or computer. Passwords easily guessed are termed weak or vulnerable; passwords very difficult or impossible to guess are considered strong.

Alternatives to passwords for access control The numerous ways in which reusable passwords can be compromised has prompted the development of other techniques. Unfortunately, few of them have become universally available for users seeking a more secure alternative.



Graphical passwords are an alternative means of authentication for log-in intended to be used in place of conventional password; they utilize images instead of Plain text. In many implementations, the user is required to pick from a series of images in the correct sequence in order to gain access.

While some believe that graphical passwords would be harder to Password cracking, others suggest that people will be just as likely to pick common images or sequences as they are to pick common passwords.

Website password systems Passwords are used on websites to authenticate users and are usually server-side, meaning the browser sends the password to the server (by HTTP POST), the server checks the password and sends back the relevant content (or an access denied message). This process eliminates the possibility of local reverse engineering as the code used to authenticate the password does not reside on the local machine.

The transmission of the password through the browser in plaintext means it can be intercepted along its journey to the server. Most web authentication systems use SSL to establish an encrypted session between the browser and the server. This is done automatically by the browser and ensures integrity of the session.

So-called website password and membership management systems often involve the use of Java (programming language) or JavaScript code existing on the client side (meaning the visitor's web browser) HTML source code (for example, AuthPro). Drawbacks to such systems are the relative ease in bypassing or circumventing the protection by switching off JavaScript and Meta redirects in the browser, thereby gaining access to the protected web page. Others take advantage of server-side scripting languages such as Active Server Pages or PHP to authenticate users on the server before delivering the source code to the browser. Popular systems such as Sentry Login and Password Sentry take advantage of technology in which web pages are protected using such scripting language code snippets placed in front of the HTML code in the web page source saved in the appropriate extension on the server, such as .asp or .php. For additional security, many of the larger websites, such as Yahoo and Google, use the Python (programming language) programming language for controlling and maintaining secrecy of the pages they dynamically serve to the browser and completely obfuscate any reference to file names in the URL that appears in the address window of the browser. False security It is customary to design password-verification systems such that the user cannot see what he/she types: instead of echoing the characters typed, a series of question marks or asterisks is displayed.This may have been a good idea once—in the days of UNIX time-sharing systems, where users talked to a computer via terminals, or in terminals or computers shared by many users, as in libraries, where it is actually possible for someone to look over the user's shoulder—but it has significant disadvantages. Most importantly, if a person makes a typing mistake once, he/she is likely to make it twice, unless he/she can actually see what characters were typed: muscles tend to repeat themselves. In the worst case, this can happen when the user is initially creating a password and is required to type it twice. A person who twice typed a password that is different from the intended one will never be able to use it: this is a common reason for a user to get an "invalid password" error every time he/she tries to log in. Unfortunately, this a common occurrence, and it is an occurrence that is an inevitable result of misguided design principles.

Password cracking Attempting to Password cracking passwords by trying as many possibilities as time and money permit is a brute force attack. A related method, rather more efficient in most cases, is a dictionary attack. In a dictionary attack, all words in one or more dictionaries are tested.

There are several programs available for password auditing and recovery such as L0phtCrack, John the Ripper, and Cain (software); some of which use password design vulnerabilities (as in the Microsoft LANManager system) to increase efficiency. Some are useful to system administrators as any password which can be found using one of these programs is most definitely a weak password and should be rejected as an unacceptable password choice.

According to Bruce Schneier, the most commonly used password is password1. http://www.wired.com/politics/security/commentary/securitymatters/2006/12/72300

History of passwords Passwords or watchwords have been used since ancient times. Polybius describes the system for distribution watchwords in the Military of ancient Rome as follows: The way in which they secure the passing round of the watchword for the night is as follows: from the tenth Maniple (military unit) of each class of infantry and cavalry, the maniple which is encamped at the lower end of the street, a man is chosen who is relieved from guard duty, and he attends every day at sunset at the tent of the tribune, and receiving from him the watchword - that is a wooden tablet with the word inscribed on it - takes his leave, and on returning to his quarters passes on the watchword and tablet before witnesses to the commander of the next maniple, who in turn passes it to the one next him. All do the same until it reaches the first maniples, those encamped near the tents of the tribunes. These latter are obliged to deliver the tablet to the tribunes before dark. So that if all those issued are returned, the tribune knows that the watchword has been given to all the maniples, and has passed through all on its way back to him. If any one of them is missing, he makes inquiry at once, as he knows by the marks from what quarter the tablet has not returned, and whoever is responsible for the stoppage meets with the punishment he merits. http://ancienthistory.about.com/library/bl/bl_text_polybius6.htm

Passwords have been used with computers since the earliest days of computing. MIT's CTSS, one of the first time sharing systems, was introduced in 1961. It had a LOGIN command that requested a user password. "After typing PASSWORD, the system turns off the printing mechanism, if possible, so that the user may type in his password with privacy." CTSS Programmers Guide, 2nd Ed., 1965 Robert Morris (cryptographer) invented the idea of storing login passwords in a hashed form as part of the Unix operating system. His algorithm, know as crypt (Unix), used a 12-bit salt (cryptography) and invoked a modified form of the Data Encryption Standard algorithm 25 times to reduce the risk of dictionary attacks.

See also

References

External links

A password is a form of secret authentication data that is used to control access to a resource. The password is kept secret from those not allowed access, and those wishing to gain access are tested on whether or not they know the password and are granted or denied access accordingly.

The use of passwords goes back to ancient times. Sentries guarding a location would challenge for a password. They would only allow a person in if they knew the password. In modern times, passwords are used to access control to protected computer operating systems, mobile phones, cable TV decoders, Automated Teller Machine (ATMs), etc. A typical computer user may require passwords for many purposes: logging in to computer accounts, retrieving email from servers, accessing files, databases, networks, web sites, and even reading the morning newspaper online.

Despite the name, there is no need for passwords to be actual words; indeed passwords which are not actual words are harder to guess (a desirable property), but are generally harder for users to remember (an undesirable property). Note that password is often used to describe what would be more accurately called a passphrase. Passcode is sometimes taken to imply that the information used is purely numeric, such as the personal identification number (PIN) commonly used for ATM access. Passwords are generally short enough to be memory.

Designing a personal, user-friendly password Passwords vary in the degree of public awareness, security protection and frequency of change. The most public, and therefore least secure, password might be one that is given to members of a group, a committee or some other organization. For instance, "publiclibrary", "internet", "AAAfinancecommittee" or "password" are all examples of easily remembered passwords, more or less publicly known passwords.

Less easily attacked passwords might be built from such a basic form, for instance, "smith12nov34street" or "AAAchairpersonSUE". These are slightly more secure, but being relatively easily predictable should not be relied upon to actually block unauthorized access. Effective access control requires passwords which are more difficult to guess or to find automatically, less publicly known (ideally not at all), and these are the subject of much of the rest of this article.

Security and convenience In controlling access to anything, trade-offs are made between security and convenience. If a resource is protected by a password, then security is increased with a consequent loss of convenience for users. The amount of security and inconvenience inherent in a particular password system or policy are affected by several factors addressed below. However, there is generally no one universal 'best' way to set a balance between security and convenience for all cases.

Some password protected systems pose little or no risk to a user if compromised, for example a password allowing access to a free information web site with no confidential data. Others pose modest economic or privacy risk, as for instance a password used to access e-mail or a security lock code for a mobile telephone. Still others could have very serious consequences if compromised, such as passwords used to limit access to AIDS treatment records, control a power transmission grid, or access to personnel records (consider the risk of identity theft in this instance).

Factors in the security of a password system The security of a password-protected system depends on several factors. The system must, of course, be designed for sound overall security, without which no password protection can have any significance. Early passwords on many systems were limited to a few numbers, or upper-case-letters, only often in prescribed patterns limiting the number of possible passwords. Most passwords today usually have fewer such limits. User input is determined by several limiting factors: allowable inputs (numbers / letters, non-visual codes and/or other keys / device inputs), minimum & maximum of time required for input, availability of cut / delete / paste / copy for input, and error/noise tolerance errors in the password or communications input. Some system administrators also enforce other limitations on passwords, such as compulsory change schedules, safe-password analysis feedback, and compulsory length / composition limits. See computer security and computer insecurity.

Here are some password management issues that must be considered:

Rate at which an attacker can try out guessed passwords The rate at which an attacker can submit guessed passwords to the system is a key factor in determining system security. Some systems impose a long time out (several seconds) after a small number (e.g., a maximum of three) of failed password entry attempts. Absent other vulnerabilities, such systems can be secure with relatively simple passwords, if they are not easily guessed. Examples of passwords that are easily guessed include the name of a relative or pet, an automobile license plate number, and such default passwords as admin, 123456, or letmein.

Other systems store or transmit a cryptographic hash of the password in a manner that makes the hash value accessible to an attacker. When this is done, and it is very common (to most observers' surprise or despair), an attacker can work off-line, rapidly testing candidate passwords against the true password's hash value.

Lists of common passwords are widely available and can further speed the process. (See Password cracking.) A sufficiently complex password used in a system with a good hash algorithm can defeat such attacks as the work factor imposed on such an attacker can be made impossible in practice. Passwords that are used to generate cryptographic keys, e.g. for disk encryption or Wi-Fi security, are also subject to high rate guessing. Stronger passwords are needed in such systems.

Form of stored passwords Some computer systems store passwords, against which to compare user attempts, as cleartext. If an attacker gains access to such an internal password file, all passwords would be compromised. If some users employ the same password for multiple accounts, those will be compromised as well. More secure systems store each password in a cryptographically protected form, so access to the actual password will be difficult for a snooper who gains internal access to the system, while validation still remains possible.

Email is sometimes used to distribute passwords. Since most email is sent as cleartext, it is available without effort during transport to any eavesdropper. Further, it will be stored on at least two computers as cleartext -- the sender's and the receipients's. If it passes through intermediate systems during its travels, it will likely be stored on those as well. Emailed passwords are generally an insecure method of distribution.

A common cryptographically based scheme stores only a "hashed" form of the plaintext password. When a user types in a password on such a system, it is run through the hashing algorithm, and if the hash value generated from the user's entry matches the hash stored in the password database, the user is permitted access. The hash value is created by applying a cryptographic hash function to a string consisting of the submitted password and, usually, another value known as a salt (cryptography). The salt prevents attackers from building a list of hash values for common passwords. MD5 and SHA1 are frequently used cryptographic hash functions. A modified version of Data Encryption Standard was used in early Unix systems.

The UNIX DES function was iterated to make the hash function slow, to further frustrate automated guessing attacks, and used the password candidate as a key to encrypt a fixed value, thus blocking yet another attack on the password hashing system. A more flexible function for iterated hashed passwords is described in PBKDF2.

If the hash function is well designed, it will be computationally infeasible to reverse it to find the plaintext directly. However, many systems do not protect their hashed passwords adequately, and if an attacker can gain access to hashed values he can use widely available tools which compare the encrypted outcome of every word from some collection, such as a dictionary. Long lists of possible passwords in many languages are widely available (eg, on the Internet) and the tools try common variations as well. The existence of these dictionary attack tools demonstrates the relative strengths of different password choices against such attacks. Use of a key derivation function can reduce this risk.

A poorly designed hash function can make attacks feasible even if a strong password is chosen. See LM hash for a widely deployed example.

Methods of verifying a password over a network A variety of methods have been used to verify passwords in a network setting:

Simple transmission of the password Passwords can be vulnerable to interception (ie, "snooping") while being transmitted to the authenticating machine or person. If the password is carried as electrical signals on unsecured physical wiring between the user access point and the central system controlling the password database, it is subject to snooping by Telephone tapping methods. If it is carried as packetitzed data over the Internet, anyone able to watch the packets containing the logon information can snoop with a very low probability of detection.

An example of cleartext transmission of passwords is this website. When you log into your Wikipedia account (if you are not an administrator) your username and password are sent from your computer through the Internet via cleartext. Anyone can read them in transit and potentially log into your account. But because anyone can gain access to the site—without logging in—there is little need to encrypt transmissions.

Another example of transmission vulnerability is email. Emailed passwords may be read by anyone with access to the transmission medium. Using client-side encryption will only protect transmission from the POP server to the client. Previous or subsequent relays of the email will not be protected and the email will be stored on multiple computers in cleartext.

Transmission through encrypted channels The risk of interception of passwords sent over the Internet can be reduced by, among other approaches, using the Transport Layer Security (TLS, previously called SSL) feature built into many Internet browsers. Most browsers display a closed lock icon when TLS is in use. See cryptography for other ways in which the passing of information can be made more secure.

Hash-based challenge-response methods Unfortunately, there is a conflict between stored hashed-passwords and hash-based challenge-response authentication; the latter requires a client to prove to a server that he knows what the shared secret (ie, password) is, and to do this, the server must be able to obtain the shared secret from its stored form. On Unix-type systems doing remote authentication, the shared secret usually becomes the hashed form and has the serious limitation of exposing passwords to offline guessing attacks.

Zero-knowledge password proofs Rather than transmitting the password, password-authenticated key agreement systems can perform a zero-knowledge password proof, which proves knowledge of the password without exposing it.

Moving a step further, augmented systems for password-authenticated key agreement (e.g. Authentication and key agreement via Memorable Passwords, B-SPEKE, PAK-Z, SRP-6) avoid both the conflict and limitation of hash-based methods; An augmented system allows a client to prove knowledge of the password to a server, where the server knows only a (not exactly) hashed password, and where the unhashed password is required to gain access.

Procedures for changing passwords Usually, a system must provide a way to change a password, either because a user believes the current password has been (or might have been) compromised, or as a precautionary measure. If a new password is passed to the system in an unencrypted form, security can be lost (e.g., via wiretapping) even before the new password can even be installed in the password database. If the new password is given to a compromised employee, little is gained. Some web sites include the user-selected password in an unencrypted confirmation e-mail message, with the obvious increased vulnerability.

Identity management systems are increasingly used to automate issuance of replacements for lost passwords, a feature called self service password reset. The user's identity is verified by asking questions and comparing the answers to ones previously stored (ie, at account initialization). Typical questions include "Where were you born?," "What is your favorite movie?" or "What is the name of your pet?" In many cases the answers to these questions can be relatively easily guessed, determined by research, or obtained through social engineering (computer security), and so this is less than reliable as a verification technique. While many users have been trained never to reveal a password, few consider the name of their favorite movie to require similar care.

Password longevity "Password aging" is a feature of some operating systems which forces users to change passwords frequently (eg, quarterly, monthly or even more often), thus ensuring that a stolen password will become unusable more or less quickly. Most users are not so familiar with passwords and computers as to be comfortable with this, so such policies usually earn some protest and foot-dragging at best and hostility at worst. These features are therefore not always used. In any case, the security benefits are limited because attackers often exploit a password as soon as it is compromised. In many cases, particularly with administrative or "root" accounts, once an attacker has gained access, he can make alterations to the operating system that will allow him future access even after the initial password he used expires (one example of this is a rootkit).

Forcing password change too frequently may make users more likely to forget which password is current, and there is a consequent temptation for users to either write their password down or to reuse an earlier password, which may negate any added security benefit. Implementing such a policy requires careful consideration of the relevant human factors.

Number of users per password Sometimes a single password controls access to a device, for example, for a network router, or password-protected mobile phone. However, in the case of a computer security, a password is usually stored for each user name, thus making all access traceable (save, of course, in the case of users sharing passwords).A would-be user must give a name as well as a password. If the user supplies a password matching the one stored for the supplied user name, he or she is permitted further access into the computer system. This is also the case for a cash machine, except that the user name is the account number stored on the bank customer's card, and the PIN is usually quite short (4 to 6 digits).

Allotting separate passwords to each user of a system is preferable to having a single password shared by legitimate users of the system, certainly from a security viewpoint. This is partly because users are more willing to tell another person (who may not be authorized) a shared password than one exclusively for their use. Single passwords are also much less convenient to change because many people need to be told at the same time, and they make removal of a particular user's access more difficult. Per-user passwords are also essential if users are to be held accountable for their activities, such as making financial transactions or viewing medical records.

Design of the protected software Common techniques used to improve the security of software systems protected by a password include:



Some of the more stringent policy enforcement measures can pose a risk of alienating users, possibly decreasing security.Be safe

Factors in the security of an individual password Studies of production computer systems have for decades consistently shown that about 40% of all user-chosen passwords are readily guessed automatically, and still more with some individual research regarding a particular user. Password strength is the likelihood that a password cannot be guessed or discovered by an Authentication person or computer. Passwords easily guessed are termed weak or vulnerable; passwords very difficult or impossible to guess are considered strong.

Alternatives to passwords for access control The numerous ways in which reusable passwords can be compromised has prompted the development of other techniques. Unfortunately, few of them have become universally available for users seeking a more secure alternative.



Graphical passwords are an alternative means of authentication for log-in intended to be used in place of conventional password; they utilize images instead of Plain text. In many implementations, the user is required to pick from a series of images in the correct sequence in order to gain access.

While some believe that graphical passwords would be harder to Password cracking, others suggest that people will be just as likely to pick common images or sequences as they are to pick common passwords.

Website password systems Passwords are used on websites to authenticate users and are usually server-side, meaning the browser sends the password to the server (by HTTP POST), the server checks the password and sends back the relevant content (or an access denied message). This process eliminates the possibility of local reverse engineering as the code used to authenticate the password does not reside on the local machine.

The transmission of the password through the browser in plaintext means it can be intercepted along its journey to the server. Most web authentication systems use SSL to establish an encrypted session between the browser and the server. This is done automatically by the browser and ensures integrity of the session.

So-called website password and membership management systems often involve the use of Java (programming language) or JavaScript code existing on the client side (meaning the visitor's web browser) HTML source code (for example, AuthPro). Drawbacks to such systems are the relative ease in bypassing or circumventing the protection by switching off JavaScript and Meta redirects in the browser, thereby gaining access to the protected web page. Others take advantage of server-side scripting languages such as Active Server Pages or PHP to authenticate users on the server before delivering the source code to the browser. Popular systems such as Sentry Login and Password Sentry take advantage of technology in which web pages are protected using such scripting language code snippets placed in front of the HTML code in the web page source saved in the appropriate extension on the server, such as .asp or .php. For additional security, many of the larger websites, such as Yahoo and Google, use the Python (programming language) programming language for controlling and maintaining secrecy of the pages they dynamically serve to the browser and completely obfuscate any reference to file names in the URL that appears in the address window of the browser. False security It is customary to design password-verification systems such that the user cannot see what he/she types: instead of echoing the characters typed, a series of question marks or asterisks is displayed.This may have been a good idea once—in the days of UNIX time-sharing systems, where users talked to a computer via terminals, or in terminals or computers shared by many users, as in libraries, where it is actually possible for someone to look over the user's shoulder—but it has significant disadvantages. Most importantly, if a person makes a typing mistake once, he/she is likely to make it twice, unless he/she can actually see what characters were typed: muscles tend to repeat themselves. In the worst case, this can happen when the user is initially creating a password and is required to type it twice. A person who twice typed a password that is different from the intended one will never be able to use it: this is a common reason for a user to get an "invalid password" error every time he/she tries to log in. Unfortunately, this a common occurrence, and it is an occurrence that is an inevitable result of misguided design principles.

Password cracking Attempting to Password cracking passwords by trying as many possibilities as time and money permit is a brute force attack. A related method, rather more efficient in most cases, is a dictionary attack. In a dictionary attack, all words in one or more dictionaries are tested.

There are several programs available for password auditing and recovery such as L0phtCrack, John the Ripper, and Cain (software); some of which use password design vulnerabilities (as in the Microsoft LANManager system) to increase efficiency. Some are useful to system administrators as any password which can be found using one of these programs is most definitely a weak password and should be rejected as an unacceptable password choice.

According to Bruce Schneier, the most commonly used password is password1. http://www.wired.com/politics/security/commentary/securitymatters/2006/12/72300

History of passwords Passwords or watchwords have been used since ancient times. Polybius describes the system for distribution watchwords in the Military of ancient Rome as follows: The way in which they secure the passing round of the watchword for the night is as follows: from the tenth Maniple (military unit) of each class of infantry and cavalry, the maniple which is encamped at the lower end of the street, a man is chosen who is relieved from guard duty, and he attends every day at sunset at the tent of the tribune, and receiving from him the watchword - that is a wooden tablet with the word inscribed on it - takes his leave, and on returning to his quarters passes on the watchword and tablet before witnesses to the commander of the next maniple, who in turn passes it to the one next him. All do the same until it reaches the first maniples, those encamped near the tents of the tribunes. These latter are obliged to deliver the tablet to the tribunes before dark. So that if all those issued are returned, the tribune knows that the watchword has been given to all the maniples, and has passed through all on its way back to him. If any one of them is missing, he makes inquiry at once, as he knows by the marks from what quarter the tablet has not returned, and whoever is responsible for the stoppage meets with the punishment he merits. http://ancienthistory.about.com/library/bl/bl_text_polybius6.htm

Passwords have been used with computers since the earliest days of computing. MIT's CTSS, one of the first time sharing systems, was introduced in 1961. It had a LOGIN command that requested a user password. "After typing PASSWORD, the system turns off the printing mechanism, if possible, so that the user may type in his password with privacy." CTSS Programmers Guide, 2nd Ed., 1965 Robert Morris (cryptographer) invented the idea of storing login passwords in a hashed form as part of the Unix operating system. His algorithm, know as crypt (Unix), used a 12-bit salt (cryptography) and invoked a modified form of the Data Encryption Standard algorithm 25 times to reduce the risk of dictionary attacks.

See also

References

External links

Free Secure Password Generator - Random Passwords.
Password security is a real problem - all too often people use passwords that are too short, easily guessed or use the same password for multiple uses!

Passwords
When LSE arranges subscriptions to electronic resources it signs a license agreement which defines the terms and conditions of use. Important notice for users of Electronic ...

Password
Corporate Information and Computing Services

University of Liverpool - The Electronic Library
The University of Liverpool Library General Electronic Resources and password information ... Passwords. Most online library resources require no username and password to access ...

All about Passwords - Computing Services - University of Liverpool
All you need to know about passwords, password ageing and changing your password ... All about Passwords. All you need to know about passwords, password ageing and changing your ...

BBC NEWS | Magazine | What makes a good password?
We are leaving ourselves open to fraud online because of the passwords we use, says a campaign group. So what makes a good password?

PASSWORD
PASSWORD: Pest and disease mAnagement System Supporting Winter Oilseed Rape Decisions Home PASSWORD philosophy DSS elements: Pests Phoma

Passwords :Electronic resources :King's College London
Passwords for Electronic Resources ... These web pages are for the use of authorised King's users. To access these webpages you will need to login with your King's email username ...

password from FOLDOC
password < security > An arbitrary string of characters chosen by a user or system administrator and used to authenticate the user when he attempts to log on, in order to prevent ...

Passwords - Information Systems Services
Password Security. Passwords are important for your security. Your password:. - is 'key' to your account and your data. - is your secret - do NOT share your password.

 

Password



 
Copyright © 2008 Hintcenter.com - All rights reserved.
Home | Terms of Use | Privacy Policy
All Trademarks belong to their repective owners. Many aspects of this page are used under
commercial commons license from Yahoo!