All text is available under the terms of the GNU Free Documentation License: 


From Wikipedia, the free encyclopedia


A password is a form of secret authentication data that is used to control access to a resource. The password is kept secret from those not allowed access, and those wishing to gain access are tested on whether or not they know the password and are granted or denied access accordingly.

The use of passwords goes back to ancient times. Sentries guarding a location would challenge for a password. They would only allow a person in if they knew the password. In modern times, passwords are used to control access to protected computer operating systems, mobile phones, cable TV decoders, automated teller machines (ATMs), etc. A typical computer user may require passwords for many purposes: logging in to computer accounts, retrieving email from servers, accessing files, databases, networks, web sites, and even reading the morning newspaper online.

Despite the name, there is no need for passwords to be actual words; indeed passwords which are not actual words are harder to guess (a desirable property). Note that password is often used to describe what would be more accurately called a pass phrase. Passcode is sometimes taken to imply that the information used is purely numeric, such as the personal identification number (PIN) commonly used for ATM access. Passwords are generally short enough to be memorized.

Designing a personal, user-friendly password

Passwords vary in the degree of public awareness, security protection and frequency of change. The most public, and therefore least secure, password might be one that is given to members of a group, a committee or some other organization. For instance, "publiclibrary", "internet" or "AAAfinancecommittee" are all examples of easily remembered passwords.

Less easily attacked passwords might be built from such a basic form. For instance, "smith12nov34street" or "AAAchairpersonSUE". These are slightly more secure, but being relatively easily predictable they should not be relied upon to actually block unauthorized access. Effective access control requires passwords which are more difficult to guess or to find automatically, and these are the subject of much of the rest of this article.

Security and convenience

In controlling access to anything, trade-offs are made between security and convenience. If a resource is protected by a password, then security is increased with a consequent loss of convenience for users. The amount of security and inconvenience inherent in a particular password system or policy are affected by several factors addressed below. However, there is generally no one universal best way to set a proper balance between security and convenience for all cases.

Some password protected systems pose little or no risk to a user if compromised, for example a password allowing access to a free information web site. Others pose modest economic or privacy risk, a password used to access e-mail or a security lock code for a mobile telephone. Still others could have very serious consequences if compromised, such as passwords used to limit access to AIDS treatment records or control a power transmission grid.

Factors in the security of a password system

The security of a password-protected system depends on several factors. The system must, of course, be designed for sound overall security. Early passwords on many systems were limited to a few digits or upper-case letters only, often in prescribed patterns that limited the possible passwords. Most systems today impose few such limits. User input is shaped by several constraints: the allowable inputs (digits or letters, non-visual codes, other keys or device inputs), minimum and maximum length, whether cut, copy, paste and delete are available during entry, and how tolerant the system is of input errors. Some system administrators also enforce other restrictions on passwords, such as compulsory change schedules, feedback from password-strength analysis, and compulsory minimum-strength limits.

See computer security and computer insecurity. Here are some password management issues that must be considered:

Rate at which an attacker can try out guessed passwords

The rate at which an attacker can submit guessed passwords to the system is a key factor in determining system security. Some systems impose a long time out after a small number (e.g. 3) of failed password entry attempts. Absent other vulnerabilities, such systems can be secure with relatively simple passwords, as long as they are not easily guessed. Examples of passwords that are easily guessed include the name of a relative or pet, an automobile license plate number, and such default passwords as admin, 1234, or letmein (let me in). [1]
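The lockout described above, as an added example that is not part of the article: a per-account throttle that refuses further attempts for a long time-out after a small number of failures. The class name, the 3-failure threshold (taken from the text) and the 15-minute lockout are assumptions of this example; a clock function is injected so the behaviour can be exercised without waiting.

```python
"""Added example (not from the article): a per-account lockout that imposes a
time-out after a small number of failed attempts, so online guessing is rate-limited."""
import time
from typing import Callable, Dict


class LoginThrottle:
    """Locks an account for `lockout_seconds` after `max_failures` consecutive failures.

    The clock is injectable (default: time.monotonic) so tests need not sleep.
    """

    def __init__(self, max_failures: int = 3, lockout_seconds: float = 900.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures: Dict[str, int] = {}        # consecutive failures per user
        self._locked_until: Dict[str, float] = {}  # lockout expiry per user

    def is_locked(self, user: str) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout has expired: clear state so the user gets a fresh allowance.
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def attempt(self, user: str, check: Callable[[], bool]) -> bool:
        """Run the real credential check only when the account is not locked.

        Returns True on success, False on a wrong password or while locked.
        While locked the check is not run at all, so a guesser learns nothing
        about whether a guess made during the lockout was correct.
        """
        if self.is_locked(user):
            return False
        if check():
            self._failures.pop(user, None)  # success resets the counter
            return True
        n = self._failures.get(user, 0) + 1
        self._failures[user] = n
        if n >= self.max_failures:
            self._locked_until[user] = self.clock() + self.lockout_seconds
        return False
```

Note that a fixed per-account lockout also lets anyone who knows a user name keep that account locked, so production systems usually combine it with throttling by source address.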

Other systems store or transmit a cryptographic hash of the password in a manner that makes the hash value accessible to an attacker. When this is done, and it is very common, an attacker can work off-line, rapidly testing candidate passwords against the true password's hash value. Lists of common passwords are widely available and can further speed the process. (See Password cracking.) A sufficiently complex password used in a system with a good hash algorithm can defeat such attacks, as the work factor imposed on such an attacker can be made impossible in practice. Passwords that are used to generate cryptographic keys, e.g. for disk encryption or Wi-Fi security, are also subject to high-rate guessing. Stronger passwords are needed in such systems.

Form of stored passwords

Some computer systems store passwords as plain text. If an attacker gains access to the password file, all passwords are compromised. If some users employ the same password for multiple accounts, those will be compromised as well. More secure systems store each password in a cryptographically protected form, so access to the actual password will be difficult for a snooper who gains internal access to the system, whilst validation still remains possible.

A common cryptographic scheme stores only a "hashed" form of the plaintext password. When a user types in a password on such a system, it is run through the hashing algorithm, and if the hash value generated from the user's entry matches the hash stored in the password database, the user is permitted access. The hash value is created by applying a cryptographic hash function to a string consisting of the password and, usually, another value known as a salt. The salt prevents attackers from building a list of hash values for common passwords. MD5 and SHA-1 are frequently used cryptographic hash functions. A modified version of DES was used in early Unix systems.

The UNIX DES function was iterated to make the hash function slow, to further frustrate automated guessing attacks. A more flexible function for iterated hashed passwords is described in PKCS #5.

If the hash function is well designed, it is computationally infeasible to reverse it to find the plaintext directly. However, many systems do not protect their hashed passwords adequately, and if an attacker can gain access to the hashed values he can use widely available tools which compare the hash of every word from some collection, such as a dictionary, against them. Long lists of possible passwords in many languages are widely available, and the tools try common variations as well. The existence of these dictionary attack tools demonstrates the relative strengths of different password choices against such attacks. Use of a key derivation function can reduce this risk.

A poorly designed hash function can make attacks feasible even if a strong password is chosen. See LM hash for a widely deployed example.[2]
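The salted and iterated scheme described in this section, as an added example that is not part of the article: records are built with PBKDF2-HMAC-SHA-256 (the PKCS #5 function the text refers to) from the Python standard library, verification recomputes the hash with the stored salt and iteration count, and an unsalted MD5 store is shown beside it to make the point about precomputed lists concrete. The record format, the iteration count and the short list of common passwords are assumptions of this example.

```python
"""Added example (not from the article): salted, iterated password hashing with
PBKDF2 and why a salt defeats a precomputed list of hashes of common passwords."""
import hashlib
import hmac
import os
from typing import Dict, Optional

ITERATIONS = 200_000  # work factor; raise it as hardware gets faster


def make_record(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """Return a storable record of the form 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh random 16-byte salt is generated unless one is supplied (tests only).
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: never grant access on a parse error
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


# --- The weak alternative: an unsalted, single-round hash, as older systems used ---

def unsalted_md5(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed list; the article names these as commonly chosen defaults.
COMMON_PASSWORDS = ["admin", "1234", "letmein"]


def precomputed_table() -> Dict[str, str]:
    """One table of hash -> password, computed once, reusable against every user."""
    return {unsalted_md5(p): p for p in COMMON_PASSWORDS}


def lookup_unsalted(stored_hash: str) -> Optional[str]:
    """With no salt, a single table lookup recovers any user who chose a common password."""
    return precomputed_table().get(stored_hash)


def salted_records_differ(password: str) -> bool:
    """Two users with the same password get different records, so no one table fits both."""
    return make_record(password) != make_record(password)
```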

Methods of verifying a password over a network

A variety of methods have been used to verify passwords in a network setting:

Simple transmission of the password

Passwords can be vulnerable to interception (known as "snooping") while being transmitted to the authenticating machine or person. If the password is carried as electrical signals on unsecured physical wiring between the user access point and the central system controlling the password database, it is subject to snooping by wiretapping methods. If it is carried over the Internet, anyone able to watch the packets containing the logon information can snoop with very little possibility of detection. Cable modems may be more vulnerable to snooping than DSL and dialup connections, and ethernet may or may not be snoopable, depending particularly on the choice of networking hardware and wiring. Some organizations have noted a significant increase in stolen passwords after users began using cable internet connections.

Transmission through encrypted channels

The risk of interception of passwords sent over the Internet can be reduced with the Transport Layer Security (TLS, previously called SSL) feature built into many Internet browsers. Most browsers display a closed lock icon when TLS is in use. See cryptography for other ways in which the passing of information can be made more secure.

Hash-based challenge-response methods

Unfortunately, there is a conflict between stored hashed passwords and hash-based challenge-response authentication: the latter requires a client to prove to a server that it knows the shared secret (the password), and to do this the server needs to be able to obtain the shared secret from its stored form. On Unix-type systems doing remote authentication, the shared secret becomes the hashed form itself, which has the serious limitation that it exposes passwords to offline guessing attacks.

Zero-knowledge password proofs

Rather than transmitting the password, password-authenticated key agreement systems can perform a zero-knowledge password proof, which proves knowledge of the password without revealing it.

Taking it a step further, augmented systems for password-authenticated key agreement (e.g. AMP, B-SPEKE, PAK-Z, SRP-6) avoid both the conflict and the limitation of hash-based methods; an augmented system allows a client to prove knowledge of the password to a server that knows only a (not exactly) hashed password, and where the unhashed password is required to gain access.

Procedures for changing passwords

Usually, a system must provide a way to change a password, either because a user believes the current password has been (or might have been) compromised, or as a precautionary measure. If a new password is passed to the system in an unencrypted form, security can be lost (e.g., via wiretapping) before the new password can even be installed in the password database. If the new password is given to a compromised employee, little is gained. Some web sites include the user-selected password in an unencrypted confirming e-mail message.

Identity management systems are increasingly used to automate issuance of replacements for lost passwords, a feature called self service password reset. The user's identity is verified by asking questions and comparing the answers to ones previously stored. Typical questions include "Where were you born?", "What is your favorite movie?" or "What is the name of your pet?" In many cases the answers to these questions can be guessed, determined by research, or obtained through social engineering, and so this is less than certain as a verification technique. While many users have been trained never to reveal a password, few consider the name of their favorite movie to require similar care.

Longevity of a password

Forcing users to change passwords frequently (quarterly, monthly or even more often) ensures that a valid password in the wrong hands will eventually become unusable. Many users are not that familiar with passwords and computers, so such a policy runs a real risk of losing users or earning their hostility. Many operating systems provide such features, though they are not universally used. Their security benefits are limited because attackers often exploit a password as soon as it is compromised. In many cases, particularly with administrative or "root" accounts, once an attacker has gained access, he can make alterations to the operating system that will allow him future access even after the initial password he used expires.

Forcing password change too frequently may make users more likely to forget which password is current, and there is a consequent temptation for users to either write their password down or to reuse an earlier password, which may negate any added security benefit. Implementing such a policy requires careful consideration of human factors.

Number of users per password

Sometimes a single password controls access to a device, for example, for a network router, or password-protected mobile phone. However, in the case of a computer system, a password is usually stored for each user name, thus making all access traceable (save, of course, in the case of users sharing passwords). A would-be user must give a name as well as a password. If the user supplies a password matching the one stored for the supplied user name, he or she is permitted further access into the computer system. This is also the case for a cash machine, except that the user name is the account number stored on the bank customer's card, and the PIN is usually quite short (4 to 6 digits).

Allotting separate passwords to each user of a system is usually preferable to having a single password shared by legitimate users of the system. This is partly because people are more willing to tell another person (who may not be authorized) a shared password than one exclusively for their use. Single passwords are also much less convenient to change because many people need to be told at the same time, and they make removal of a particular user's access more difficult. Per-user passwords are also essential if users are to be held accountable for their activities, such as making financial transactions or viewing medical records.

Design of the protected software

Common techniques used to improve the security of software systems protected by a password include:

  • not echoing the password on the display screen as it is being entered or obscuring it as it is typed by using asterisks or circular blobs
  • allowing passwords of adequate length (some Unix systems limited passwords to 8 characters).
  • requiring users to re-enter their password after a period of inactivity
  • enforcing a password policy to ensure strong passwords
  • requiring periodic password changes
  • assigning passwords at random
  • providing an alternative to keyboard entry
  • using encrypted tunnels or password-authenticated key agreement to prevent network attacks on transmitted passwords

Some of the more stringent policy enforcement measures can pose a risk of alienating users, possibly decreasing security.

Factors in the security of an individual password

Main article: Password strength

Studies of production computer systems have for decades consistently shown that about 40% of all user-chosen passwords are readily guessed. Password strength is the likelihood that a password can be guessed or discovered by an unauthorized person or computer. Passwords easily guessed are known as weak or vulnerable; passwords very difficult or impossible to guess are considered strong.

Alternatives to passwords for access control

The numerous ways in which reusable passwords can be compromised has prompted the development of other techniques. Unfortunately, few of them have become universally available for users seeking a more secure alternative.

  • Single-use passwords. Having passwords which are only valid once makes many potential attacks ineffective. Most users find single-use passwords extremely inconvenient. They have, however, been widely implemented in personal online banking, where they are known as TANs. As most home users only perform a small number of transactions each week, the single-use issue has not led to significant customer dissatisfaction in this case.
  • Security tokens are similar to single-use passwords, but the value to be entered is displayed on a small fob and changes every minute or so.
  • Access controls based on public key cryptography e.g. SSH. The necessary keys are too large to memorize (but see proposal Passmaze) and must be stored on a local computer, security token or portable memory device, such as a flash disk or floppy disk.
  • Biometric methods promise authentication based on unalterable personal characteristics, but currently (2005) have high error rates and require additional hardware to scan, for example, fingerprints, irises, etc. They have proven easy to spoof in some famous incidents testing commercially available systems. And, because these characteristics are unalterable, they cannot be changed if compromised, a highly important consideration in access control as a compromised access token is almost the very definition of insecure.
  • Single sign-on technology is supposed to eliminate the need for having multiple passwords. Such schemes do not relieve user and administrators from choosing reasonable single passwords, nor system designers or administrators from ensuring that private access control information passed among systems enabling single sign-on is secure against attack. As yet, no satisfactory standard has been developed.
  • Non-text-based passwords. Passwords are not restricted to be letters or numbers. This article demonstrates the use of mouse gestures to authenticate users. Since these are hard to describe, system administrators will have some difficulty resetting passwords on the user's behalf.

Website Password Systems

So-called website password and membership management systems often involve the use of Java or JavaScript code which exists in the client-side HTML source code (for example, AuthPro). Drawbacks to such systems are the relative ease in bypassing or circumventing the protection by switching off JavaScript and Meta redirects in the browser, thereby gaining access to the protected web page. Others take advantage of server-side scripting languages such as ASP or PHP to authenticate users on the server before delivering the source code to the browser. Popular systems such as Sentry Login and Password Sentry take advantage of technology in which web pages are protected using such scripting language code snippets placed in front of the HTML code in the web page source, saved with the appropriate extension on the server, such as .asp or .php. For additional security, many of the larger websites, such as Yahoo and Google, use Python for controlling and maintaining secrecy of the pages they dynamically serve to the browser and completely obfuscate any reference to file names in the URL that appears in the address window of the browser.

Password cracking

The head-on attempt to crack passwords by trying as many possibilities as time and money allow is known as a brute-force attack. Another method is a dictionary attack. In a dictionary attack, all the words in a dictionary are tested to see if they are the password.

There are a number of computer programs for password auditing and recovery, such as L0phtCrack and Cain.

Passwords in fiction

Password use is often depicted in fiction: Illya Kuryakin 'proving' his identity to the U.N.C.L.E. security door with a code word, or Harry Potter giving a password to a magic painting to enter his dormitory. Famous fictional passwords include "open sesame" from the Arabian Nights' tale of The Forty Thieves, Rumpelstiltskin, and Swordfish from the speakeasy in the Marx Brothers film Horse Feathers.

See also

  • Authentication
  • Diceware
  • Passphrase
  • Password manager
  • Password policy
  • Password strength
  • Password length parameter
  • Password cracking
  • Password-authenticated key agreement
  • Password notification e-mail
  • Password synchronization
  • Pre-shared key
  • Random password generator
  • Self-service password reset

External links

  • Password myths and tips
  • Random secure password generator with automatic mnemonic generation
  • GRC's "Ultra High Security" Password Generator
  • Pick a Safe Password
  • Enforcing use of cryptographically strong password
  • Password management best practices
  • Statistics on password choices, practices, and risks
  • List of default passwords listed by vendor
  • Links for password-based cryptography
  • Website password and membership management systems
  • Wordlists and articles about Password Security
  • A list of English words that are typed using alternating left and right-hand keystrokes
  • A large list of default passwords for computing, networking, and voice applications
  • Pronounceable Password Generator
  • pwgen - open-source program to generate random pronounceable passwords
  • APG (Automated Password Generator) - similar to pwgen
  • Online Help On Changing Password For Favourite Web Services
  • Microsoft security guru: Jot down your passwords
  • More Secure Mnemonic-Passwords: User-Friendly Passwords for Real Humans by Stephan Vladimir Bugaj
  • The Memorability and Security of Passwords - Some Empirical Results (PDF)
  • Security policies can weaken passwords
  • Directory of Anonymous Usernames and Passwords
  • Password Security: It's Not That Hard (But You Still Can't Get It Right) by Ron Rothman
  • Encrypting Passwords with Hashing