BENVENUTI IN   TUTTE LE LINGUE, CON CURA

SEZIONE
INGLESE

WIKIMAG
Un articolo
al giorno!

WIKIMAG è la rivista mensile che realizziamo per te scegliendo da Wikipedia un certo numero di articoli enciclopedici legati all'attualità e con cui ti offriamo uno stimolo ad avvicinarti all'inglese più accademico (tecnico, scientifico, politico, culturale). Come aiuto potrai beneficiare su queste pagine della guida alla pronuncia di ReadSpeaker, del dizionario di Babylon integrato e del traduttore automatico interattivo di Google Translate. Quest'ultimo funziona così: basta selezionare del testo e la traduzione italiana comparirà istantaneamente in una finestrella. Ovviamente, trattandosi di una traduzione automatica, ci potrebbero essere delle imprecisioni ma il punto è che nel 90% dei casi avrai un aiuto concreto che ti eviterà di dover perder del tempo a cercare la parola nel dizionario!
                                                       VAI ALLA RIVISTA NUMERO: 

TORNA AL PALINSESTO
Il palinsesto è l'elenco di tutte le risorse disponibili in ELINGUE

Indice del n. 8

  1. July
  2. Margherita Hack
  3. Idiom
  4. Laurel and Hardy
  5. Cloud computing
  6. Fast food
  7. Coursera
  8. Tour de France
  9. English modal verbs
  10. Hartz concept
  11. American Civil War
  12. Florence
  13. Rita Levi Montalcini
  14. Flier (pamphlet)
  15. Credit rating agency
  16. Crusades
  17. Web browser
  18. David Bowie
  19. English people
  20. Cyberwarfare
  21. Password
  22. iOS 7
  23. Massive open online course
  24. Arthur Conan Doyle
  25. Defense of Marriage Act
  26. List of Italian musical terms used in English
  27. Number
  28. Unique selling proposition (USP)
  29. Transatlantic Free Trade Area
  30. Robin Hood
  31. Louvre
     

 

WIKIMAG n. 8 - Luglio 2013 
Password

Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. See Terms of Use for details.
Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc., a non-profit organization.
Traduzione interattiva on/off - Togli il segno di spunta per disattivarla

A password is a secret word or string of characters that is used for user authentication to prove identity, or for access approval to gain access to a resource (example: an access code is a type of password). The password should be kept secret from those not allowed access. The use of passwords is known to be ancient. Sentries would challenge those wishing to enter an area or approaching it to supply a password or watchword, and would only allow a person or group to pass if they knew the password. In modern times, user names and passwords are commonly used by people during a log in process that controls access to protected computer operating systems, mobile phones, cable TV decoders, automated teller machines (ATMs), etc. A typical computer user has passwords for many purposes: logging into accounts, retrieving e-mail, accessing applications, databases, networks, web sites, and even reading the morning newspaper online.

A log in window for a website requesting a username and a password

Despite the name, there is no need for passwords to be actual words; indeed passwords which are not actual words may be harder to guess, a desirable property. Some passwords are formed from multiple words and may more accurately be called a passphrase. The term passcode is sometimes used when the secret information is purely numeric, such as the personal identification number (PIN) commonly used for ATM access. Passwords are generally short enough to be easily memorized and typed.

Most organizations specify a password policy that sets requirements for the composition and usage of passwords, typically dictating minimum length, required categories (e.g. upper and lower case, numbers, and special characters), prohibited elements (e.g. own name, D.O.B., address, telephone number). Some governments have national authentication frameworks[1] that define requirements for user authentication to government services, including requirements for passwords.

Contents

Memorization and guessing

The easier a password is for the owner to remember generally means it will be easier for an attacker to guess.[2] However, passwords which are difficult to remember may also reduce the security of a system because (a) users might need to write down or electronically store the password, (b) users will need frequent password resets and (c) users are more likely to re-use the same password. Similarly, the more stringent requirements for password strength, e.g. "have a mix of uppercase and lowercase letters and digits" or "change it monthly", the greater the degree to which users will subvert the system.[3]

In The Memorability and Security of Passwords,[4] Jeff Yan et al. examine the effect of advice given to users about a good choice of password. They found that passwords based on thinking of a phrase and taking the first letter of each word are just as memorable as naively selected passwords, and just as hard to crack as randomly generated passwords. Combining two unrelated words is another good method. Having a personally designed "algorithm" for generating obscure passwords is another good method.

However, asking users to remember a password consisting of a "mix of uppercase and lowercase characters" is similar to asking them to remember a sequence of bits: hard to remember, and only a little bit harder to crack (e.g. only 128 times harder to crack for 7-letter passwords, less if the user simply capitalises one of the letters). Asking users to use "both letters and digits" will often lead to easy-to-guess substitutions such as 'E' → '3' and 'I' → '1', substitutions which are well known to attackers. Similarly typing the password one keyboard row higher is a common trick known to attackers.[citation needed]

A method to memorize a complex password is to remember a sentence like 'This year I go to Italy on Friday July 6!' and use the first characters as the actual password. In this case 'TyIgtIoFJ6!'. This method even helps against shoulder surfing.

Factors in the security of a password system

The security of a password-protected system depends on several factors. The overall system must, of course, be designed for sound security, with protection against computer viruses, man-in-the-middle attacks and the like. Physical security issues are also a concern, from deterring shoulder surfing to more sophisticated physical threats such as video cameras and keyboard sniffers. And, of course, passwords should be chosen so that they are hard for an attacker to guess and hard for an attacker to discover using any (and all) of the available automatic attack schemes. See password strength, computer security, and computer insecurity.

Nowadays it is a common practice for computer systems to hide passwords as they are typed. The purpose of this measure is to avoid bystanders reading the password. However, some argue that this practice may lead to mistakes and stress, encouraging users to choose weak passwords. As an alternative, users should have the option to show or hide passwords as they type them.[5]

Effective access control provisions may force extreme measures on criminals seeking to acquire a password or biometric token.[6] Less extreme measures include extortion, rubber hose cryptanalysis, and side channel attack.

Here are some specific password management issues that must be considered in thinking about, choosing, and handling, a password.

Rate at which an attacker can try guessed passwords

The rate at which an attacker can submit guessed passwords to the system is a key factor in determining system security. Some systems impose a time-out of several seconds after a small number (e.g., three) of failed password entry attempts. In the absence of other vulnerabilities, such systems can be effectively secure with relatively simple passwords, if they have been well chosen and are not easily guessed.[7]

Many systems store or transmit a cryptographic hash of the password in a manner that makes the hash value accessible to an attacker. When this is done, and it is very common, an attacker can work off-line, rapidly testing candidate passwords against the true password's hash value. Passwords that are used to generate cryptographic keys (e.g., for disk encryption or Wi-Fi security) can also be subjected to high rate guessing. Lists of common passwords are widely available and can make password attacks very efficient. (See Password cracking.) Security in such situations depends on using passwords or passphrases of adequate complexity, making such an attack computationally infeasible for the attacker. Some systems, such as PGP and Wi-Fi WPA, apply a computation-intensive hash to the password to slow such attacks. See key stretching.

Limits on the number of password guesses

An alternative to limiting the rate at which an attacker can make guesses on a password is to limit the total number of guesses that can be made. The password can be disabled, requiring a reset, after a small number of consecutive bad guesses (say 5); and the user may be required to change the password after a larger cumulative number of bad guesses (say 30), to prevent an attacker from making an arbitrarily large number of bad guesses by interspersing them between good guesses made by the legitimate password owner. [8] The username associated with the password can be changed to counter a denial of service attack.

Form of stored passwords

Some computer systems store user passwords as plaintext, against which to compare user log on attempts. If an attacker gains access to such an internal password store, all passwords—and so all user accounts—will be compromised. If some users employ the same password for accounts on different systems, those will be compromised as well.

More secure systems store each password in a cryptographically protected form, so access to the actual password will still be difficult for a snooper who gains internal access to the system, while validation of user access attempts remains possible.

A common approach stores only a “hashed” form of the plaintext password. When a user types in a password on such a system, the password handling software runs through a cryptographic hash algorithm, and if the hash value generated from the user’s entry matches the hash stored in the password database, the user is permitted access. The hash value is created by applying a cryptographic hash function to a string consisting of the submitted password and, in many implementations, another value known as a salt. The salt prevents attackers from easily building a list of hash values for common passwords and prevents password cracking efforts from scaling across all users.[9] MD5 and SHA1 are frequently used cryptographic hash functions but they are not recommended for password hashing unless they are used as part of a larger construction such as in PBKDF2.[10]

If a cryptographic hash function is well designed, it is computationally infeasible to reverse the function to recover a plaintext password. An attacker can, however, use widely available tools to attempt to guess the passwords. These tools work by hashing possible passwords and comparing the result of each guess to the actual password hashes. If the attacker finds a match, he knows that his guess is the actual password for the associated user. Password cracking tools can operate by brute force (i.e. trying every possible combination of characters) or by hashing every word from a list; large lists of possible passwords in many languages are widely available on the Internet. The existence of these password cracking tools allows attackers to easily recover poorly chosen passwords. In particular, attackers can quickly recover passwords that are short, dictionary words, simple variations on dictionary words or that use easily guessable patterns.[11]

A modified version of the DES algorithm was used as the basis for the password hashing algorithm in early Unix systems.[12] The ‹The template Disambiguated link is being considered for deletion.›  crypt algorithm used a 12-bit salt value so that each user’s hash was unique and iterated the DES algorithm 25 times in order to make the hash function slower, both measures intended to frustrate automated guessing attacks.[12] The user’s password was used as a key to encrypt a fixed value. More recent Unix or Unix like systems (e.g., Linux or the various BSD systems) use more secure password hashing algorithms such as PBKDF2, bcrypt, and scrypt which have large salts and an adjustable cost or number of iterations.[13]

A poorly designed hash function can make attacks feasible even if a strong password is chosen. See LM hash for a widely deployed, and insecure, example.[14]

Methods of verifying a password over a network

Various methods have been used to verify submitted passwords in a network setting:

Simple transmission of the password

Passwords are vulnerable to interception (i.e., "snooping") while being transmitted to the authenticating machine or person. If the password is carried as electrical signals on unsecured physical wiring between the user access point and the central system controlling the password database, it is subject to snooping by wiretapping methods. If it is carried as packetized data over the Internet, anyone able to watch the packets containing the logon information can snoop with a very low probability of detection.

Email is sometimes used to distribute passwords but this is generally an insecure method. Since most email is sent as plaintext, a message containing a password is readable without effort during transport by any eavesdropper. Further, the message will be stored as plaintext on at least two computers: the sender's and the recipient's. If it passes through intermediate systems during its travels, it will probably be stored on there as well, at least for some time, and may be copied to backup, cache or history files on any of these systems.

An example of cleartext transmission of passwords is the original Wikipedia website. When a user logs into his Wikipedia account, his username and password are sent from his computer's browser through the Internet as cleartext. In principle, anyone could read them in transit and thereafter log into the user's account as him; Wikipedia's servers have no way of distinguishing such an attacker from the user. In practice, an unknowably larger number could do so as well (e.g., employees at a user's Internet Service Provider, at any of the systems through which the traffic passes, etc.). More recently, Wikipedia has offered a secure login option, which, like many e-commerce sites, uses the SSL / (TLS) cryptographically based protocol to eliminate the cleartext transmission. But, because anyone can gain access to Wikipedia (without logging in at all), and then edit essentially all articles, it can be argued that there is little need to encrypt these transmissions as little is being protected. Other websites (e.g., banks and financial institutions) have quite different security requirements, and cleartext transmission of anything is clearly insecure in those contexts.

Using client-side encryption will only protect transmission from the mail handling system server to the client machine. Previous or subsequent relays of the email will not be protected and the email will probably be stored on multiple computers, certainly on the originating and receiving computers, most often in cleartext.

Transmission through encrypted channels

The risk of interception of passwords sent over the Internet can be reduced by, among other approaches, using cryptographic protection. The most widely used is the Transport Layer Security (TLS, previously called SSL) feature built into most current Internet browsers. Most browsers alert the user of a TLS/SSL protected exchange with a server by displaying a closed lock icon, or some other sign, when TLS is in use. There are several other techniques in use; see cryptography.

Hash-based challenge-response methods

Unfortunately, there is a conflict between stored hashed-passwords and hash-based challenge-response authentication; the latter requires a client to prove to a server that he knows what the shared secret (i.e., password) is, and to do this, the server must be able to obtain the shared secret from its stored form. On many systems (including Unix-type systems) doing remote authentication, the shared secret usually becomes the hashed form and has the serious limitation of exposing passwords to offline guessing attacks. In addition, when the hash is used as a shared secret, an attacker does not need the original password to authenticate remotely; he only needs the hash.

Zero-knowledge password proofs

Rather than transmitting a password, or transmitting the hash of the password, password-authenticated key agreement systems can perform a zero-knowledge password proof, which proves knowledge of the password without exposing it.

Moving a step further, augmented systems for password-authenticated key agreement (e.g., AMP, B-SPEKE, PAK-Z, SRP-6) avoid both the conflict and limitation of hash-based methods. An augmented system allows a client to prove knowledge of the password to a server, where the server knows only a (not exactly) hashed password, and where the unhashed password is required to gain access.

Procedures for changing passwords

Usually, a system must provide a way to change a password, either because a user believes the current password has been (or might have been) compromised, or as a precautionary measure. If a new password is passed to the system in unencrypted form, security can be lost (e.g., via wiretapping) before the new password can even be installed in the password database. And, of course, if the new password is given to a compromised employee, little is gained. Some web sites include the user-selected password in an unencrypted confirmation e-mail message, with the obvious increased vulnerability.

Identity management systems are increasingly used to automate issuance of replacements for lost passwords, a feature called self service password reset. The user's identity is verified by asking questions and comparing the answers to ones previously stored (i.e., when the account was opened).

Password longevity

"Password aging" is a feature of some operating systems which forces users to change passwords frequently (e.g., quarterly, monthly or even more often). Such policies usually provoke user protest and foot-dragging at best and hostility at worst. There is often an increase in the people who note down the password and leave it where it can easily be found, as well as helpdesk calls to reset a forgotten password. Users may use simpler passwords or develop variation patterns on a consistent theme to keep their passwords memorable. Because of these issues, there is some debate[15] as to whether password aging is effective. The intended benefit is mainly that a stolen password will be made ineffective if it is reset; however in many cases, particularly with administrative or "root" accounts, once an attacker has gained access, he can make alterations to the operating system that will allow him future access even after the initial password he used expires. (see rootkit). The other less-frequently cited, and possibly more valid reason is that in the event of a long brute force attack, the password will be invalid by the time it has been cracked. Specifically, in an environment where it is considered important to know the probability of a fraudulent login in order to accept the risk, one can ensure that the total number of possible passwords multiplied by the time taken to try each one (assuming the greatest conceivable computing resources) is much greater than the password lifetime. However there is no documented evidence that the policy of requiring periodic changes in passwords increases system security.

Password aging may be required because of the nature of IT systems the password allows access to; if personal data is involved the EU Data Protection Directive is in force. Implementing such a policy, however, requires careful consideration of the relevant human factors. Humans memorize by association, so it is impossible to simply replace one memory with another. Two psychological phenomena interfere with password substitution. "Primacy" describes the tendency for an earlier memory to be retained more strongly than a later one. "Interference" is the tendency of two memories with the same association to conflict. Because of these effects most users must resort to a simple password containing a number that can be incremented each time the password is changed.

Number of users per password

Sometimes a single password controls access to a device, for example, for a network router, or password-protected mobile phone. However, in the case of a computer system, a password is usually stored for each user account, thus making all access traceable (save, of course, in the case of users sharing passwords). A would-be user on most systems must supply a username as well as a password, almost always at account set up time, and periodically thereafter. If the user supplies a password matching the one stored for the supplied username, he or she is permitted further access into the computer system. This is also the case for a cash machine, except that the 'user name' is typically the account number stored on the bank customer's card, and the PIN is usually quite short (4 to 6 digits).

Allotting separate passwords to each user of a system is preferable to having a single password shared by legitimate users of the system, certainly from a security viewpoint. This is partly because users are more willing to tell another person (who may not be authorized) a shared password than one exclusively for their use. Single passwords are also much less convenient to change because many people need to be told at the same time, and they make removal of a particular user's access more difficult, as for instance on graduation or resignation. Per-user passwords are also essential if users are to be held accountable for their activities, such as making financial transactions or viewing medical records.

Password security architecture

Common techniques used to improve the security of computer systems protected by a password include:

  • Not displaying the password on the display screen as it is being entered or obscuring it as it is typed by using asterisks (*) or bullets (•).
  • Allowing passwords of adequate length. (Some legacy operating systems, including early versions[which?] of Unix and Windows, limited passwords to an 8 character maximum,[16][17][18][19] reducing security.)
  • Requiring users to re-enter their password after a period of inactivity (a semi log-off policy).
  • Enforcing a password policy to increase password strength and security.
    • Requiring periodic password changes.
    • Assigning randomly chosen passwords.
    • Requiring minimum password lengths.[10]
    • Some systems require characters from various character classes in a password—for example, "must have at least one uppercase and at least one lowercase letter". However, all-lowercase passwords are more secure per keystroke than mixed capitalization passwords.[20]
    • Providing an alternative to keyboard entry (e.g., spoken passwords, or biometric passwords).
    • Requiring more than one authentication system, such as 2-factor authentication (something a user has and something the user knows).
  • Using encrypted tunnels or password-authenticated key agreement to prevent access to transmitted passwords via network attacks
  • Limiting the number of allowed failures within a given time period (to prevent repeated password guessing). After the limit is reached, further attempts will fail (including correct password attempts) until the beginning of the next time period. However, this is vulnerable to a form of denial of service attack.
  • Introducing a delay between password submission attempts to slow down automated password guessing programs.

Some of the more stringent policy enforcement measures can pose a risk of alienating users, possibly decreasing security as a result.

Writing down passwords on paper

Historically, many security experts asked people to memorize their passwords and "Never write down a password". More recently, many security experts such as Bruce Schneier recommend that people use passwords that are too complicated to memorize, write them down on paper, and keep them in a wallet.[21][22][23][24][25][26][27]

After death

According to a survey by the University of London, one in ten people are now leaving their passwords in their wills to pass on this important information when they die. One third of people, according to the survey agree that their password protected data is important enough to be passed on in their will.[28] Facebook, for example, will not provide access for anyone but the actual account owner.[29]

Password cracking

Main article: Password cracking

Attempting to crack passwords by trying as many possibilities as time and money permit is a brute force attack. A related method, rather more efficient in most cases, is a dictionary attack. In a dictionary attack, all words in one or more dictionaries are tested. Lists of common passwords are also typically tested.

Password strength is the likelihood that a password cannot be guessed or discovered, and varies with the attack algorithm used. Passwords easily discovered are termed weak or vulnerable; passwords very difficult or impossible to discover are considered strong. There are several programs available for password attack (or even auditing and recovery by systems personnel) such as L0phtCrack, John the Ripper, and Cain; some of which use password design vulnerabilities (as found in the Microsoft LANManager system) to increase efficiency. These programs are sometimes used by system administrators to detect weak passwords proposed by users.

Studies of production computer systems have consistently shown that a large fraction of all user-chosen passwords are readily guessed automatically. For example, Columbia University found 22% of user passwords could be recovered with little effort.[30] According to Bruce Schneier, examining data from a 2006 phishing attack, 55% of MySpace passwords would be crackable in 8 hours using a commercially available Password Recovery Toolkit capable of testing 200,000 passwords per second in 2006.[31] He also reported that the single most common password was password1, confirming yet again the general lack of informed care in choosing passwords among users. (He nevertheless maintained, based on these data, that the general quality of passwords has improved over the years—for example, average length was up to eight characters from under seven in previous surveys, and less than 4% were dictionary words.[32])

Incidents

  • On July 16, 1998, CERT reported an incident where an attacker had found 186,126 encrypted passwords. At the time the attacker was discovered, 47,642 passwords had already been cracked.[33]
  • In December 2009, a major password breach of the Rockyou.com website occurred that led to the release of 32 million passwords. The hacker then leaked the full list of the 32 million passwords (with no other identifiable information) to the internet. Passwords were stored in cleartext in the database and were extracted through a SQL Injection vulnerability. The Imperva Application Defense Center (ADC) did an analysis on the strength of the passwords.[34]
  • In June, 2011, NATO (North Atlantic Treaty Organization) experienced a security breach that led to the public release of first and last names, usernames, and passwords for more than 11,000 registered users of their e-Bookshop. The data was leaked as part of Operation AntiSec, a movement that includes Anonymous, LulzSec, as well as other hacking groups and individuals. The aim of AntiSec is to expose personal, sensitive, and restricted information to the world, using any means necessary.[35]
  • On July 11, 2011, Booz Allen Hamilton, a U.S. Consulting firm that does a substantial amount of work for the Pentagon, had their servers hacked by Anonymous and leaked the same day. "The leak, dubbed 'Military Meltdown Monday,' includes 90,000 logins of military personnel—including personnel from USCENTCOM, SOCOM, the Marine corps, various Air Force facilities, Homeland Security, State Department staff, and what looks like private sector contractors."[36] These leaked passwords wound up being hashed in Sha1, and were later decrypted and analyzed by the ADC team at Imperva, revealing that even military personnel look for shortcuts and ways around the password requirements.[37]

Alternatives to passwords for authentication

The numerous ways in which permanent or semi-permanent passwords can be compromised has prompted the development of other techniques. Unfortunately, some are inadequate in practice, and in any case few have become universally available for users seeking a more secure alternative.[citation needed]

  • Single-use passwords. Having passwords which are only valid once makes many potential attacks ineffective. Most users find single use passwords extremely inconvenient. They have, however, been widely implemented in personal online banking, where they are known as Transaction Authentication Numbers (TANs). As most home users only perform a small number of transactions each week, the single use issue has not led to intolerable customer dissatisfaction in this case.
  • Time-synchronized one-time passwords are similar in some ways to single-use passwords, but the value to be entered is displayed on a small (generally pocketable) item and changes every minute or so.
  • PassWindow one-time passwords are used as single-use passwords, but the dynamic characters to be entered are visible only when a user superimposes a unique printed visual key over a server generated challenge image shown on the user's screen.
  • Access controls based on public key cryptography e.g. ssh. The necessary keys are usually too large to memorize (but see proposal Passmaze)[38] and must be stored on a local computer, security token or portable memory device, such as a USB flash drive or even floppy disk.
  • Biometric methods promise authentication based on unalterable personal characteristics, but currently (2008) have high error rates and require additional hardware to scan, for example, fingerprints, irises, etc. They have proven easy to spoof in some famous incidents testing commercially available systems, for example, the gummie fingerprint spoof demonstration,[39] and, because these characteristics are unalterable, they cannot be changed if compromised; this is a highly important consideration in access control as a compromised access token is necessarily insecure.
  • Single sign-on technology is claimed to eliminate the need for having multiple passwords. Such schemes do not relieve user and administrators from choosing reasonable single passwords, nor system designers or administrators from ensuring that private access control information passed among systems enabling single sign-on is secure against attack. As yet, no satisfactory standard has been developed.
  • Envaulting technology is a password-free way to secure data on e.g. removable storage devices such as USB flash drives. Instead of user passwords, access control is based on the user's access to a network resource.
  • Non-text-based passwords, such as graphical passwords or mouse-movement based passwords.[40] Graphical passwords are an alternative means of authentication for log-in intended to be used in place of conventional password; they use images, graphics or colours instead of letters, digits or special characters. One system requires users to select a series of faces as a password, utilizing the human brain's ability to recall faces easily.[41] In some implementations the user is required to pick from a series of images in the correct sequence in order to gain access.[42] Another graphical password solution creates a one-time password using a randomly generated grid of images. Each time the user is required to authenticate, they look for the images that fit their pre-chosen categories and enter the randomly generated alphanumeric character that appears in the image to form the one-time password.[43][44] So far, graphical passwords are promising, but are not widely used. Studies on this subject have been made to determine its usability in the real world. While some believe that graphical passwords would be harder to crack, others suggest that people will be just as likely to pick common images or sequences as they are to pick common passwords.[citation needed]
  • 2D Key (2-Dimensional Key)[45] is a 2D matrix-like key input method having the key styles of multiline passphrase, crossword, ASCII/Unicode art, with optional textual semantic noises, to create big password/key beyond 128 bits to realize the MePKC (Memorizable Public-Key Cryptography)[46] using fully memorizable private key upon the current private key management technologies like encrypted private key, split private key, and roaming private key.
  • Cognitive passwords use question and answer cue/response pairs to verify identity.

Website password systems

Passwords are used on websites to authenticate users and are usually maintained on the Web server, meaning the browser on a remote system sends a password to the server (by HTTP POST), the server checks the password and sends back the relevant content (or an access denied message). This process eliminates the possibility of local reverse engineering as the code used to authenticate the password does not reside on the local machine.

Transmission of the password, via the browser, in plaintext means it can be intercepted along its journey to the server. Many web authentication systems use SSL to establish an encrypted session between the browser and the server, and is usually the underlying meaning of claims to have a "secure Web site". This is done automatically by the browser and increases integrity of the session, assuming neither end has been compromised and that the SSL/TLS implementations used are high quality ones.

History of passwords

Passwords or watchwords have been used since ancient times. Polybius describes the system for the distribution of watchwords in the Roman military as follows:

The way in which they secure the passing round of the watchword for the night is as follows: from the tenth maniple of each class of infantry and cavalry, the maniple which is encamped at the lower end of the street, a man is chosen who is relieved from guard duty, and he attends every day at sunset at the tent of the tribune, and receiving from him the watchword — that is a wooden tablet with the word inscribed on it – takes his leave, and on returning to his quarters passes on the watchword and tablet before witnesses to the commander of the next maniple, who in turn passes it to the one next him. All do the same until it reaches the first maniples, those encamped near the tents of the tribunes. These latter are obliged to deliver the tablet to the tribunes before dark. So that if all those issued are returned, the tribune knows that the watchword has been given to all the maniples, and has passed through all on its way back to him. If any one of them is missing, he makes inquiry at once, as he knows by the marks from what quarter the tablet has not returned, and whoever is responsible for the stoppage meets with the punishment he merits.[47]

Passwords in military use evolved to include not just a password, but a password and a counterpassword; for example in the opening days of the Battle of Normandy, paratroopers of the U.S. 101st Airborne Division used a password — flash — which was presented as a challenge, and answered with the correct response — thunder. The challenge and response were changed every three days. American paratroopers also famously used a device known as a "cricket" on D-Day in place of a password system as a temporarily unique method of identification; one metallic click given by the device in lieu of a password was to be met by two clicks in reply.[48]

Passwords have been used with computers since the earliest days of computing. MIT's CTSS, one of the first time sharing systems, was introduced in 1961. It had a LOGIN command that requested a user password. "After typing PASSWORD, the system turns off the printing mechanism, if possible, so that the user may type in his password with privacy."[49] In the early 1970s, Robert Morris invented the idea of storing login passwords in a hashed form as part of the Unix operating system. The system was based on a simulated Hagelin rotor crypto machine, and first appeared in 6th Edition Unix in 1974. A later version of his algorithm, known as crypt(3), used a 12-bit salt and invoked a modified form of the DES algorithm 25 times to reduce the risk of pre-computed dictionary attacks.[50]

See also

References

  1. ^ Improving Usability of Password Management with Standardized Password Policies. Retrieved on 2012-10-12.
  2. ^ Vance, Ashlee (2010-01-10). "If Your Password Is 123456, Just Make It HackMe". The New York Times.
  3. ^ Fred Cohen and Associates. All.net. Retrieved on 2012-05-20.
  4. ^ The Memorability and Security of Passwords. ncl.ac.uk. Retrieved on 2012-05-20.
  5. ^ Lyquix Blog: Do We Need to Hide Passwords?. Lyquix.com. Retrieved on 2012-05-20.
  6. ^ Jonathan Kent Malaysia car thieves steal finger. BBC (2005-03-31)
  7. ^ Stuart Brown Top ten passwords used in the United Kingdom. Modernlifeisrubbish.co.uk (2006-05-26). Retrieved on 2012-05-20.
  8. ^ US patent 8046827
  9. ^ http://bugcharmer.blogspot.com/2012/06/passwords-matter.html
  10. ^ a b http://bugcharmer.blogspot.com/2012/06/how-long-should-passwords-be.html
  11. ^ http://blog.thireus.com/cracking-story-how-i-cracked-over-122-million-sha1-and-md5-hashed-passwords
  12. ^ a b http://cm.bell-labs.com/cm/cs/who/dmr/passwd.ps
  13. ^ Password Protection for Modern Operating Systems. Usenix.org. Retrieved on 2012-05-20.
  14. ^ How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases. support.microsoft.com (2007-12-03). Retrieved on 2012-05-20.
  15. ^ Schneier on Security discussion on changing passwords. Schneier.com. Retrieved on 2012-05-20.
  16. ^ HP-UX security whitepaper "Passwords are limited to a maximum of eight significant characters"
  17. ^ Seltzer, Larry. (2010-02-09) "American Express: Strong Credit, Weak Passwords". Pcmag.com. Retrieved on 2012-05-20.
  18. ^ "Ten Windows Password Myths": "NT dialog boxes ... limited passwords to a maximum of 14 characters"
  19. ^ "You must provide a password between 1 and 8 characters in length". Jira.codehaus.org. Retrieved on 2012-05-20.
  20. ^ "To Capitalize or Not to Capitalize?". World.std.com. Retrieved on 2012-05-20.
  21. ^ Bruce Schneier : Crypto-Gram Newsletter May 15, 2001
  22. ^ "Ten Windows Password Myths": Myth #7. You Should Never Write Down Your Password
  23. ^ Microsoft security guru: Jot down your passwords. News.cnet.com (2005-05-23). Retrieved on 2012-05-20.
  24. ^ "The Strong Password Dilemma" by Richard E. Smith: "we can summarize classical password selection rules as follows: The password must be impossible to remember and never written down."
  25. ^ "Choosing Random Passwords" by Bob Jenkins
  26. ^ "The Memorability and Security of Passwords – Some Empirical Results"
    "your password ... in a secure place, such as the back of your wallet or purse."
  27. ^ "Should I write down my passphrase?". World.std.com. Retrieved on 2012-05-20.
  28. ^ Jaffery, Saman M. (17 October 2011). "Survey: 11% of Brits Include Internet Passwords in Will". Hull & Hull LLP. Retrieved 16 July 2012.
  29. ^ "My child's Facebook account is blocked or disabled". Facebook. Retrieved 16 July 2012.
  30. ^ Password. cs.columbia.edu
  31. ^ Schneier, Real-World Passwords. Schneier.com. Retrieved on 2012-05-20.
  32. ^ MySpace Passwords Aren't So Dumb. Wired.com (2006-10-27). Retrieved on 2012-05-20.
  33. ^ "CERT IN-98.03". 1998-07-16. Retrieved 2009-09-09.
  34. ^ "Consumer Password Worst Practices".
  35. ^ "NATO site hacked". The Register. 2011-06-24. Retrieved July 24, 2011.
  36. ^ "Anonymous Leaks 90,000 Military Email Accounts in Latest Antisec Attack". 2011-07-11.
  37. ^ "Military Password Analysis". 2011-07-12.
  38. ^ Cryptology ePrint Archive: Report 2005/434. eprint.iacr.org. Retrieved on 2012-05-20.
  39. ^ T Matsumoto. H Matsumotot, K Yamada, and S Hoshino (2002). "Impact of artificial 'Gummy' Fingers on Fingerprint Systems". Proc SPIE 4677: 275. doi:10.1117/12.462719.
  40. ^ Using AJAX for Image Passwords – AJAX Security Part 1 of 3. waelchatila.com (2005-09-18). Retrieved on 2012-05-20.
  41. ^ Butler, Rick A. (2004-12-21) Face in the Crowd. mcpmag.com. Retrieved on 2012-05-20.
  42. ^ graphical password or graphical user authentication (GUA). searchsecurity.techtarget.com. Retrieved on 2012-05-20.
  43. ^ Ericka Chickowski (2010-11-03). "Images Could Change the Authentication Picture". Dark Reading.
  44. ^ "Confident Technologies Delivers Image-Based, Multifactor Authentication to Strengthen Passwords on Public-Facing Websites". 2010-10-28.
  45. ^ User Manual for 2-Dimensional Key (2D Key) Input Method and System. xpreeli.com. (2008-09-08) . Retrieved on 2012-05-20.
  46. ^ Kok-Wah Lee "Methods and Systems to Create Big Memorizable Secrets and Their Applications" Patent US20110055585, WO2010010430. Filing date: December 18, 2008
  47. ^ Polybius on the Roman Military. Ancienthistory.about.com (2012-04-13). Retrieved on 2012-05-20.
  48. ^ Mark Bando (2007). 101st Airborne: The Screaming Eagles in World War II. Mbi Publishing Company. ISBN 978-0-7603-2984-9. Retrieved 20 May 2012.
  49. ^ CTSS Programmers Guide, 2nd Ed., MIT Press, 1965
  50. ^ Morris, Robert; Thompson, Ken (1978-04-03). "Password Security: A Case History.". Bell Laboratories. Retrieved 2011-05-09.

External links


 

1) scrivi le parole inglesi dentro la striscia gialla
2) seleziona il testo
3) clicca "Ascolta il testo"

Listen to this page using ReadSpeaker
 


DA INGLESE A ITALIANO
Inserire nella casella Traduci la parola INGLESE e cliccare Go.
 DA ITALIANO A INGLESE 
Impostare INGLESE anziché italiano e ripetere la procedura descritta.

 
 
 

 
CONDIZIONI DI USO DI QUESTO SITO agg. 13.12.12
L'utente può utilizzare il sito ELINGUE solo se comprende e accetta quanto segue:

  • le risorse e i servizi linguistici presentati all'interno della cartella di sito denominata ELINGUE (www.englishgratis.com/elingue) , d'ora in poi definita "ELINGUE", sono accessibili solo previa sottoscrizione di un abbonamento a pagamento e si possono utilizzare esclusivamente per uso personale e non commerciale con tassativa esclusione di ogni condivisione comunque effettuata. Tutti i diritti sono riservati. La riproduzione anche parziale è vietata senza autorizzazione scritta.
  • si precisa altresì che il nome del sito EnglishGratis, che ospita ELINGUE, è esclusivamente un marchio di fantasia e un nome di dominio internet che fa riferimento alla disponibilità sul sito di un numero molto elevato di risorse gratuite e non implica dunque in alcun modo una promessa di gratuità relativamente a prodotti e servizi nostri o di terze parti pubblicizzati a mezzo banner e link, o contrassegnati chiaramente come prodotti a pagamento (anche ma non solo con la menzione "Annuncio pubblicitario"), o comunque menzionati nelle pagine del sito ma non disponibili sulle pagine pubbliche, non protette da password, del sito stesso. In particolare sono esclusi dalle pretese di gratuità i seguenti prodotti a pagamento: il nuovo abbonamento ad ELINGUE, i corsi 20 ORE e le riviste English4Life. L'utente che abbia difficoltà a capire il significato del marchio English Gratis o la relazione tra risorse gratuite e risorse a pagamento è pregato di contattarci per le opportune delucidazioni PRIMA DI UTILIZZARE IL SITO onde evitare spiacevoli equivoci.
  • ELINGUE è riservato in linea di massima ad utenti singoli (privati o aziendali). Qualora si sia interessati ad abbonamenti multi-utente si prega di contattare la redazione per un'offerta ad hoc.
  • l'utente si impegna a non rivelare a nessuno i dati di accesso che gli verranno comunicati (nome utente e password)
  • coloro che si abbonano accettano di ricevere le nostre comunicazioni di servizio (newsletter e mail singole) che sono l'unico tramite di comunicazione tra noi e il nostro abbonato, e servono ad informare l'abbonato della scadenza imminente del suo abbonamento e a comunicargli in anticipo eventuali problematiche tecniche e di manutenzione che potrebbero comportare l'indisponibilità transitoria del sito.
  • Nel quadro di una totale trasparenza e cortesia verso l'utente, l'abbonamento NON si rinnova automaticamente. Per riabbonarsi l'utente dovrà di nuovo effettuare la procedura che ha dovuto compiere la prima volta che si è abbonato.
  • Le risorse costituite da codici di embed di YouTube e di altri siti che incoraggiano lo sharing delle loro risorse (video, libri, audio, immagini, foto ecc.) sono ovviamente di proprietà dei rispettivi siti. L'utente riconosce e accetta che 1) il sito di sharing che ce ne consente l'uso può in ogni momento revocare la disponibilità della risorsa 2) l'eventuale pubblicità che figura all'interno delle risorse non è inserita da noi ma dal sito di sharing 3) eventuali violazioni di copyright sono esclusiva responsabilità del sito di sharing mentre è ovviamente nostra cura scegliere risorse solo da siti di sharing che pratichino una politica rigorosa di controllo e interdizione delle violazioni di copyright.
  • Nel caso l'utente riscontri nel sito una qualsiasi violazione di copyright, è pregato di segnalarcelo immediatamente per consentirci interventi di verifica ed eventuale rimozione del contenuto in questione. I contenuti rimossi saranno, nel limite del possibile, sostituiti con altri contenuti analoghi che non violano il copyright.
  • I servizi linguistici da noi forniti sulle pagine del sito ma erogati da aziende esterne (per esempio, la traduzione interattiva di Google Translate e Bing Translate realizzata rispettivamente da Google e da Microsoft, la vocalizzazione Text To Speech dei testi inglesi fornita da ReadSpeaker, il vocabolario inglese-italiano offerto da Babylon con la sua Babylon Box, il servizio di commenti sociali DISQUS e altri) sono ovviamente responsabilità di queste aziende esterne. Trattandosi di servizi interattivi basati su web, possono esserci delle interruzioni di servizio in relazione ad eventi di manutenzione o di sovraccarico dei server su cui non abbiamo alcun modo di influire. Per esperienza, comunque, tali interruzioni sono rare e di brevissima durata, saremo comunque grati ai nostri utenti che ce le vorranno segnalare.
  • Per quanto riguarda i servizi di traduzione automatica l'utente prende atto che sono forniti "as is" dall'azienda esterna che ce li eroga (Google o Microsoft). Nonostante le ovvie limitazioni, sono strumenti in continuo perfezionamento e sono spesso in grado di fornire all'utente, anche professionale, degli ottimi suggerimenti e spunti per una migliore traduzione.
  • In merito all'utilizzabilità del sito ELINGUE su tablet e cellulari a standard iOs, Android, Windows Phone e Blackberry facciamo notare che l'assenza di standard comuni si ripercuote a volte sulla fruibilità di certe prestazioni tipiche del nostro sito (come il servizio ReadSpeaker e la traduzione automatica con Google Translate). Mentre da parte nostra è costante lo sforzo di rendere sempre più compatibili il nostro sito con il maggior numero di piattaforme mobili, non possiamo però assicurare il pieno raggiungimento di questo obiettivo in quanto non dipende solo da noi. Chi desidera abbonarsi è dunque pregato di verificare prima di perfezionare l'abbonamento la compatibilità del nostro sito con i suoi dispositivi informatici, mobili e non, utilizzando le pagine di esempio che riproducono una pagina tipo per ogni tipologia di risorsa presente sul nostro sito. Non saranno quindi accettati reclami da parte di utenti che, non avendo effettuato queste prove, si trovino poi a non avere un servizio corrispondente a quello sperato. In tutti i casi, facciamo presente che utilizzando browser come Chrome e Safari su pc non mobili (desktop o laptop tradizionali) si ha la massima compatibilità e che il tempo gioca a nostro favore in quanto mano a mano tutti i grandi produttori di browser e di piattaforme mobili stanno convergendo, ognuno alla propria velocità, verso standard comuni.
  • Il sito ELINGUE, diversamente da English Gratis che vive anche di pubblicità, persegue l'obiettivo di limitare o non avere affatto pubblicità sulle proprie pagine in modo da garantire a chi studia l'assenza di distrazioni. Le uniche eccezioni sono 1) la promozione di alcuni prodotti linguistici realizzati e/o garantiti da noi 2) le pubblicità incorporate dai siti di sharing direttamente nelle risorse embeddate che non siamo in grado di escludere 3) le pubblicità eventualmente presenti nei box e player che servono ad erogare i servizi linguistici interattivi prima citati (Google, Microsoft, ReadSpeaker, Babylon ecc.).
  • Per quanto riguarda le problematiche della privacy, non effettuiamo alcun tracciamento dell'attività dell'utente sul nostro sito neppure a fini statistici. Tuttavia non possiamo escludere che le aziende esterne che ci offrono i loro servizi o le loro risorse in modalità sharing effettuino delle operazioni volte a tracciare le attività dell'utente sul nostro sito. Consigliamo quindi all'utente di utilizzare browser che consentano la disattivazione in blocco dei tracciamenti o l'inserimento di apposite estensioni di browser come Ghostery che consentono all'utente di bloccare direttamente sui browser ogni agente di tracciamento.
  • Le risposte agli utenti nella sezione di commenti sociali DISQUS sono fornite all'interno di precisi limiti di accettabilità dei quesiti posti dall'utente. Questi limiti hanno lo scopo di evitare che il servizio possa essere "abusato" attraverso la raccolta e sottoposizione alla redazione di ELINGUE di centinaia o migliaia di quesiti che intaserebbero il lavoro della redazione. Si prega pertanto l'utente di leggere attentamente e comprendere le seguenti limitazioni d'uso del servizio:
    - il servizio è moderato per garantire che non vengano pubblicati contenuti fuori tema o inadatti all'ambiente di studio online
    - la redazione di ELINGUE si riserva il diritto di editare gli interventi degli utenti per correzioni ortografiche e per chiarezza
    - il servizio è erogato solo agli utenti abbonati registrati gratuitamente al servizio di commenti sociali DISQUS
    - l'utente non può formulare più di un quesito al giorno
    - un quesito non può contenere, salvo eccezioni, più di una domanda
    - un utente non può assumere più nomi, identità o account di Disqus per superare i limiti suddetti
    - nell'ambito del servizio non sono forniti servizi di traduzione
    - la redazione di ELINGUE gestisce la priorità delle risposte in modo insindacabile da parte dell'utente
    - in tutti i casi, la redazione di ELINGUE è libera in qualsiasi momento di de-registrare temporaneamente l'utente abbonato dal
      servizio DISQUS qualora sussistano fondati motivi a suo insindacabile giudizio. La misura verrà comunque attuata solo in casi di
      eccezionale gravità.
  • L'utente, inoltre, accetta di tenere Casiraghi Jones Publishing SRL indenne da qualsiasi tipo di responsabilità per l'uso - ed eventuali conseguenze di esso - delle informazioni linguistiche e grammaticali contenute sul sito, in particolare, nella sezione Disqus. Le nostre risposte grammaticali sono infatti improntate ad un criterio di praticità e pragmaticità che a volte è in conflitto con la rigidità delle regole "ufficiali" che tendono a proporre un inglese schematico e semplificato dimenticando la ricchezza e variabilità della lingua reale. Anche l'occasionale difformità tra le soluzioni degli esercizi e le regole grammaticali fornite nella grammatica va concepita come stimolo a formulare domande alla redazione onde poter spiegare più nei dettagli le particolarità della lingua inglese che non possono essere racchiuse in un'opera grammaticale di carattere meramente introduttivo come la nostra grammatica online.

    ELINGUE è un sito di Casiraghi Jones Publishing SRL
    Piazzale Cadorna 10 - 20123 Milano - Italia
    Tel. 02-36553040 - Fax 02-3535258 email: robertocasiraghi@iol.it 
    Iscritta al Registro Imprese di MILANO - C.F. e PARTITA IVA: 11603360154
    Iscritta al R.E.A. di al n. 1478561 • Capitale Sociale Euro 10.400,00 interamente versato