Password
Contents
1 History
2 Choosing a secure and memorable password
3 Factors in the security of a password system
  3.1 Rate at which an attacker can try guessed passwords
  3.2 Limits on the number of password guesses
  3.3 Form of stored passwords
  3.4 Methods of verifying a password over a network
    3.4.1 Simple transmission of the password
    3.4.2 Transmission through encrypted channels
    3.4.3 Hash-based challenge-response methods
    3.4.4 Zero-knowledge password proofs
  3.5 Procedures for changing passwords
  3.6 Password longevity
  3.7 Number of users per password
  3.8 Password security architecture
  3.9 Password reuse
  3.10 Writing down passwords on paper
  3.11 After death
  3.12 Multi-factor authentication
4 Password rules
5 Password cracking
  5.1 Incidents
6 Alternatives to passwords for authentication
7 "The Password is dead"
8 See also
9 References
10 External links
History
Passwords have been used since ancient times. Sentries would challenge those
wishing to enter an area to supply a password or watchword, and would only allow a
person or group to pass if they knew the password. Polybius describes the system for
the distribution of watchwords in the Roman military as follows:
The way in which they secure the passing round of the watchword for the night is as
follows: from the tenth maniple of each class of infantry and cavalry, the maniple which
is encamped at the lower end of the street, a man is chosen who is relieved from guard
duty, and he attends every day at sunset at the tent of the tribune, and receiving from
him the watchword – that is a wooden tablet with the word inscribed on it – takes his
leave, and on returning to his quarters passes on the watchword and tablet before
witnesses to the commander of the next maniple, who in turn passes it to the one next
him. All do the same until it reaches the first maniples, those encamped near the tents
of the tribunes. These latter are obliged to deliver the tablet to the tribunes before dark.
So that if all those issued are returned, the tribune knows that the watchword has been
given to all the maniples, and has passed through all on its way back to him. If any one
of them is missing, he makes inquiry at once, as he knows by the marks from what
quarter the tablet has not returned, and whoever is responsible for the stoppage meets
with the punishment he merits.[6]
Passwords in military use evolved to include not just a password, but a password and a
counterpassword; for example, in the opening days of the Battle of Normandy,
paratroopers of the U.S. 101st Airborne Division used a password, "flash", which was
presented as a challenge, and answered with the correct response, "thunder". The
challenge and response were changed every three days. American paratroopers also
famously used a device known as a "cricket" on D-Day in place of a password system
as a temporarily unique method of identification; one metallic click given by the device in
lieu of a password was to be met by two clicks in reply.[7]
Passwords have been used with computers since the earliest days of computing.
The Compatible Time-Sharing System (CTSS), an operating system introduced
at MIT in 1961, was the first computer system to implement password login.[8][9] CTSS
had a LOGIN command that requested a user password. "After typing PASSWORD, the
system turns off the printing mechanism, if possible, so that the user may type in his
password with privacy."[10] In the early 1970s, Robert Morris developed a system of
storing login passwords in a hashed form as part of the Unix operating system. The
system was based on a simulated Hagelin rotor crypto machine, and first appeared in
6th Edition Unix in 1974. A later version of his algorithm, known as crypt(3), used a
12-bit salt and invoked a modified form of the DES algorithm 25 times to reduce the risk
of pre-computed dictionary attacks.[11]
In modern times, user names and passwords are commonly used by people during
a login process that controls access to protected computer operating systems, mobile
phones, cable TV decoders, automated teller machines (ATMs), etc. A typical computer
user has passwords for many purposes: logging into accounts, retrieving e-mail,
accessing applications, databases, networks, web sites, and even reading the morning
newspaper online.
Password rules
Further information: Password policy
Most organizations specify a password policy that sets requirements for the composition
and usage of passwords, typically dictating minimum length, required categories (e.g.,
upper and lower case, numbers, and special characters), prohibited elements (e.g., use
of one's own name, date of birth, address, telephone number). Some governments have
national authentication frameworks[52] that define requirements for user authentication to
government services, including requirements for passwords.
Many websites enforce standard rules such as minimum and maximum length, but also
frequently include composition rules such as featuring at least one capital letter and at
least one number/symbol. These latter, more specific rules were largely based on a
2003 report by the National Institute of Standards and Technology (NIST), authored by
Bill Burr.[53] It originally proposed the practice of using numbers, obscure characters and
capital letters and updating regularly. In a 2017 Wall Street Journal article, Burr reported
he regrets these proposals and made a mistake when he recommended them.[54]
According to a 2017 rewrite of this NIST report, many websites have rules that actually
have the opposite effect on the security of their users. This includes complex
composition rules as well as forced password changes after certain periods of time.
While these rules have long been widespread, they have also long been seen as
annoying and ineffective by both users and cyber-security experts.[55] The NIST
recommends people use longer phrases as passwords (and advises websites to raise
the maximum password length) instead of hard-to-remember passwords with "illusory
complexity" such as "pA55w+rd".[56] A user prevented from using the password
"password" may simply choose "Password1" if required to include a number and
uppercase letter. Combined with forced periodic password changes, this can lead to
passwords that are difficult to remember but easy to crack.[53]
Paul Grassi, one of the 2017 NIST report's authors, further elaborated: "Everyone
knows that an exclamation point is a 1, or an I, or the last character of a password. $ is
an S or a 5. If we use these well-known tricks, we aren’t fooling any adversary. We are
simply fooling the database that stores passwords into thinking the user did something
good."[55]
Pieris Tsokkis and Eliana Stavrou identified several bad password construction
strategies through their research and development of a password generator tool. They
came up with eight categories of password construction strategies based on exposed
password lists, password cracking tools, and online reports citing the most used
passwords. These categories are user-related information, keyboard combinations
and patterns, placement strategy, word processing, substitution, capitalization, appended
dates, and a combination of the previous categories.[57]
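The contrast the section draws between 2003-style composition rules and the 2017 NIST guidance can be made concrete in code. The following is an added example, not from the article or from NIST: a legacy composition check beside an SP 800-63B-style screen that relies on length, a blocklist and context words, and that undoes the "well-known tricks" Grassi describes before comparing. The blocklist and the substitution table are constructed for illustration.

```python
import re
import unicodedata
from typing import Optional, Tuple

# Constructed stand-in for a breach-derived "commonly used" list; a real one
# has millions of entries.
BLOCKLIST = {"password", "password1", "123456", "12345678", "qwerty",
             "letmein", "welcome", "iloveyou", "monkey", "dragon"}

# The substitutions attackers' rule sets already undo ("$ is an S or a 5"),
# so the blocklist screen undoes them too.
LEET = str.maketrans({"@": "a", "$": "s", "5": "s", "0": "o", "1": "i",
                      "!": "i", "3": "e", "4": "a", "7": "t", "+": "t"})


def legacy_policy_ok(pw: str) -> bool:
    """2003-style composition policy: 8-16 characters with at least one
    uppercase letter, one lowercase letter and one digit.  It accepts
    "Password1" and rejects a long passphrase."""
    return (8 <= len(pw) <= 16
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None)


def normalize(pw: str) -> str:
    """Reduce a password to the word it is built from: lowercase, strip
    leading/trailing digits and symbols ("Password1", "letmein!!"), then
    undo leet substitutions ("P@ssw0rd" -> "password")."""
    s = unicodedata.normalize("NFKC", pw).lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    s = s.translate(LEET)
    return re.sub(r"[^a-z]", "", s)


def nist_style_check(pw: str, context: Tuple[str, ...] = ()) -> Optional[str]:
    """SP 800-63B-style screen: length bounds only, no composition rules,
    reject commonly used values and values containing context-specific
    words (user name, service name).  Returns a rejection reason or None."""
    if len(pw) < 8:
        return "too short (minimum 8)"
    if len(pw) > 64:
        return "too long (maximum 64)"
    low = unicodedata.normalize("NFKC", pw).lower()
    norm = normalize(pw)
    if low in BLOCKLIST or norm in BLOCKLIST:
        return f"commonly used (normalizes to {norm or low!r})"
    for word in context:
        if len(word) >= 4 and normalize(word) in norm:
            return f"contains context word {word!r}"
    return None


def compare(pw: str, context: Tuple[str, ...] = ()) -> Tuple[bool, Optional[str]]:
    """Run both policies side by side: (legacy accepts?, NIST-style reason)."""
    return legacy_policy_ok(pw), nist_style_check(pw, context)


if __name__ == "__main__":
    for candidate in ("Password1", "P@ssw0rd!", "correct horse battery staple",
                      "jsmith2021!", "12345678"):
        legacy, reason = compare(candidate, context=("jsmith",))
        print(f"{candidate!r:32} legacy={'accept' if legacy else 'reject':7} "
              f"nist={'accept' if reason is None else 'reject: ' + reason}")
```

Note that "Password1" passes the legacy policy and fails the blocklist screen, while the four-word passphrase fails the legacy policy and passes the NIST-style one.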
Password cracking
Main article: Password cracking
Attempting to crack passwords by trying as many possibilities as time and money permit
is a brute force attack. A related method, rather more efficient in most cases, is
a dictionary attack. In a dictionary attack, all words in one or more dictionaries are
tested. Lists of common passwords are also typically tested.
Password strength is the likelihood that a password cannot be guessed or discovered,
and varies with the attack algorithm used. Cryptologists and computer scientists often
refer to the strength or 'hardness' in terms of entropy.[14]
Passwords easily discovered are termed weak or vulnerable; passwords very difficult or
impossible to discover are considered strong. There are several programs available for
password attack (or even auditing and recovery by systems personnel) such
as L0phtCrack, John the Ripper, and Cain; some of which use password design
vulnerabilities (as found in the Microsoft LANManager system) to increase efficiency.
These programs are sometimes used by system administrators to detect weak
passwords proposed by users.
Studies of production computer systems have consistently shown that a large fraction of
all user-chosen passwords are readily guessed automatically. For example, Columbia
University found 22% of user passwords could be recovered with little effort.[58] According
to Bruce Schneier, examining data from a 2006 phishing attack, 55%
of MySpace passwords would be crackable in 8 hours using a commercially available
Password Recovery Toolkit capable of testing 200,000 passwords per second in 2006.[59]
He also reported that the single most common password was password1, confirming
yet again the general lack of informed care in choosing passwords among users. (He
nevertheless maintained, based on these data, that the general quality of passwords
has improved over the years—for example, average length was up to eight characters
from under seven in previous surveys, and less than 4% were dictionary words.[60])
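Why strength "varies with the attack algorithm used" is easiest to see by putting the two attacks the section names side by side. This added example (not from the article) estimates the brute-force keyspace of a password and then counts how many guesses a rule-based dictionary attack actually needs, at the 200,000 guesses per second quoted above; the wordlist and mangling rules are constructed stand-ins for a real cracker's configuration, of the kind an administrator auditing weak passwords would use.

```python
import math

GUESSES_PER_SECOND = 200_000   # rate of the 2006 toolkit quoted in the text

# Constructed, frequency-ordered stand-in for a real common-password list.
WORDLIST = ["password", "123456", "qwerty", "letmein", "monkey", "dragon",
            "football", "thunder", "welcome", "iloveyou", "sunshine", "princess"]

LEET = str.maketrans("aeios", "43105")


def mangle(word):
    """Yield candidates derived from one wordlist entry in the order a simple
    rule-based cracker tries them: the word and its case/leet variants first,
    then each variant with a numeric suffix, then with a symbol suffix."""
    bases = (word, word.capitalize(), word.upper(), word.translate(LEET))
    for base in bases:
        yield base
    for base in bases:
        for n in range(10_000):
            yield f"{base}{n}"
    for base in bases:
        for suffix in ("!", "!!", "?", "."):
            yield base + suffix


def dictionary_guesses(target, wordlist=WORDLIST):
    """Guesses the dictionary attack needs before it hits `target`, or None
    if the target cannot be derived from the list with these rules."""
    n = 0
    for word in wordlist:
        for candidate in mangle(word):
            n += 1
            if candidate == target:
                return n
    return None


def brute_force_keyspace(pw):
    """Candidates a naive brute-force attack must cover if it knows only the
    length and which character classes occur (33 printable symbols assumed)."""
    classes = ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: not c.isalnum(), 33))
    charset = sum(size for pred, size in classes if any(pred(c) for c in pw))
    return charset ** len(pw)


def entropy_bits(pw):
    """Entropy under the brute-force model, in bits."""
    return math.log2(brute_force_keyspace(pw))


def seconds_to_crack(guesses, rate=GUESSES_PER_SECOND):
    return guesses / rate


def report(pw):
    """Worst-case brute-force effort versus the dictionary attack's real effort."""
    guesses = dictionary_guesses(pw)
    return {
        "password": pw,
        "brute_force_bits": round(entropy_bits(pw), 1),
        "brute_force_years": seconds_to_crack(brute_force_keyspace(pw)) / 31_557_600,
        "dictionary_guesses": guesses,
        "dictionary_seconds": None if guesses is None else seconds_to_crack(guesses),
    }


if __name__ == "__main__":
    for pw in ("password1", "Password1", "p455w0rd", "correct horse battery staple"):
        print(report(pw))
```

Under the brute-force model "Password1" looks like 53 bits and thousands of years at this rate; the dictionary attack finds it in about ten thousand guesses, a fraction of a second, which is the gap between nominal and effective entropy.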
Incidents
See also
Access code (disambiguation)
Authentication
CAPTCHA
Cognitive science
Diceware
Kerberos (protocol)
Keyfile
Passphrase
Password cracking
Password fatigue
Password length parameter
Password manager
Password notification e-mail
Password policy
Password psychology
Password strength
Password synchronization
Password-authenticated key agreement
Pre-shared key
Random password generator
Rainbow table
Self-service password reset
Usability of web authentication systems
References
1. "passcode". YourDictionary. Retrieved 17 May 2019.
2. "password". Computer Security Resource Center (NIST). Retrieved 17 May 2019.
3. Grassi, Paul A.; Garcia, Michael E.; Fenton, James L. (June 2017). "NIST Special Publication 800-63-3: Digital Identity Guidelines". National Institute of Standards and Technology (NIST). doi:10.6028/NIST.SP.800-63-3. Retrieved 17 May 2019.
4. "authentication protocol". Computer Security Resource Center (NIST). Retrieved 17 May 2019.
5. "Passphrase". Computer Security Resource Center (NIST). Retrieved 17 May 2019.
6. Polybius on the Roman Military. Archived 2008-02-07 at the Wayback Machine. Ancienthistory.about.com (2012-04-13). Retrieved on 2012-05-20.
7. Mark Bando (2007). 101st Airborne: The Screaming Eagles in World War II. Mbi Publishing Company. ISBN 978-0-7603-2984-9. Archived from the original on 2 June 2013. Retrieved 20 May 2012.
8. McMillan, Robert (27 January 2012). "The World's First Computer Password? It Was Useless Too". Wired magazine. Retrieved 22 March 2019.
9. Hunt, Troy (26 July 2017). "Passwords Evolved: Authentication Guidance for the Modern Era". Retrieved 22 March 2019.
10. CTSS Programmers Guide, 2nd Ed., MIT Press, 1965.
11. Morris, Robert; Thompson, Ken (1978-04-03). "Password Security: A Case History". Bell Laboratories. CiteSeerX 10.1.1.128.1635.
12. Vance, Ashlee (2010-01-10). "If Your Password Is 123456, Just Make It HackMe". The New York Times. Archived from the original on 2017-02-11.
13. "Managing Network Security". Fred Cohen and Associates, All.net. Archived from the original on March 2, 2008. Retrieved 2009-03-31; retrieved on 2012-05-20.
14. Lundin, Leigh (2013-08-11). "PINs and Passwords, Part 2". Passwords. Orlando: SleuthSayers.
15. The Memorability and Security of Passwords (pdf). Archived 2012-04-14 at the Wayback Machine. ncl.ac.uk. Retrieved on 2012-05-20.
16. Michael E. Whitman; Herbert J. Mattord (2014). Principles of Information Security. Cengage Learning. p. 162. ISBN 978-1-305-17673-7.
17. Lewis, Dave (2011). Ctrl-Alt-Delete. p. 17. ISBN 978-1471019111. Retrieved 10 July 2015.
18. Techlicious / Fox Van Allen @techlicious (2013-08-08). "Google Reveals the 10 Worst Password Ideas | TIME.com". Techland.time.com. Archived from the original on 2013-10-22. Retrieved 2013-10-16.
19. Lyquix Blog: Do We Need to Hide Passwords? Archived 2012-04-25 at the Wayback Machine. Lyquix.com. Retrieved on 2012-05-20.
20. Jonathan Kent, Malaysia car thieves steal finger. Archived 2010-11-20 at the Wayback Machine. BBC (2005-03-31).
21. Stuart Brown, "Top ten passwords used in the United Kingdom". Modernlifeisrubbish.co.uk (2006-05-26). Archived from the original on November 8, 2006. Retrieved 2007-08-14; retrieved on 2012-05-20.
22. US patent 8046827.
23. Wilkes, M. V. Time-Sharing Computer Systems. American Elsevier, New York (1968).
24. Schofield, Jack (10 March 2003). "Roger Needham". The Guardian.
25. The Bug Charmer: Passwords Matter. Archived 2013-11-02 at the Wayback Machine. Bugcharmer.blogspot.com (2012-06-20). Retrieved on 2013-07-30.
26. Alexander, Steven (2012-06-20). The Bug Charmer: How long should passwords be? Archived 2012-09-20 at the Wayback Machine. Bugcharmer.blogspot.com. Retrieved on 2013-07-30.
27. "passlib.hash - Password Hashing Schemes". Archived 2013-07-21 at the Wayback Machine.
28. Florencio et al., An Administrator's Guide to Internet Password Research (pdf). Archived 2015-02-14 at the Wayback Machine. Retrieved on 2015-03-14.
29. Cracking Story – How I Cracked Over 122 Million SHA1 and MD5 Hashed Passwords « Thireus' Bl0g. Archived 2012-08-30 at the Wayback Machine. Blog.thireus.com (2012-08-29). Retrieved on 2013-07-30.
30. Morris, Robert & Thompson, Ken (1979). "Password Security: A Case History". Communications of the ACM. 22 (11): 594–597. CiteSeerX 10.1.1.135.2097. doi:10.1145/359168.359172. S2CID 207656012. Archived from the original on 2003-03-22.
31. Password Protection for Modern Operating Systems (pdf). Archived 2016-03-11 at the Wayback Machine. Usenix.org. Retrieved on 2012-05-20.
32. How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases. Archived 2006-05-09 at the Wayback Machine. support.microsoft.com (2007-12-03). Retrieved on 2012-05-20.
33. "Why You Should Lie When Setting Up Password Security Questions". Techlicious. 2013-03-08. Archived from the original on 2013-10-23. Retrieved 2013-10-16.
34. Joseph Steinberg (12 November 2014). "Forbes: Why You Should Ignore Everything You Have Been Told About Choosing Passwords". Forbes. Archived from the original on 12 November 2014. Retrieved 12 November 2014.
35. "The problems with forcing regular password expiry". IA Matters. CESG: the Information Security Arm of GCHQ. 15 April 2016. Archived from the original on 17 August 2016. Retrieved 5 Aug 2016.
36. Schneier on Security discussion on changing passwords. Archived 2010-12-30 at the Wayback Machine. Schneier.com. Retrieved on 2012-05-20.
37. Seltzer, Larry (2010-02-09). "American Express: Strong Credit, Weak Passwords". Archived 2017-07-12 at the Wayback Machine. Pcmag.com. Retrieved on 2012-05-20.
38. "Ten Windows Password Myths". Archived 2016-01-28 at the Wayback Machine: "NT dialog boxes ... limited passwords to a maximum of 14 characters".
39. "You must provide a password between 1 and 8 characters in length". Jira.codehaus.org. Retrieved on 2012-05-20. Archived May 21, 2015, at the Wayback Machine.
40. "To Capitalize or Not to Capitalize?" Archived 2009-02-17 at the Wayback Machine. World.std.com. Retrieved on 2012-05-20.
41. Thomas, Keir (February 10, 2011). "Password Reuse Is All Too Common, Research Shows". PC World. Archived from the original on August 12, 2014. Retrieved August 10, 2014.
42. Pauli, Darren (16 July 2014). "Microsoft: You NEED bad passwords and should re-use them a lot". The Register. Archived from the original on 12 August 2014. Retrieved 10 August 2014.
43. Bruce Schneier: Crypto-Gram Newsletter, May 15, 2001. Archived 2011-11-15 at the Wayback Machine.
44. "Ten Windows Password Myths". Archived 2016-01-28 at the Wayback Machine: Myth #7. You Should Never Write Down Your Password.
45. Kotadia, Munir (2005-05-23). Microsoft security guru: Jot down your passwords. News.cnet.com. Retrieved on 2012-05-20.
46. "The Strong Password Dilemma" by Richard E. Smith. Archived 2010-07-18 at the Wayback Machine: "we can summarize classical password selection rules as follows: The password must be impossible to remember and never written down."
47. Bob Jenkins (2013-01-11). "Choosing Random Passwords". Archived from the original on 2010-09-18.
48. "The Memorability and Security of Passwords – Some Empirical Results" (pdf). Archived 2011-02-19 at the Wayback Machine: "your password ... in a secure place, such as the back of your wallet or purse."
Secret Life of Passwords". The New York Times. Archived from the original on November 28, 2014.
63. "Consumer Password Worst Practices" (PDF). Archived (PDF) from the original on 2011-07-28.
64. "NATO site hacked". The Register. 2011-06-24. Archived from the original on June 29, 2011. Retrieved July 24, 2011.
65. "Anonymous Leaks 90,000 Military Email Accounts in Latest Antisec Attack". 2011-07-11. Archived from the original on 2017-07-14.
66. "Military Password Analysis". 2011-07-12. Archived from the original on 2011-07-15.
67. "The Quest to Replace Passwords" (PDF). IEEE. 2012-05-15. Archived (PDF) from the original on 2015-03-19. Retrieved 2015-03-11.
68. "Gates predicts death of the password". CNET. 2004-02-25. Archived from the original on 2015-04-02. Retrieved 2015-03-14.
69. Cryptology ePrint Archive: Report 2005/434. Archived 2006-06-14 at the Wayback Machine. eprint.iacr.org. Retrieved on 2012-05-20.
70. T. Matsumoto; H. Matsumoto; K. Yamada & S. Hoshino (2002). "Impact of artificial 'Gummy' Fingers on Fingerprint Systems". Proc. SPIE, Optical Security and Counterfeit Deterrence Techniques IV. 4677: 275. Bibcode:2002SPIE.4677..275M. doi:10.1117/12.462719. S2CID 16897825.
71. Using AJAX for Image Passwords – AJAX Security Part 1 of 3. Archived 2006-06-16 at the Wayback Machine. waelchatila.com (2005-09-18). Retrieved on 2012-05-20.
72. Butler, Rick A. (2004-12-21). Face in the Crowd. Archived 2006-06-27 at the Wayback Machine. mcpmag.com. Retrieved on 2012-05-20.
73. graphical password or graphical user authentication (GUA). Archived 2009-02-21 at the Wayback Machine. searchsecurity.techtarget.com. Retrieved on 2012-05-20.
74. Ericka Chickowski (2010-11-03). "Images Could Change the Authentication Picture". Dark Reading. Archived from the original on 2010-11-10.
75. "Confident Technologies Delivers Image-Based, Multifactor Authentication to Strengthen Passwords on Public-Facing Websites". 2010-10-28. Archived from the original on 2010-11-07.
76. User Manual for 2-Dimensional Key (2D Key) Input Method and System. Archived 2011-07-18 at the Wayback Machine. xpreeli.com (2008-09-08). Retrieved on 2012-05-20.
77. Kok-Wah Lee, "Methods and Systems to Create Big Memorizable Secrets and Their Applications". Patent US20110055585, WO2010010430. Archived 2015-04-13 at the Wayback Machine. Filing date: December 18, 2008.
78. Kotadia, Munir (25 February 2004). "Gates predicts death of the password". ZDNet. Retrieved 8 May 2019.
79. "IBM Reveals Five Innovations That Will Change Our Lives within Five Years". IBM. 2011-12-19. Archived from the original on 2015-03-17. Retrieved 2015-03-14.
80. Honan, Mat (2012-05-15). "Kill the Password: Why a String of Characters Can't Protect Us Anymore". Wired. Archived from the original on 2015-03-16. Retrieved 2015-03-14.
81. "Google security exec: 'Passwords are dead'". CNET. 2004-02-25. Archived from the original on 2015-04-02. Retrieved 2015-03-14.
82. "Authentication at Scale". IEEE. 2013-01-25. Archived from the original on 2015-04-02. Retrieved 2015-03-12.
83. Mims, Christopher (2014-07-14). "The Password Is Finally Dying. Here's Mine". Wall Street Journal. Archived from the original on 2015-03-13. Retrieved 2015-03-14.
84. "Russian credential theft shows why the password is dead". Computer World. 2014-08-14. Archived from the original on 2015-04-02. Retrieved 2015-03-14.
85. "NSTIC head Jeremy Grant wants to kill passwords". Fedscoop. 2014-09-14. Archived from the original on 2015-03-18. Retrieved 2015-03-14.
86. "Specifications Overview". FIDO Alliance. 2014-02-25. Archived from the original on 2015-03-15. Retrieved 2015-03-15.
87. "A Research Agenda Acknowledging the Persistence of Passwords". IEEE Security & Privacy. Jan 2012. Archived from the original on 2015-06-20. Retrieved 2015-06-20.
88. Bonneau, Joseph; Herley, Cormac; Oorschot, Paul C. van; Stajano, Frank (2012). "The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes". Technical Report, University of Cambridge Computer Laboratory. Cambridge, UK. ISSN 1476-2986. Retrieved 22 March 2019.
89. Bonneau, Joseph; Herley, Cormac; Oorschot, Paul C. van; Stajano, Frank (2012). The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes. 2012 IEEE Symposium on Security and Privacy. San Francisco, CA. pp. 553–567. doi:10.1109/SP.2012.44.
External links
Graphical Passwords: A Survey
Large list of commonly used passwords
Large collection of statistics about passwords
Research Papers on Password-based Cryptography
The international passwords conference
Procedural Advice for Organisations and Administrators (PDF)
Centre for Security, Communications and Network Research, University of Plymouth (PDF)
2017 draft update to NIST password standards for the U.S. federal government
Memorable and secure password generator
This page was last edited on 7 January 2021, at 02:22 (UTC).