Methods of Authentication

This article calls the authentication factors we are familiar with the ownership factor, knowledge factor, and inherence factor. These names relate to something you have, something you know, and something you are, respectively.


Knowledge Factor

Password

A password is the most common form of authentication in use on computer systems. It is simply a word or string of characters known by the user that is used for authentication. Some passwords are formed from multiple words and may more accurately be called a passphrase. The term passcode is sometimes used when the secret information is purely numeric, such as the personal identification number (PIN) commonly used for ATM access. Passwords are generally short enough to be easily memorized and typed.

Most organizations specify a password policy that sets requirements for the composition and usage of passwords, typically dictating minimum length, required characters (e.g. upper and lower case, numbers, and special characters), and prohibited elements (e.g. own name, D.O.B., address, telephone number). Some governments have national authentication frameworks that define requirements for user authentication to government services, including requirements for passwords.

Password Cracking

Attempting to crack passwords by trying as many possibilities as time and resources permit is known as a brute force attack. A related method, rather more efficient in most cases, is a dictionary attack. In a dictionary attack, all words in one or more dictionaries are tested. Lists of common passwords are also typically tested.

Password strength is the likelihood that a password cannot be guessed or discovered, and varies with the attack algorithm used. Passwords easily discovered are termed weak or vulnerable; passwords very difficult or impossible to discover are considered strong. There are several programs available for password attack (or even auditing and recovery by systems personnel), some of which use password design vulnerabilities to increase efficiency. These programs are sometimes used by system administrators to detect weak passwords proposed by users.
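The password policy and the weak-password check described above can be combined into one validator run when a user proposes a password. This is an added example, not code from the original article; the minimum length of 12, the tiny common-password list, and the names `Policy`, `check_password` and `personal` are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample; a real deployment would load a much larger list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

CLASS_PATTERNS = {
    "upper": r"[A-Z]",
    "lower": r"[a-z]",
    "digit": r"[0-9]",
    "special": r"[^A-Za-z0-9]",
}

@dataclass(frozen=True)
class Policy:
    min_length: int = 12  # assumed value, set by the organization's policy
    required_classes: tuple = ("upper", "lower", "digit", "special")

def _tokens(personal):
    """Yield fragments of the user's own data (name, D.O.B., phone, ...)."""
    for value in personal.values():
        for part in re.split(r"[^A-Za-z0-9]+", value.lower()):
            if len(part) >= 4:          # ignore fragments too short to matter
                yield part
        digits = re.sub(r"\D", "", value)
        if len(digits) >= 4:            # whole date or phone number as digits
            yield digits

def check_password(candidate, personal, policy=Policy()):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append("too short")
    for name in policy.required_classes:
        if not re.search(CLASS_PATTERNS[name], candidate):
            problems.append(f"missing {name}")
    lowered = candidate.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("common password")
    # Also compare with separators stripped, so "A.l.i.c.e" still matches.
    squeezed = re.sub(r"[^a-z0-9]", "", lowered)
    if any(t in lowered or t in squeezed for t in set(_tokens(personal))):
        problems.append("contains personal data")
    return problems

# Constructed user record for demonstration.
SAMPLE_USER = {"name": "Alice Example", "dob": "1990-04-17", "phone": "+1 555 0100"}
```
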