Passwords

Passwords are strings of characters used to authenticate a user's identity and grant access to a system or account. They serve as a form of security by requiring individuals to prove their identity before gaining entry. Strong passwords typically include a combination of letters, numbers, and special characters to enhance security.

Written by Perlego with AI-assistance

4 Key excerpts on "Passwords"

Index pages curate the most relevant extracts from our library of academic textbooks. They’ve been created using an in-house natural language model (NLM), each adding context and meaning to key research topics.
  • Surviving Security: How to Integrate People, Process, and Technology

    ...Some companies have gone so far as to develop their own secured database for password storage. These solutions, though, dictate that the company keep all the passwords in one place, so security must be very tight. Some opponents argue that passwords only authenticate a password, not a user. We will discuss biometrics — a method that can actually authenticate a person — later in the section entitled “Biometrics.” Passwords are vulnerable to brute-force attacks, dictionary attacks, theft, and forgetfulness. They are also vulnerable to weak password authentication. If an application sends passwords in plain text (not encrypted) to the authenticating server, any network sniffer can figure out the password, whether it is 257 or 2 characters long. Other choices for authentication, which we will discuss later, include physical devices such as tokens or smart cards. Although these systems appear more secure, they might not actually be so. The choice between passwords and hardware devices often comes down to a trade-off between the physical security offered by a token and the mathematical security inherent in a strong password. (You have to trust that your users will select strong passwords.) You might find that the strongest authentication method is actually a combination of two or more schemes.

    Digital Certificates

    We discussed the concept of digital certificates in Chapter 4, “Cryptography and Encryption.” One use for them in your security infrastructure is user authentication. Digital certificates are often used in security-conscious industries, such as finance and healthcare. Because of the high cost and complexity of the public-key infrastructure (PKI) required to use digital certificates for authentication, most organizations find this method infeasible...

  • Cybersecurity Fundamentals: A Real-World Perspective
    Kutub Thakur, Al-Sakib Khan Pathan (Authors); 2020 (Publication Date); CRC Press (Publisher)

    ...Moreover, passwords are also used to access the online digital services connected through the Internet. There are different types and forms of passwords used in the modern world. The following are a few among them:

    • Conventional password
    • Biometric passwords
    • Two-factor authentication
    • Multi-factor authentication
    • Social media logins
    • Email logins
    • One-time password (OTP)
    • Smart keys and physical tokens

    Modern passwords consist of a minimum length of 8 characters and a maximum of 64 characters in certain cases. The strength of a password increases with the number of characters, because the possibility of guessing and decoding the hash through computer power will be near to impossible in the case of strong 64-character passwords. Let us expand upon more aspects of a modern digital password used in the field of computer and information technology.

    7.2.1 Threats to Passwords

    The major threat to your password is user sluggishness, which often discourages the user from following the password management guidelines. Password theft is one of the major reasons for DDoS attacks and many other data thefts and financial frauds. According to the latest research conducted in 2018, it was found that a large number of people use very generic passwords such as 123456, 12345678, and abc123. These passwords are very easy to guess and to snoop while you input the password. The WatchGuard security survey Q2 2018 found that more than 1,700 people working in governmental and military organizations of Australia used the “123456” password! Other weak passwords used by those government employees included “password” (544 people), “linkedin” (405 people), and “12345678” (120 people). All these passwords are the most unreliable and easy-to-guess passwords in the world. Many organizations and security companies have already blacklisted these passwords from being used. The use of weak passwords is highly prone to the risk of being stolen easily. So, easy passwords should never be used...

  • Web Security: A WhiteHat Perspective

    ...However, achieving a sufficiently secure password authentication scheme is not easy. The first issue to consider when designing a password authentication scheme is password strength. On the choice of user password strength, each website has its own strategy (Figure 9.1).

    Figure 9.1: Requirement of password strength on the registration page.

    Generally, during registration, websites will describe how a password should be (Figure 9.2).

    Figure 9.2: Requirement of password strength on the registration page.

    At present, there is no standard password strategy; however, here is a brief summary of some best practices recommended by OWASP*:

    In terms of password length:
    • A general application requires a length of 6 bytes or more.
    • An important application requires a length of 8 bytes or more, and recommends two-factor authentication.

    In terms of password complexity:
    • Passwords are case sensitive.
    • Passwords are a combination of two or more of uppercase letters, lowercase letters, numbers, and special characters.
    • Don’t use a continuity of characters, such as 1234abcd; such weak passwords can be easily guessed by others.
    • Avoid repeated characters, such as 1111.

    Besides the strategies recommended by OWASP, we should also not use public data or personal data as passwords. For example, do not use your QQ number, ID number, nickname, phone number (mobile number), birthday, English name, or company name as passwords; these data may be available on the Internet and are not very secure. Twitter, a microblogging site, listed 300 weak passwords in the process of user registration; if a user’s password is in this list, the user will be prompted that the password is not secure. Nowadays, hackers use brute force to crack passwords. They choose some weak passwords, such as 123456, guess the username, and then finally find an account that uses a weak password...

  • Internet Security: A Jumpstart for Systems Administrators and IT Managers
    Tim Speed, Juanita Ellis (Authors); 2003 (Publication Date); Digital Press (Publisher)

    ...Most operating systems and web servers will have some built-in mechanism to manage the password policies that you will put in place. If possible, take the following steps:

    1. Enforce a reasonable minimum password length, which increases the number of permutations needed to randomly or programmatically guess someone’s password. You should also enforce an alphanumeric password combination.
    2. Enforce maximum and minimum password age. A maximum password age forces the user to change the password after a period of time, preventing someone else from discovering it. A minimum password age prevents a user from immediately reverting back to a previous password after a change.
    3. Enforce password uniqueness and maintain password history. These steps prevent users from bouncing between their favorite passwords. You should specify the number of unique passwords that a user must have before that user can use a password that has previously been used.

    6.3.2 Tokens

    One authentication method is to use a concept known as “tokens.” Tokens can be hardware and/or software. One mechanism that tokens provide is to authenticate at a central point and receive a token. That token is then used via a session to access several secure resources. NT uses a similar system with its System Account Management (SAM) DB. Another type of token is a computerlike card, which is effectively a password calculator. In this case, there is no physical connection to the client computer. In essence, no software or hardware is required of the client. The token contains a secret value, which is used to respond to challenges. Some of the best-known token cards are from ActivCard and from Security Dynamics (SecurID). Token cards can also protect against both passive attacks and instant replay attacks, in which one of the “bad dudes” records valid authentication information exchanged between one of the computers and then attempts to replay it later to gain entry...