The ancient folk tale of Ali Baba and the forty thieves mentions the use of a password. In this story, Ali Baba finds that the phrase “Open Sesame” magically opens the entrance to a cave where the thieves have hidden their treasure. Similarly, modern computer systems use passwords to authenticate users and allow them entrance to system resources and data shares on an automated basis. The use of passwords in computer systems likely can be traced to the earliest time-sharing and dial-up networks. Passwords were probably not used before then in purely batch systems.
The security provided by a password system depends on the passwords being kept secret at all times. Thus, a password is vulnerable to compromise whenever it is used, stored, or even known. In a password-based authentication mechanism implemented on a computer system, passwords are vulnerable to compromise due to five essential aspects of the password system:
Passwords must be initially assigned to users when they are enrolled on the system;
Users’ passwords must be changed periodically;
The system must maintain a “password database”;
Users must remember their passwords; and
Users must enter their passwords into the system at authentication time.
Because of these factors, a number of protection schemes have been developed for maintaining password security. These include implementing policies and mechanisms to ensure “strong” passwords, encrypting the password database, and simplifying the sign on and password synchronization processes. Even so, a number of sophisticated cracking tools are available today that threaten password security. For that reason, it is often advised that passwords be combined with some other form of security to achieve strong authentication.
- TYPES OF IDENTIFICATION/AUTHENTICATION
Access control is the security service that deals with granting or denying permission for subjects (e.g., users or programs) to use objects (e.g., other programs or files) on a given computer system. Access control can be accomplished through either hardware or software features, operating procedures, management procedures, or a combination of these. Access control mechanisms are classified by their ability to verify the authenticity of a user. The three basic verification methods are as follows:
What you have (examples: smart card or token);
What you are (examples: biometric fingerprint [see Figure 1] or iris pattern); and
What you know (examples: PIN or password).
Of all verification methods, passwords are probably the weakest, yet they are still the most widely used method in systems today. In order to guarantee strong authentication, a system ought to combine two or more of these factors. For example, in order to access an ATM, one must have a bank card and know his or her personal identification number (PIN).
- HISTORY OF PASSWORDS IN MODERN COMPUTING
Conjecture as to which system was the first to incorporate passwords has been bandied about by several computing pioneers on the Cyberspace History List-Server (CYHIST). However, there has not been any concrete evidence as yet to support one system or another as the progenitor. The consensus opinion favors the Compatible Time Sharing System (CTSS) developed at the Massachusetts Institute of Technology (MIT) Computation Center beginning in 1961. As part of Project MAC (Multiple Access Computer) under the direction of Professor Fernando J. “Corby” Corbató, the system was implemented on an IBM 7094 and reportedly began using passwords by 1963. According to researcher Norman Hardy, who worked on the project, the security of passwords immediately became an issue as well: “I can vouch for some version of CTSS having passwords. It was in the second edition of the CTSS manual, I think, that illustrated the login command. It had Corby’s user name and password. It worked—and he changed it the same day.”
Passwords were widely in use by the early 1970s as the “hacker” culture began to develop, possibly in tacit opposition to the ARPANET. Now, with the explosion of the Internet, the use of passwords and the quantity of confidential data that those passwords protect have grown exponentially. But just as the 40 thieves’ password protection system was breached (the cave could not differentiate between Ali Baba’s voice and those of the thieves), computer password systems have also been plagued by a number of vulnerabilities. Although strong password authentication has remained a “hard” problem in cryptography despite advances in both symmetric (secret-key) and asymmetric (public-key) cryptosystems, the history of password authentication is replete with examples of weak, easily compromised systems. In general, “weak” authentication systems are characterized by protocols that either leak the password directly over the network or leak sufficient information while performing authentication to allow intruders to deduce or guess at the password.
- Green Book: The Need for Accountability
In 1983, the U.S. Department of Defense Computer Security Center (CSC) published the venerable tome Trusted Computer System Evaluation Criteria, also known as the Orange Book. This publication defined the assurance requirements for security protection of computer systems that were to be used in processing classified or other sensitive information. One major requirement imposed by the Orange Book was accountability: “Individual accountability is the key to securing and controlling any system that processes information on behalf of individuals or groups of individuals” (Latham, 1985).
The Orange Book clarified accountability as follows:
Individual user identification: Without this, there is no way to distinguish the actions of one user on a system from those of another.
Authentication: Without this, user identification has no credibility. And without a credible identity, no security policies can be properly invoked because there is no assurance that proper authorizations can be made.
The CSC went on to publish the Password Management Guideline (also known as the Green Book) in 1985 “to assist in providing that much needed credibility of user identity by presenting a set of good practices related to the design, implementation and use of password-based user authentication mechanisms.” The Green Book outlined a number of steps that system security administrators should take to ensure password security on the system and suggested that, whenever possible, they be automated. These include the following 10 rules (Brotzman, 1985):
System security administrators should change the passwords for all standard user IDs before allowing the general user population to access the system.
A new user should always appear to the system as having an “expired password” which will require the user to change the password by the usual procedure before receiving authorization to access the system.
Each user ID should be assigned to only one person. No two people should ever have the same user ID at the same time, or even at different times. It should be considered a security violation when two or more people know the password for a user ID.
Users need to be aware of their responsibility to keep passwords private and to report changes in their user status, suspected security violations, etc. Users should also be required to sign a statement to acknowledge understanding of these responsibilities.
Passwords should be changed on a periodic basis to counter the possibility of undetected password compromise.
Users should memorize their passwords and not write them on any medium. If passwords must be written, they should be protected in a manner that is consistent with the damage that could be caused by their compromise.
Stored passwords should be protected by access controls provided by the system, by password encryption, or by both.
Passwords should be encrypted immediately after entry, and the memory containing the plaintext password should be erased immediately after encryption.
Only the encrypted password should be used in comparisons. There is no need to be able to decrypt passwords. Comparisons can be made by encrypting the password entered at login and comparing the encrypted form with the encrypted password stored in the password database.
The system should not echo passwords that users type in, or at least should mask the entered password (e.g., with asterisks).
- PASSWORD SECURITY BACKGROUND
- Information Theory
Cryptography is a powerful mechanism for securing data and keeping them confidential. The idea is that the original message is scrambled via an algorithm (or cipher), and only those with the correct key can unlock the scrambled message and get back the plaintext contents. In general, the strength of a cryptographic algorithm is based on the length and quality of its keys. Passwords pose a similar problem: the greater their length and quality, the more difficult they should be to attack, whether by dictionary, hybrid, or brute-force attacks. However, the quality of a password, just as the quality of a cryptographic key, is based on entropy. Entropy is a measure of disorder.
An example of entropy
Say a user is filling out a form on a Web page (see Figure 2). The form has a space for “Sex,” and leaves six characters for entering either “female” or “male” before encrypting the form entry and sending it to the server. If each character is a byte (i.e., 8 bits), then 6 × 8 = 48 bits will be sent for this response. Is this how much information is actually contained in the field, though?
Clearly, there is only one bit of data represented by the entry—a binary value—either male or female. That means that there is only one bit of entropy (or uncertainty) and there are 47 bits of redundancy in the field. This redundancy could be used by a cryptanalyst (someone who analyzes cryptosystems) to help crack the key.
Fundamental work by Claude Shannon during the 1940s illustrated this concept, that is, that the amount of information in a message is not necessarily a function of the length of a message (or the number of symbols used in the message) (Sloane & Wyner, 1993). Instead, the amount of information in a message is determined by how many different possible messages there are and how frequently each message is used.
The same concepts apply to password security. A longer password is not necessarily a better password. Rather, a password that is difficult to guess (i.e., one that has high entropy) is best. This usually comes from a combination of factors (see “Guidelines for selecting a good password”). The probability that any single attempt at guessing a password will be successful is one of the most critical factors in a password system. This probability depends on the size of the password space and the statistical distribution within that space of passwords that are actually used.
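The entropy argument above, worked through as an added example (not part of the original article): it reproduces the 1 bit / 47 bits split for the form field, then compares a uniform password space with a skewed one. The function names and the 10,000-value skewed distribution are assumptions constructed for illustration.

```python
import math

def shannon_entropy_bits(probs):
    """Shannon entropy H = -sum(p * log2 p) of a distribution, in bits."""
    return -sum(p * math.log2(p) for p in probs if p > 0)

def field_redundancy_bits(field_bytes, probs):
    """Bits sent for a fixed-width field minus the information it carries."""
    return field_bytes * 8 - shannon_entropy_bits(probs)

def guess_success(probs, guesses):
    """Chance that trying the most popular values first hits one account
    within `guesses` attempts."""
    return sum(sorted(probs, reverse=True)[:guesses])

def skewed_space(size, popular, popular_share):
    """Constructed model: `popular` values are chosen by `popular_share` of
    users; everyone else is spread evenly over the rest of the space."""
    rest = size - popular
    return [popular_share / popular] * popular + [(1 - popular_share) / rest] * rest

# The form field from the text: 6 bytes sent, two equally likely answers.
SEX_FIELD = [0.5, 0.5]

# Constructed password spaces of 10,000 values (e.g. 4-digit PINs).
UNIFORM = [1 / 10_000] * 10_000
SKEWED = skewed_space(10_000, popular=20, popular_share=0.25)

if __name__ == "__main__":
    print("field entropy    :", shannon_entropy_bits(SEX_FIELD), "bit")
    print("field redundancy :", field_redundancy_bits(6, SEX_FIELD), "bits")
    for name, dist in (("uniform", UNIFORM), ("skewed", SKEWED)):
        print(f"{name:8} entropy {shannon_entropy_bits(dist):6.2f} bits, "
              f"P(hit in 20 guesses) {guess_success(dist, 20):.4f}")
```

In this constructed model the skew removes only about 1.4 bits of Shannon entropy, yet the chance of a hit within 20 guesses rises from 0.2% to 25%, which is why the distribution of passwords actually used matters as much as the size of the space.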
Over the past several decades, Moore’s Law has made it possible to brute-force password spaces of larger and larger entropy. In addition, there is a limit to the entropy that the average user can remember. A user cannot typically remember a 32-character password, but that is what is required to have the equivalent strength of a 128-bit key. Recently, password cracking tools have advanced to the point of being able to crack nearly anything a system could reasonably expect a user to memorize (see “Password Length and Human Memory”).
- Cryptographic Protection of Passwords
Early on, the most basic and least secure method of authentication was to store passwords in plaintext (i.e., unencrypted) in a database on the server. During authentication, the client would send his or her password to the server, and the server would compare this against the stored value. Obviously, however, if the password file were accessible to unauthorized users, the security of the system could be easily compromised.
In later systems, developers discovered that a server did not have to store a user’s password in plaintext form in order to perform password authentication. Instead, the user’s password could be transformed through a one-way function, such as a hashing function, into a random-looking sequence of bytes. Such a function would be difficult to invert. In other words, given a password, it would be easy to compute its hash, but given a hash, it would be computationally infeasible to compute the password from it (see “Hashing”). Authentication would consist merely of performing the hash function over the client’s password and comparing it to the stored value. The password database itself could be made accessible to all users without fear of an intruder being able to steal passwords from it.
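The store-and-compare scheme described above, which is also what Green Book rules 7 to 9 call for, as an added example that is not code from the original article. The per-user salt, the PBKDF2 work factor and the constant-time comparison go beyond the bare hash the text describes; they, the function names and the sample users are assumptions of this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example; tune to hardware

def one_way(password: str, salt: bytes) -> bytes:
    """One-way transform of the password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def enroll(db: dict, user: str, password: str) -> None:
    """Store only (salt, transformed password); the plaintext is never kept."""
    salt = os.urandom(16)
    db[user] = (salt, one_way(password, salt))

def authenticate(db: dict, user: str, password: str) -> bool:
    """Re-run the transform on the login attempt and compare the results."""
    record = db.get(user)
    if record is None:
        one_way(password, b"\x00" * 16)  # equal work for unknown users
        return False
    salt, stored = record
    # Constant-time comparison of the two transformed values.
    return hmac.compare_digest(one_way(password, salt), stored)

def demo_db() -> dict:
    """Constructed sample database: two users who picked the same password."""
    db = {}
    enroll(db, "alice", "Open Sesame")
    enroll(db, "bob", "Open Sesame")
    return db

if __name__ == "__main__":
    db = demo_db()
    print("correct password accepted :", authenticate(db, "alice", "Open Sesame"))
    print("wrong password accepted   :", authenticate(db, "alice", "open sesame"))
    print("identical stored values   :", db["alice"][1] == db["bob"][1])
```

Because each record carries its own salt, two users with the same password get different stored values, so one precomputed guess cannot be checked against every account at once.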
This article will be continued in the next post.
See also: Passwords Part-02
Post Credited From Encyclopedia Of Communication & Internet
Source Encyclopedia Of Internet Page 36 to 38