HOME

TheInfoList




A password, sometimes called a passcode (for example in
Apple An apple is an edible fruit produced by an apple tree (''Malus domestica''). Apple fruit tree, trees are agriculture, cultivated worldwide and are the most widely grown species in the genus ''Malus''. The tree originated in Central Asia, wher ...
devices), is secret data, typically a string of characters, usually used to confirm a user's identity. Traditionally, passwords were expected to be memorized, but the large number of password-protected services that a typical individual accesses can make memorization of unique passwords for each service impractical. Using the terminology of the NIST Digital Identity Guidelines, the secret is held by a party called the ''claimant'' while the party verifying the identity of the claimant is called the ''verifier''. When the claimant successfully demonstrates knowledge of the password to the verifier through an established
authentication protocolAn authentication protocol is a type of computer communications protocol A communication protocol is a system of rules that allows two or more entities of a communications system 400px, Communication system A communications system or commun ...
, the verifier is able to infer the claimant's identity. In general, a password is an arbitrary
string String or strings may refer to: *String (structure), a long flexible structure made from threads twisted together, which is used to tie, bind, or hang other objects Arts, entertainment, and media Films * Strings (1991 film), ''Strings'' (1991 fil ...
of
characters Character(s) may refer to: Arts, entertainment, and media Literature * Character (novel), ''Character'' (novel), a 1936 Dutch novel by Ferdinand Bordewijk * Characters (Theophrastus), ''Characters'' (Theophrastus), a classical Greek set of char ...
including letters, digits, or other symbols. If the permissible characters are constrained to be numeric, the corresponding secret is sometimes called a
personal identification number A personal identification number (PIN), or sometimes redundantly a PIN number, is a numeric (sometimes alpha-numeric) passcode used in the process of authenticating a user accessing a system. The PIN has been the key to flourishing the private d ...
(PIN). Despite its name, a password does not need to be an actual word; indeed, a non-word (in the dictionary sense) may be harder to guess, which is a desirable property of passwords. A memorized secret consisting of a sequence of words or other text separated by spaces is sometimes called a
passphrase A passphrase is a sequence of words or other text used to control access to a computer A computer is a machine that can be programmed to carry out sequences of arithmetic or logical operations automatically. Modern computers can perform g ...
. A passphrase is similar to a password in usage, but the former is generally longer for added security.


History

Passwords have been used since ancient times. Sentries would challenge those wishing to enter an area to supply a password or ''watchword'', and would only allow a person or group to pass if they knew the password.
Polybius Polybius (; grc-gre, Πολύβιος, ; ) was a Greek historian of the Hellenistic period The Hellenistic period covers the period of Mediterranean history between the death of Alexander the Great in 323 BC and the emergence of the R ...

Polybius
describes the system for the distribution of watchwords in the
Roman military The military of ancient Rome, according to Titus Livius, one of the more illustrious historians of Rome over the centuries, was a key element in the rise of Rome over “above seven hundred years” from a small settlement in Latium to the capital ...
as follows:
The way in which they secure the passing round of the watchword for the night is as follows: from the tenth maniple of each class of infantry and cavalry, the maniple which is encamped at the lower end of the street, a man is chosen who is relieved from guard duty, and he attends every day at sunset at the tent of the
tribune Tribune () was the title of various elected officials in . The two most important were the and the s. For most of Roman history, a college of ten tribunes of the plebs acted as a check on the authority of the and the , holding the power of ...

tribune
, and receiving from him the watchword—that is a wooden tablet with the word inscribed on it – takes his leave, and on returning to his quarters passes on the watchword and tablet before witnesses to the commander of the next maniple, who in turn passes it to the one next to him. All do the same until it reaches the first maniples, those encamped near the tents of the tribunes. These latter are obliged to deliver the tablet to the tribunes before dark. So that if all those issued are returned, the tribune knows that the watchword has been given to all the maniples, and has passed through all on its way back to him. If any one of them is missing, he makes inquiry at once, as he knows by the marks from what quarter the tablet has not returned, and whoever is responsible for the stoppage meets with the punishment he merits.
Passwords in military use evolved to include not just a password, but a password and a counterpassword; for example in the opening days of the
Battle of Normandy Operation Overlord was the codename for the Battle of Normandy, the Allied operation that launched the successful invasion of German-occupied Western Europe Western Europe is the region of Europe Europe is a continent A cont ...
, paratroopers of the U.S. 101st Airborne Division used a password—''flash''—which was presented as a challenge, and answered with the correct response—''thunder''. The challenge and response were changed every three days. American paratroopers also famously used a device known as a "cricket" on
D-Day The Normandy landings were the s and associated airborne operations on Tuesday, 6 June 1944 of the Allied in during . Codenamed Operation Neptune and often referred to as , it was the largest seaborne invasion in history. The operation bega ...

D-Day
in place of a password system as a temporarily unique method of identification; one metallic click given by the device in lieu of a password was to be met by two clicks in reply. Passwords have been used with computers since the earliest days of computing. The
Compatible Time-Sharing System The Compatible Time-Sharing System (CTSS) was one of the first time-sharing In computing Computing is any goal-oriented activity requiring, benefiting from, or creating computing machinery. It includes the study and experimentation of algori ...
(CTSS), an operating system introduced at
MIT Massachusetts Institute of Technology (MIT) is a private land-grant research university A research university is a university A university ( la, universitas, 'a whole') is an educational institution, institution of higher education, hi ...

MIT
in 1961, was the first computer system to implement password login. CTSS had a LOGIN command that requested a user password. "After typing PASSWORD, the system turns off the printing mechanism, if possible, so that the user may type in his password with privacy." In the early 1970s,
Robert MorrisRobert or Bob Morris may refer to: Politics * Robert Hunter Morris (1700–1764), Lieutenant Governor of Colonial Pennsylvania * Robert Morris (financier) (1734–1806), financier of the American Revolution and signatory to three of the United Stat ...
developed a system of storing login passwords in a hashed form as part of the
Unix Unix (; trademarked as UNIX) is a family of multitasking, multiuser Multi-user software is computer software Software is a collection of Instruction (computer science), instructions and data (computing), data that tell a computer how to ...

Unix
operating system. The system was based on a simulated Hagelin rotor crypto machine, and first appeared in 6th Edition Unix in 1974. A later version of his algorithm, known as crypt(3), used a 12-bit
salt Salt is a mineral composed primarily of sodium chloride (NaCl), a chemical compound belonging to the larger class of Salt (chemistry), salts; salt in its natural form as a crystallinity, crystalline mineral is known as rock salt or halite. Sa ...
and invoked a modified form of the DES algorithm 25 times to reduce the risk of pre-computed
dictionary attack In cryptanalysis and computer security, a dictionary attack is a form of Brute-force attack, brute force attack technique for defeating a cipher or Authentication protocol, authentication mechanism by trying to determine its decryption key or pass ...
s. In modern times, user names and passwords are commonly used by people during a
log in In computer security Computer security, cybersecurity, or information technology security (IT security) is the protection of computer system A computer is a machine that can be programmed to carry out Sequence, sequences of arithm ...
process that to protected computer
operating system An operating system (OS) is system software System software is software designed to provide a platform for other software. Examples of system software include operating systems like macOS macOS (; previously Mac OS X and later ...

operating system
s,
mobile phone A mobile phone, cellular phone, cell phone, cellphone, handphone, or hand phone, sometimes shortened to simply mobile, cell or just phone, is a portable telephone A telephone is a telecommunications device that permits two or more use ...

mobile phone
s,
cable TV Cable television is a system of delivering television broadcast programming, programming to consumers via radio frequency (RF) signals transmitted through coaxial cables, or in more recent systems, light pulses through fibre-optic cables. This ...
decoders,
automated teller machine An automated teller machine (ATM) or cash machine (in British English) is an electronic telecommunications device that enables customers of financial institutions to perform financial transactions, such as cash withdrawals, deposits, funds ...
s (ATMs), etc. A typical
computer user A user is a person who utilizes a computer A computer is a machine that can be programmed to carry out sequences of arithmetic or logical operations automatically. Modern computers can perform generic sets of operations known as Comp ...
has passwords for many purposes: logging into accounts, retrieving
e-mail upThe email_address.html"_;"title="at_sign,_a_part_of_every_SMTP_email_address">at_sign,_a_part_of_every_SMTP_email_address Electronic_mail_(email_or_e-mail)_is_a_method_of_exchanging_messages_("mail")_between_people_using_electronic_dev ...

e-mail
, accessing applications, databases, networks, web sites, and even reading the morning newspaper online.


Choosing a secure and memorable password

The easier a password is for the owner to remember generally means it will be easier for an
attacker In some team sport A team is a
entropy Entropy is a scientific concept as well as a measurable physical property that is most commonly associated with a state of disorder, randomness, or uncertainty. The term and the concept are used in diverse fields, from classical thermodynamics ...
) than shorter passwords with a wide variety of characters. In ''The Memorability and Security of Passwords'', Jeff Yan et al. examine the effect of advice given to users about a good choice of password. They found that passwords based on thinking of a phrase and taking the first letter of each word are just as memorable as naively selected passwords, and just as hard to crack as randomly generated passwords. Combining two or more unrelated words and altering some of the letters to special characters or numbers is another good method, but a single dictionary word is not. Having a personally designed algorithm for generating obscure passwords is another good method. However, asking users to remember a password consisting of a "mix of uppercase and lowercase characters" is similar to asking them to remember a sequence of bits: hard to remember, and only a little bit harder to crack (e.g. only 128 times harder to crack for 7-letter passwords, less if the user simply capitalises one of the letters). Asking users to use "both letters and digits" will often lead to easy-to-guess substitutions such as 'E' → '3' and 'I' → '1', substitutions that are well known to attackers. Similarly typing the password one keyboard row higher is a common trick known to attackers. In 2013, Google released a list of the most common password types, all of which are considered insecure because they are too easy to guess (especially after researching an individual on social media): * The name of a pet, child, family member, or significant other * Anniversary dates and birthdays * Birthplace * Name of a favorite holiday * Something related to a favorite sports team * The word "password"


Alternatives to memorization

Traditional advice to memorize passwords and never write them down has become a challenge because of the sheer number of passwords users of computers and the internet are expected to maintain. One survey concluded that the average user has around 100 passwords. To manage the proliferation of passwords, some users employ the same password for multiple accounts, a dangerous practice since a data breach in one account could compromise the rest. Less risky alternatives include the use of
password manager A password manager is a computer program that allows users to store, generate, and manage their password A password, sometimes called a passcode, is a memorized secret, typically a string of characters, usually used to confirm a user's identity ...
s,
single sign-on Single may refer to: Arts, entertainment, and media * Single (music), a song release Songs * Single (Natasha Bedingfield song), "Single" (Natasha Bedingfield song), 2004 * Single (New Kids on the Block and Ne-Yo song), "Single" (New Kids on the B ...
systems and simply keeping paper lists of less critical passwords. Such practices can reduce the number of passwords that must be memorized, such as the password manager's master password, to a more manageable number.


Factors in the security of a password system

The security of a password-protected system depends on several factors. The overall system must be designed for sound security, with protection against
computer virus A computer virus is a type of computer program A computer program is a collection of instructions that can be executed by a computer to perform a specific task. A computer program is usually written by a computer programmer in a programm ...

computer virus
es,
man-in-the-middle attack In cryptography Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or ''-logia ''-logy'' is a suffix In linguistics Linguistics is the science, scientific study of lan ...
s and the like. Physical security issues are also a concern, from deterring shoulder surfing to more sophisticated physical threats such as video cameras and keyboard sniffers. Passwords should be chosen so that they are hard for an attacker to guess and hard for an attacker to discover using any of the available automatic attack schemes. See
password strength Password strength is a measure of the effectiveness of a password A password, sometimes called a passcode, is a memorized secret, typically a string of characters, usually used to confirm a user's identity. Using the terminology of the NIST D ...
and
computer security Computer security, cybersecurity, or information technology security (IT security) is the protection of computer system A computer is a machine that can be programmed to carry out Sequence, sequences of arithmetic or logical operations ...
for more information. Nowadays, it is a common practice for computer systems to hide passwords as they are typed. The purpose of this measure is to prevent bystanders from reading the password; however, some argue that this practice may lead to mistakes and stress, encouraging users to choose weak passwords. As an alternative, users should have the option to show or hide passwords as they type them.Lyquix Blog: Do We Need to Hide Passwords?
. Lyquix.com. Retrieved on 2012-05-20.
Effective access control provisions may force extreme measures on criminals seeking to acquire a password or biometric token. Less extreme measures include
extortion Extortion is the practice of obtaining benefit through . In most jurisdictions it is likely to constitute a ; the bulk of this article deals with such cases. is the simplest and most common form of extortion, although making unfounded threat ...
, rubber hose cryptanalysis, and
side channel attack Side or Sides may refer to: Geometry * Edge (geometry) :''For edge in graph theory In mathematics, graph theory is the study of ''graph (discrete mathematics), graphs'', which are mathematical structures used to model pairwise relations betwee ...

side channel attack
. Some specific password management issues that must be considered when thinking about, choosing, and handling, a password follow.


Rate at which an attacker can try guessed passwords

The rate at which an attacker can submit guessed passwords to the system is a key factor in determining system security. Some systems impose a time-out of several seconds after a small number (e.g., three) of failed password entry attempts, also known as throttling. In the absence of other vulnerabilities, such systems can be effectively secure with relatively simple passwords if they have been well chosen and are not easily guessed. Many systems store a
cryptographic hash ) at work. A small change in the input (in the word "over") drastically changes the output (digest). This is the so-called avalanche effect In cryptography Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ...
of the password. If an attacker gets access to the file of hashed passwords guessing can be done offline, rapidly testing candidate passwords against the true password's hash value. In the example of a web-server, an online attacker can guess only at the rate at which the server will respond, while an off-line attacker (who gains access to the file) can guess at a rate limited only by the hardware on which the attack is running. Passwords that are used to generate cryptographic keys (e.g., for
disk encryptionDisk encryption is a technology which protects information by converting it into unreadable code that cannot be deciphered easily by unauthorized people. Disk encryption uses disk encryption software Disk encryption software is computer security sof ...
or
Wi-Fi Wi-Fi () is a family of wireless network A wireless network is a computer network that uses wireless data connections between network nodes. Wireless networking is a method by which homes, telecommunications networks and business installatio ...

Wi-Fi
security) can also be subjected to high rate guessing. Lists of common passwords are widely available and can make password attacks very efficient. (See
Password cracking In cryptanalysis cipher machine Cryptanalysis (from the Greek language, Greek ''kryptós'', "hidden", and ''analýein'', "to analyze") refers to the process of analyzing information system An information system (IS) is a formal, sociotechnica ...
.) Security in such situations depends on using passwords or passphrases of adequate complexity, making such an attack computationally infeasible for the attacker. Some systems, such as PGP and Wi-Fi WPA, apply a computation-intensive hash to the password to slow such attacks. See
key stretching In cryptography Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or ''-logia ''-logy'' is a suffix In linguistics Linguistics is the science, scientific study of la ...
.


Limits on the number of password guesses

An alternative to limiting the rate at which an attacker can make guesses on a password is to limit the total number of guesses that can be made. The password can be disabled, requiring a reset, after a small number of consecutive bad guesses (say 5); and the user may be required to change the password after a larger cumulative number of bad guesses (say 30), to prevent an attacker from making an arbitrarily large number of bad guesses by interspersing them between good guesses made by the legitimate password owner. Attackers may conversely use knowledge of this mitigation to implement a
denial of service attack In computing Computing is any goal-oriented activity requiring, benefiting from, or creating computing machinery. It includes the study and experimentation of algorithmic processes and development of both computer hardware , hardware and soft ...

denial of service attack
against the user by intentionally locking the user out of their own device; this denial of service may open other avenues for the attacker to manipulate the situation to their advantage via social engineering.


Form of stored passwords

Some computer systems store user passwords as
plaintext In cryptography, plaintext usually means unencrypted information pending input into cryptographic algorithms, usually encryption In cryptography Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphe ...
, against which to compare user logon attempts. If an attacker gains access to such an internal password store, all passwords—and so all user accounts—will be compromised. If some users employ the same password for accounts on different systems, those will be compromised as well. More secure systems store each password in a cryptographically protected form, so access to the actual password will still be difficult for a snooper who gains internal access to the system, while validation of user access attempts remains possible. The most secure don't store passwords at all, but a one-way derivation, such as a
polynomial In mathematics Mathematics (from Ancient Greek, Greek: ) includes the study of such topics as quantity (number theory), mathematical structure, structure (algebra), space (geometry), and calculus, change (mathematical analysis, analysis). I ...

polynomial
, modulus, or an advanced
hash function A hash function is any function Function or functionality may refer to: Computing * Function key A function key is a key on a computer A computer is a machine that can be programmed to carry out sequences of arithmetic or logical ...
. Roger Needham invented the now-common approach of storing only a "hashed" form of the plaintext password. When a user types in a password on such a system, the password handling software runs through a
cryptographic hash ) at work. A small change in the input (in the word "over") drastically changes the output (digest). This is the so-called avalanche effect In cryptography Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ...
algorithm, and if the hash value generated from the user's entry matches the hash stored in the password database, the user is permitted access. The hash value is created by applying a
cryptographic hash function A cryptographic hash function A hash function is any function Function or functionality may refer to: Computing * Function key A function key is a key on a computer A computer is a machine that can be programmed to carry out s ...
to a string consisting of the submitted password and, in many implementations, another value known as a
salt Salt is a mineral composed primarily of sodium chloride (NaCl), a chemical compound belonging to the larger class of Salt (chemistry), salts; salt in its natural form as a crystallinity, crystalline mineral is known as rock salt or halite. Sa ...
. A salt prevents attackers from easily building a list of hash values for common passwords and prevents password cracking efforts from scaling across all users. and SHA1 are frequently used cryptographic hash functions, but they are not recommended for password hashing unless they are used as part of a larger construction such as in
PBKDF2 In cryptography, PBKDF1 and PBKDF2 (Password-Based Key Derivation Function 1 and 2) are key derivation functions with a sliding computational cost, used to reduce vulnerabilities of brute-force attacks. PBKDF2 is part of RSA Laboratories' Publi ...
.Alexander, Steven. (2012-06-20
The Bug Charmer: How long should passwords be?
. Bugcharmer.blogspot.com. Retrieved on 2013-07-30.
The stored data—sometimes called the "password verifier" or the "password hash"—is often stored in Modular Crypt Format or RFC 2307 hash format, sometimes in the /etc/passwd file or the /etc/shadow file. The main storage methods for passwords are plain text, hashed, hashed and salted, and reversibly encrypted.Florencio et al.
An Administrator's Guide to Internet Password Research
. (pdf) Retrieved on 2015-03-14.
If an attacker gains access to the password file, then if it is stored as plain text, no cracking is necessary. If it is hashed but not salted then it is vulnerable to
rainbow table A rainbow table is a precomputed table for caching the output of cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering a key derivation function (or credit card numbers, etc.) up to a certain ...
attacks (which are more efficient than cracking). If it is reversibly encrypted then if the attacker gets the decryption key along with the file no cracking is necessary, while if he fails to get the key cracking is not possible. Thus, of the common storage formats for passwords only when passwords have been salted and hashed is cracking both necessary and possible. If a cryptographic hash function is well designed, it is computationally infeasible to reverse the function to recover a
plaintext In cryptography, plaintext usually means unencrypted information pending input into cryptographic algorithms, usually encryption In cryptography Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphe ...
password. An attacker can, however, use widely available tools to attempt to guess the passwords. These tools work by hashing possible passwords and comparing the result of each guess to the actual password hashes. If the attacker finds a match, they know that their guess is the actual password for the associated user. Password cracking tools can operate by brute force (i.e. trying every possible combination of characters) or by hashing every word from a list; large lists of possible passwords in many languages are widely available on the Internet. The existence of
password cracking In cryptanalysis cipher machine Cryptanalysis (from the Greek language, Greek ''kryptós'', "hidden", and ''analýein'', "to analyze") refers to the process of analyzing information system An information system (IS) is a formal, sociotechnica ...
tools allows attackers to easily recover poorly chosen passwords. In particular, attackers can quickly recover passwords that are short, dictionary words, simple variations on dictionary words, or that use easily guessable patterns. A modified version of the DES algorithm was used as the basis for the password hashing algorithm in early
Unix Unix (; trademarked as UNIX) is a family of multitasking, multiuser Multi-user software is computer software Software is a collection of Instruction (computer science), instructions and data (computing), data that tell a computer how to ...

Unix
systems. The
crypt A crypt (from Latin Latin (, or , ) is a classical language belonging to the Italic languages, Italic branch of the Indo-European languages. Latin was originally spoken in the area around Rome, known as Latium. Through the power of the Roma ...
algorithm used a 12-bit salt value so that each user's hash was unique and iterated the DES algorithm 25 times in order to make the hash function slower, both measures intended to frustrate automated guessing attacks. The user's password was used as a key to encrypt a fixed value. More recent Unix or Unix-like systems (e.g.,
Linux Linux ( or ) is a family of open-source Unix-like A Unix-like (sometimes referred to as UN*X or *nix) operating system is one that behaves in a manner similar to a Unix system, while not necessarily conforming to or being certified to a ...

Linux
or the various
BSD The Berkeley Software Distribution (BSD) is a discontinued based on , developed and distributed by the (CSRG) at the . The term "BSD" commonly refers to its descendants, including , , , and . BSD was initially called Berkeley Unix because it ...

BSD
systems) use more secure password hashing algorithms such as
PBKDF2 In cryptography, PBKDF1 and PBKDF2 (Password-Based Key Derivation Function 1 and 2) are key derivation functions with a sliding computational cost, used to reduce vulnerabilities of brute-force attacks. PBKDF2 is part of RSA Laboratories' Publi ...
,
bcrypt bcrypt is a password-hashing function designed by Niels Provos and David Mazières, based on the Blowfish (cipher), Blowfish cipher and presented at USENIX in 1999. Besides incorporating a salt (cryptography), salt to protect against rainbow tab ...

bcrypt
, and
scrypt In cryptography, scrypt (pronounced "ess crypt") is a password-based key derivation function created by Colin Percival, originally for the Tarsnap online backup service. The algorithm was specifically designed to make it costly to perform larg ...
, which have large salts and an adjustable cost or number of iterations. A poorly designed hash function can make attacks feasible even if a strong password is chosen. See
LM hash LAN Manager was a network operating system (NOS) available from multiple vendors and developed by Microsoft Microsoft Corporation is an American multinational corporation, multinational technology company with headquarters in Redmond, Washin ...
for a widely deployed and insecure example.


Methods of verifying a password over a network


Simple transmission of the password

Passwords are vulnerable to interception (i.e., "snooping") while being transmitted to the authenticating machine or person. If the password is carried as electrical signals on unsecured physical wiring between the user access point and the central system controlling the password database, it is subject to snooping by
wiretapping Telephone tapping (also wire tapping or wiretapping in American English American English (AmE, AE, AmEng, USEng, en-US), sometimes called United States English or U.S. English, is the set of varieties of the English language native to the ...
methods. If it is carried as packeted data over the Internet, anyone able to watch the packets containing the logon information can snoop with a very low probability of detection. Email is sometimes used to distribute passwords but this is generally an insecure method. Since most email is sent as
plaintext In cryptography, plaintext usually means unencrypted information pending input into cryptographic algorithms, usually encryption In cryptography Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphe ...
, a message containing a password is readable without effort during transport by any eavesdropper. Further, the message will be stored as
plaintext In cryptography, plaintext usually means unencrypted information pending input into cryptographic algorithms, usually encryption In cryptography Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphe ...
on at least two computers: the sender's and the recipient's. If it passes through intermediate systems during its travels, it will probably be stored on there as well, at least for some time, and may be copied to
backup In information technology, a backup, or data backup is a copy of computer data Data (treated as singular, plural, or as a mass noun) is any sequence of one or more symbol A symbol is a mark, sign, or word that indicates, signifies, or i ...

backup
,
cache Cache, caching, or caché may refer to: Places * Cache (Aosta) Cache is a frazione of the city of Aosta, in the Aosta Valley region of Italy. Frazioni of Aosta Valley Aosta {{Aosta-geo-stub ..., a frazione in Italy * Cache Creek (disambig ...
or history files on any of these systems. Using client-side encryption will only protect transmission from the mail handling system server to the client machine. Previous or subsequent relays of the email will not be protected and the email will probably be stored on multiple computers, certainly on the originating and receiving computers, most often in clear text.


Transmission through encrypted channels

The risk of interception of passwords sent over the Internet can be reduced by, among other approaches, using
cryptographic Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or '' -logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of third ...

cryptographic
protection. The most widely used is the
Transport Layer Security Transport Layer Security (TLS), the successor of the now-deprecated Secure Sockets Layer Transport Layer Security (TLS), the successor of the now-deprecated Secure Sockets Layer Transport Layer Security (TLS), and its now-deprecated predecesso ...
(TLS, previously called
SSLSSL may refer to: Entertainment * RoboCup Small Size League * ''Sesame Street Live ''Sesame Street Live'' is a live touring show based on the children's television show ''Sesame Street'' produced by Feld Entertainment. History The VStar Entertain ...
) feature built into most current Internet
browsers Browse, browser or browsing may refer to: Programs *Web browser, a program used to access the World Wide Web *Code browser, a program for navigating source code *File browser or file manager, a program used to manage files and related objects *Har ...

browsers
. Most browsers alert the user of a TLS/SSL-protected exchange with a server by displaying a closed lock icon, or some other sign, when TLS is in use. There are several other techniques in use; see
cryptography Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or ''-logia ''-logy'' is a suffix in the English language, used with words originally adapted from Ancient Greek ending in (''- ...

cryptography
.


Hash-based challenge–response methods

Unfortunately, there is a conflict between stored hashed-passwords and hash-based
challenge–response authentication In computer security, challenge–response authentication is a family of protocols in which one party presents a question ("challenge") and another party must provide a valid answer ("response") to be authentication, authenticated. The simplest ex ...
; the latter requires a client to prove to a server that they know what the
shared secret In cryptography Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or ''-logia ''-logy'' is a suffix In linguistics Linguistics is the science, scientific study of lan ...

shared secret
(i.e., password) is, and to do this, the server must be able to obtain the shared secret from its stored form. On many systems (including
Unix Unix (; trademarked as UNIX) is a family of multitasking, multiuser Multi-user software is computer software Software is a collection of Instruction (computer science), instructions and data (computing), data that tell a computer how to ...

Unix
-type systems) doing remote authentication, the shared secret usually becomes the hashed form and has the serious limitation of exposing passwords to offline guessing attacks. In addition, when the hash is used as a shared secret, an attacker does not need the original password to authenticate remotely; they only need the hash.


Zero-knowledge password proofs

Rather than transmitting a password, or transmitting the hash of the password,
password-authenticated key agreementIn cryptography Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or ''-logy, -logia'', "study", respectively), is the practice and study of techniques for secure communication in th ...
systems can perform a
zero-knowledge password proof In cryptography, a zero-knowledge password proof (ZKPP) is an interactive method for one party (the prover) to prove to another party (the verifier) that it knows a value of a password, without revealing anything other than the fact that it knows th ...
, which proves knowledge of the password without exposing it. Moving a step further, augmented systems for
password-authenticated key agreementIn cryptography Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or ''-logy, -logia'', "study", respectively), is the practice and study of techniques for secure communication in th ...
(e.g., AMP, B-SPEKE, PAK-Z, SRP-6) avoid both the conflict and limitation of hash-based methods. An augmented system allows a client to prove knowledge of the password to a server, where the server knows only a (not exactly) hashed password, and where the unhashed password is required to gain access.


Procedures for changing passwords

Usually, a system must provide a way to change a password, either because a user believes the current password has been (or might have been) compromised, or as a precautionary measure. If a new password is passed to the system in unencrypted form, security can be lost (e.g., via wiretapping) before the new password can even be installed in the password database and if the new password is given to a compromised employee, little is gained. Some websites include the user-selected password in an unencrypted confirmation e-mail message, with the obvious increased vulnerability.
Identity management Identity management (IdM), also known as identity and access management (IAM or IdAM), is a framework of policies and technologies to ensure that the right users (in an enterprise) have the appropriate access to technology resources. IdM systems f ...
systems are increasingly used to automate the issuance of replacements for lost passwords, a feature called
self-service password reset Self-service password reset (SSPR) is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate factor, and repair their own problem, without ca ...
. The user's identity is verified by asking questions and comparing the answers to ones previously stored (i.e., when the account was opened). Some password reset questions ask for personal information that could be found on social media, such as mother's maiden name. As a result, some security experts recommend either making up one's own questions or giving false answers.


Password longevity

"Password aging" is a feature of some operating systems which forces users to change passwords frequently (e.g., quarterly, monthly or even more often). Such policies usually provoke user protest and foot-dragging at best and hostility at worst. There is often an increase in the number of people who note down the password and leave it where it can easily be found, as well as help desk calls to reset a forgotten password. Users may use simpler passwords or develop variation patterns on a consistent theme to keep their passwords memorable. Because of these issues, there is some debate as to whether password aging is effective. Changing a password will not prevent abuse in most cases, since the abuse would often be immediately noticeable. However, if someone may have had access to the password through some means, such as sharing a computer or breaching a different site, changing the password limits the window for abuse.


Number of users per password

Single passwords are also much less convenient to change because many people need to be told at the same time, and they make removal of a particular user's access more difficult, as for instance on graduation or resignation. Separate logins are also often used for accountability, for example to know who changed a piece of data.


Password security architecture

Common techniques used to improve the security of computer systems protected by a password include: * Not displaying the password on the display screen as it is being entered or obscuring it as it is typed by using asterisks (*) or bullets (•). * Allowing passwords of adequate length. (Some
legacy In law, a legacy is something held and transferred to someone as their inheritance Inheritance is the practice of passing on private property, Title (property), titles, debts, entitlements, Privilege (law), privileges, rights, and Law of obligat ...
operating systems, including early versions of Unix and Windows, limited passwords to an 8 character maximum,"Ten Windows Password Myths"
: "NT dialog boxes ... limited passwords to a maximum of 14 characters"
reducing security.) * Requiring users to re-enter their password after a period of inactivity (a semi log-off policy). * Enforcing a
password policy A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong password A password, sometimes called a passcode, is a memorized secret, typically a string of characters, usually used to confirm a ...
to increase
password strength Password strength is a measure of the effectiveness of a password A password, sometimes called a passcode, is a memorized secret, typically a string of characters, usually used to confirm a user's identity. Using the terminology of the NIST D ...
and security. ** Assigning randomly chosen passwords. ** Requiring minimum password lengths. ** Some systems require characters from various character classes in a password—for example, "must have at least one uppercase and at least one lowercase letter". However, all-lowercase passwords are more secure per keystroke than mixed capitalization passwords. ** Employ a password blacklist to block the use of weak, easily guessed passwords ** Providing an alternative to keyboard entry (e.g., spoken passwords, or
biometric Biometrics are body measurements and calculations related to human characteristics. Biometrics authentication Authentication (from ''authentikos'', "real, genuine", from αὐθέντης ''authentes'', "author") is the act of proving an ...

biometric
identifiers). ** Requiring more than one authentication system, such as two-factor authentication (something a user has and something the user knows). * Using encrypted tunnels or
password-authenticated key agreementIn cryptography Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or ''-logy, -logia'', "study", respectively), is the practice and study of techniques for secure communication in th ...
to prevent access to transmitted passwords via network attacks * Limiting the number of allowed failures within a given time period (to prevent repeated password guessing). After the limit is reached, further attempts will fail (including correct password attempts) until the beginning of the next time period. However, this is vulnerable to a form of
denial of service attack In computing Computing is any goal-oriented activity requiring, benefiting from, or creating computing machinery. It includes the study and experimentation of algorithmic processes and development of both computer hardware , hardware and soft ...

denial of service attack
. * Introducing a delay between password submission attempts to slow down automated password guessing programs. Some of the more stringent policy enforcement measures can pose a risk of alienating users, possibly decreasing security as a result.


Password reuse

It is common practice amongst computer users to reuse the same password on multiple sites. This presents a substantial security risk, because an
attacker In some team sport A team is a usernames,_and_by_websites_requiring_email_logins,_as_it_makes_it_easier_for_an_attacker_to_track_a_single_user_across_multiple_sites._Password_reuse_can_be_avoided_or_minimised_by_using_ usernames,_and_by_websites_requiring_email_logins,_as_it_makes_it_easier_for_an_attacker_to_track_a_single_user_across_multiple_sites._Password_reuse_can_be_avoided_or_minimised_by_using_Mnemonic">mnemonic_techniques,_#Writing_down_passwords_on_paper.html" ;"title="Mnemonic.html" ;"title="User_(computing).html" ;"title="roup (disambiguation), group of individuals (human or non-human) working together to achieve their goal. As defined by Professor Leigh Thompson (academic), Leigh Thompson of the Kellogg School of Management, ...
needs to only compromise a single site in order to gain access to other sites the victim uses. This problem is exacerbated by also reusing User (computing)">usernames, and by websites requiring email logins, as it makes it easier for an attacker to track a single user across multiple sites. Password reuse can be avoided or minimised by using Mnemonic">mnemonic techniques, #Writing down passwords on paper">writing passwords down on paper, or using a
password manager A password manager is a computer program that allows users to store, generate, and manage their password A password, sometimes called a passcode, is a memorized secret, typically a string of characters, usually used to confirm a user's identity ...
. It has been argued by Redmond researchers Dinei Florencio and Cormac Herley, together with Paul C. van Oorschot of Carleton University, Canada, that password reuse is inevitable, and that users should reuse passwords for low-security websites (which contain little personal data and no financial information, for example) and instead focus their efforts on remembering long, complex passwords for a few important accounts, such as bank accounts. Similar arguments were made by Forbes in not change passwords as often as many "experts" advise, due to the same limitations in human memory.


Writing down passwords on paper

Historically, many security experts asked people to memorize their passwords: "Never write down a password". More recently, many security experts such as
Bruce Schneier Bruce Schneier (; born January 15, 1963) is an American cryptographer, computer security professional, privacy specialist, and writer. Schneier is a Lecturer in Public Policy at the Harvard Kennedy School and a Fellow at the Berkman-Klein Cente ...
recommend that people use passwords that are too complicated to memorize, write them down on paper, and keep them in a wallet."Ten Windows Password Myths"
: Myth #7. You Should Never Write Down Your Password
Password manager A password manager is a computer program that allows users to store, generate, and manage their password A password, sometimes called a passcode, is a memorized secret, typically a string of characters, usually used to confirm a user's identity ...
software can also store passwords relatively safely, in an encrypted file sealed with a single master password.


After death

According to a survey by the
University of London The University of London (UoL; abbreviated as Lond or more rarely Londin in post-nominals Post-nominal letters, also called post-nominal initials, post-nominal titles, designatory letters or simply post-nominals, are letters placed after a p ...
, one in ten people are now leaving their passwords in their wills to pass on this important information when they die. One-third of people, according to the poll, agree that their password-protected data is important enough to pass on in their will.


Multi-factor authentication

Multi-factor authentication schemes combine passwords (as "knowledge factors") with one or more other means of authentication, to make authentication more secure and less vulnerable to compromised passwords. For example, a simple two-factor login might send a text message, e-mail, automated phone call, or similar alert whenever a login attempt is made, possibly supplying a code that must be entered in addition to a password. More sophisticated factors include such things as hardware tokens and biometric security.


Password rules

Most organizations specify a
password policy A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong password A password, sometimes called a passcode, is a memorized secret, typically a string of characters, usually used to confirm a ...
that sets requirements for the composition and usage of passwords, typically dictating minimum length, required categories (e.g., upper and lower case, numbers, and special characters), prohibited elements (e.g., use of one's own name, date of birth, address, telephone number). Some governments have national authentication frameworks that define requirements for user authentication to government services, including requirements for passwords. Many websites enforce standard rules such as minimum and maximum length, but also frequently include composition rules such as featuring at least one capital letter and at least one number/symbol. These latter, more specific rules were largely based on a 2003 report by the
National Institute of Standards and Technology The National Institute of Standards and Technology (NIST) is a physical sciences Physical science is a branch of natural science that studies abiotic component, non-living systems, in contrast to life science. It in turn has many branches, e ...
(NIST), authored by Bill Burr.Hate silly password rules? So does the guy who created them
''ZDNet''
It originally proposed the practice of using numbers, obscure characters and capital letters and updating regularly. In a 2017 ''
Wall Street Journal ''The Wall Street Journal'', also known as ''The Journal'', is an American business-focused, English-language international daily newspaper A newspaper is a periodical Periodical literature (also called a periodical publication or simpl ...

Wall Street Journal
'' article, Burr reported he regrets these proposals and made a mistake when he recommended them. According to a 2017 rewrite of this NIST report, many websites have rules that actually have the opposite effect on the security of their users. This includes complex composition rules as well as forced password changes after certain periods of time. While these rules have long been widespread, they have also long been seen as annoying and ineffective by both users and cyber-security experts.Experts Say We Can Finally Ditch Those Stupid Password Rules
''Fortune''
The NIST recommends people use longer phrases as passwords (and advises websites to raise the maximum password length) instead of hard-to-remember passwords with "illusory complexity" such as "pA55w+rd". A user prevented from using the password "password" may simply choose "Password1" if required to include a number and uppercase letter. Combined with forced periodic password changes, this can lead to passwords that are difficult to remember but easy to crack. Paul Grassi, one of the 2017 NIST report's authors, further elaborated: "Everyone knows that an exclamation point is a 1, or an I, or the last character of a password. $ is an S or a 5. If we use these well-known tricks, we aren’t fooling any adversary. We are simply fooling the database that stores passwords into thinking the user did something good." Pieris Tsokkis and Eliana Stavrou were able to identify some bad password construction strategies through their research and development of a password generator tool. They came up with eight categories of password construction strategies based on exposed password lists, password cracking tools, and online reports citing the most used passwords. These categories include user-related information, keyboard combinations and patterns, placement strategy, word processing, substitution, capitalization, append dates, and a combination of the previous categories


Password cracking

Attempting to crack passwords by trying as many possibilities as time and money permit is a
brute force attack Brute or The Brute may refer to: People * Brute, a pseudonym of English commercial artist Aidan Hughes (born 1956) * "Brute", nickname of US Marine Corps Lieutenant General Victor H. Krulak (1913–2008) * Brute Bernard, ring name of Canadian ...
. A related method, rather more efficient in most cases, is a
dictionary attack In cryptanalysis and computer security, a dictionary attack is a form of Brute-force attack, brute force attack technique for defeating a cipher or Authentication protocol, authentication mechanism by trying to determine its decryption key or pass ...
. In a dictionary attack, all words in one or more dictionaries are tested. Lists of common passwords are also typically tested.
Password strength Password strength is a measure of the effectiveness of a password A password, sometimes called a passcode, is a memorized secret, typically a string of characters, usually used to confirm a user's identity. Using the terminology of the NIST D ...
is the likelihood that a password cannot be guessed or discovered, and varies with the attack algorithm used. Cryptologists and computer scientists often refer to the strength or 'hardness' in terms of
entropy Entropy is a scientific concept as well as a measurable physical property that is most commonly associated with a state of disorder, randomness, or uncertainty. The term and the concept are used in diverse fields, from classical thermodynamic ...
. Passwords easily discovered are termed ''weak'' or ''vulnerable''; passwords very difficult or impossible to discover are considered ''strong''. There are several programs available for password attack (or even auditing and recovery by systems personnel) such as
L0phtCrack L0phtCrack is a password A password, sometimes called a passcode (for example in Apple An apple is an edible fruit produced by an apple tree (''Malus domestica''). Apple fruit tree, trees are agriculture, cultivated worldwide and are th ...
,
John the Ripper John the Ripper is a free password cracking In cryptanalysis cipher machine Cryptanalysis (from the Greek language, Greek ''kryptós'', "hidden", and ''analýein'', "to analyze") is the study of analyzing information system An information s ...
, and
Cain Cain ''Káïn''; ar, قابيل/قايين, Qābīl/Qāyīn is a Biblical figure in the Book of Genesis within Abrahamic religions. He is the elder brother of Abel, and the firstborn son of Adam and Eve, the First man or woman, first couple with ...
; some of which use password design vulnerabilities (as found in the Microsoft LANManager system) to increase efficiency. These programs are sometimes used by system administrators to detect weak passwords proposed by users. Studies of production computer systems have consistently shown that a large fraction of all user-chosen passwords are readily guessed automatically. For example, Columbia University found 22% of user passwords could be recovered with little effort. According to
Bruce Schneier Bruce Schneier (; born January 15, 1963) is an American cryptographer, computer security professional, privacy specialist, and writer. Schneier is a Lecturer in Public Policy at the Harvard Kennedy School and a Fellow at the Berkman-Klein Cente ...
, examining data from a 2006 phishing attack, 55% of MySpace passwords would be crackable in 8 hours using a commercially available Password Recovery Toolkit capable of testing 200,000 passwords per second in 2006. He also reported that the single most common password was ''password1'', confirming yet again the general lack of informed care in choosing passwords among users. (He nevertheless maintained, based on these data, that the general quality of passwords has improved over the years—for example, average length was up to eight characters from under seven in previous surveys, and less than 4% were dictionary words.)


Incidents

* On July 16, 1998, CERT Coordination Center, CERT reported an incident where an attacker had found 186,126 encrypted passwords. At the time the attacker was discovered, 47,642 passwords had already been cracked. * In September, 2001, after the deaths of 960 New York employees in the September 11 attacks, financial services firm Cantor Fitzgerald through Microsoft broke the passwords of deceased employees to gain access to files needed for servicing client accounts. Technicians used brute-force attacks, and interviewers contacted families to gather personalized information that might reduce the search time for weaker passwords. * In December 2009, a major password breach of the RockYou, Rockyou.com website occurred that led to the release of 32 million passwords. The hacker then leaked the full list of the 32 million passwords (with no other identifiable information) to the Internet. Passwords were stored in cleartext in the database and were extracted through a SQL injection vulnerability. The Imperva Application Defense Center (ADC) did an analysis on the strength of the passwords. * In June 2011, NATO (North Atlantic Treaty Organization) experienced a security breach that led to the public release of first and last names, usernames, and passwords for more than 11,000 registered users of their e-bookshop. The data was leaked as part of Operation AntiSec, a movement that includes Anonymous (group), Anonymous, LulzSec, as well as other hacking groups and individuals. The aim of AntiSec is to expose personal, sensitive, and restricted information to the world, using any means necessary. * On July 11, 2011, Booz Allen Hamilton, a consulting firm that does work for the Pentagon, had their servers hacked by Anonymous (group), Anonymous and leaked the same day. "The leak, dubbed 'Military Meltdown Monday,' includes 90,000 logins of military personnel—including personnel from United States Central Command, USCENTCOM, United States Special Operations Command, SOCOM, the United States Marine Corps, Marine corps, various United States Air Force, Air Force facilities, Homeland Security, United States State Department, State Department staff, and what looks like private sector contractors." These leaked passwords wound up being hashed in SHA1, and were later decrypted and analyzed by the ADC team at Imperva, revealing that even military personnel look for shortcuts and ways around the password requirements.


Alternatives to passwords for authentication

The numerous ways in which permanent or semi-permanent passwords can be compromised has prompted the development of other techniques. Unfortunately, some are inadequate in practice, and in any case few have become universally available for users seeking a more secure alternative. A 2012 paper examines why passwords have proved so hard to supplant (despite numerous predictions that they would soon be a thing of the past); in examining thirty representative proposed replacements with respect to security, usability and deployability they conclude "none even retains the full set of benefits that legacy passwords already provide." * One-time password, Single-use passwords. Having passwords that are only valid once makes many potential attacks ineffective. Most users find single-use passwords extremely inconvenient. They have, however, been widely implemented in personal online banking, where they are known as TAN (banking), Transaction Authentication Numbers (TANs). As most home users only perform a small number of transactions each week, the single-use issue has not led to intolerable customer dissatisfaction in this case. * Time-synchronized one-time passwords are similar in some ways to single-use passwords, but the value to be entered is displayed on a small (generally pocketable) item and changes every minute or so. * PassWindow one-time passwords are used as single-use passwords, but the dynamic characters to be entered are visible only when a user superimposes a unique printed visual key over a server-generated challenge image shown on the user's screen. * Access controls based on public-key cryptography e.g. Secure Shell, ssh. The necessary keys are usually too large to memorize (but see proposal Passmaze) and must be stored on a local computer, security token or portable memory device, such as a USB flash drive or even floppy disk. The private key may be stored on a cloud service provider, and activated by the use of a password or two-factor authentication. * Biometric methods promise authentication based on unalterable personal characteristics, but currently (2008) have high error rates and require additional hardware to scan, for example, fingerprints, iris (anatomy), irises, etc. They have proven easy to spoof in some famous incidents testing commercially available systems, for example, the gummie fingerprint spoof demonstration, and, because these characteristics are unalterable, they cannot be changed if compromised; this is a highly important consideration in access control as a compromised access token is necessarily insecure. * Single sign-on technology is claimed to eliminate the need for having multiple passwords. Such schemes do not relieve users and administrators from choosing reasonable single passwords, nor system designers or administrators from ensuring that private access control information passed among systems enabling single sign-on is secure against attack. As yet, no satisfactory standard has been developed. * Envaulting technology is a password-free way to secure data on removable storage devices such as USB flash drives. Instead of user passwords, access control is based on the user's access to a network resource. * Non-text-based passwords, such as graphical passwords or mouse-movement based passwords. Graphical passwords are an alternative means of authentication for log-in intended to be used in place of conventional password; they use images, graphics or colours instead of Letter (alphabet), letters, numerical digit, digits or special characters. One system requires users to select a series of faces as a password, utilizing the human brain's ability to face perception, recall faces easily. In some implementations the user is required to pick from a series of images in the correct sequence in order to gain access. Another graphical password solution creates a one-time password using a randomly generated grid of images. Each time the user is required to authenticate, they look for the images that fit their pre-chosen categories and enter the randomly generated alphanumeric character that appears in the image to form the one-time password. So far, graphical passwords are promising, but are not widely used. Studies on this subject have been made to determine its usability in the real world. While some believe that graphical passwords would be harder to Password cracking, crack, others suggest that people will be just as likely to pick common images or sequences as they are to pick common passwords. * 2D Key (2-Dimensional Key) is a 2D matrix-like key input method having the key styles of multiline passphrase, crossword, ASCII/Unicode art, with optional textual semantic noises, to create big password/key beyond 128 bits to realize the MePKC (Memorizable Public-Key Cryptography) using fully memorizable private key upon the current private key management technologies like encrypted private key, split private key, and roaming private key. * Cognitive passwords use question and answer cue/response pairs to verify identity.


"The password is dead"

That "the password is dead" is a recurring idea in
computer security Computer security, cybersecurity, or information technology security (IT security) is the protection of computer system A computer is a machine that can be programmed to carry out Sequence, sequences of arithmetic or logical operations ...
. The reasons given often include reference to the usability as well as security problems of passwords. It often accompanies arguments that the replacement of passwords by a more secure means of authentication is both necessary and imminent. This claim has been made by numerous people at least since 2004. Alternatives to passwords include biometrics, two-factor authentication or
single sign-on Single may refer to: Arts, entertainment, and media * Single (music), a song release Songs * Single (Natasha Bedingfield song), "Single" (Natasha Bedingfield song), 2004 * Single (New Kids on the Block and Ne-Yo song), "Single" (New Kids on the B ...
, Microsoft's Cardspace, the Higgins project, the Liberty Alliance, NSTIC, the FIDO Alliance and various Identity 2.0 proposals. However, in spite of these predictions and efforts to replace them passwords are still the dominant form of authentication on the web. In "The Persistence of Passwords," Cormac Herley and Paul van Oorschot suggest that every effort should be made to end the "spectacularly incorrect assumption" that passwords are dead. They argue that "no other single technology matches their combination of cost, immediacy and convenience" and that "passwords are themselves the best fit for many of the scenarios in which they are currently used." Following this, Bonneau et al. systematically compared web passwords to 35 competing authentication schemes in terms of their usability, deployability, and security. Their analysis shows that most schemes do better than passwords on security, some schemes do better and some worse with respect to usability, while ''every'' scheme does worse than passwords on deployability. The authors conclude with the following observation: "Marginal gains are often not sufficient to reach the activation energy necessary to overcome significant transition costs, which may provide the best explanation of why we are likely to live considerably longer before seeing the funeral procession for passwords arrive at the cemetery."


See also

* Access code (disambiguation) * Authentication * CAPTCHA * Cognitive science * Diceware * Kerberos (protocol) * Keyfile * Passphrase * Secure Password Sharing *
Password cracking In cryptanalysis cipher machine Cryptanalysis (from the Greek language, Greek ''kryptós'', "hidden", and ''analýein'', "to analyze") refers to the process of analyzing information system An information system (IS) is a formal, sociotechnica ...
* Password fatigue * Password length parameter *
Password manager A password manager is a computer program that allows users to store, generate, and manage their password A password, sometimes called a passcode, is a memorized secret, typically a string of characters, usually used to confirm a user's identity ...
* Password notification e-mail * Password policy * Password psychology *
Password strength Password strength is a measure of the effectiveness of a password A password, sometimes called a passcode, is a memorized secret, typically a string of characters, usually used to confirm a user's identity. Using the terminology of the NIST D ...
* Password synchronization * Password-authenticated key agreement * Pre-shared key * Random password generator * Rainbow table * Self-service password reset * Usability of web authentication systems


References


External links


Graphical Passwords: A Survey

Large list of commonly used passwords





The international passwords conference

Procedural Advice for Organisations and Administrators
(PDF)
Centre for Security, Communications and Network Research
University of Plymouth (PDF)

for the U.S. federal government
Memorable and secure password generator
{{Authority control Password authentication Identity documents Security