The Problems with Passwords

Written by ArticSoft


Most current password systems for the Internet are flawed. Designs that were almost acceptable 10 or 15 years ago have not been updated. Instead of moving to integrate authentication services under a cryptographically sound approach, the IT industry has continued to proliferate multiple incompatible systems. Users are increasingly exposed by suppliers who feel no pressure to do anything better. There are parallels with the situation where web site page design methods are increasingly being rejected by security software because they represent known security weaknesses that have been exploited by hackers and viruses.


The approach of using a log-on identifier and password goes back to the early days of implementing security on mainframe systems. This kind of security was introduced as soon as it became possible for people outside the computer room to use computer resources. Until then, access was controlled by physical security.

As terminals were rolled out into user areas, the ID/password concept was rolled out with them. Initially these were held in a file that was not protected, but after some splendid security breaches, on Unix systems in particular, these files were encrypted to make an attacker work harder to get anywhere.

Passwords were short (6 characters). They were short because the ID would be disabled if the password was entered incorrectly three times. They were also short so that you didn't have much to type and would likely get it right, and because it gave you less to remember.

Initial design considerations

Experience with short passwords soon threw up a series of flaws in how users chose them. In no particular order these included:

using a 'standard' word such as boss, master, doall or passwd; using a dictionary word or the name of the business; using repeating letters or numerals (AAAAAA, 111111 and so on).

Six characters were also found to be just about short enough for someone to watch and remember whilst the user typed them in.

To counter users' attempts to make their lives easier, systems were invented that changed passwords on a regular basis (say monthly, and even daily for critical passwords), compelled the new password to be different, and checked it against a list of previously used passwords. More sophisticated systems enforced rules requiring passwords to be structured from letters and digits in non-repeating patterns.
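As an added example, not part of the original article, the following Python check applies the rules these paragraphs describe (the 'standard' words, dictionary words and business name, repeated characters, the letters-and-digits rule, and the history of previous passwords). The word lists and the minimum length are constructed stand-ins for a site's own policy.

```python
import re

# Constructed word lists standing in for a site's own; the 'standard' words are
# the ones the article names.
STANDARD_WORDS = {"boss", "master", "doall", "passwd"}
DICTIONARY_WORDS = {"sunset", "orange", "welcome", "monkey"}
BUSINESS_NAMES = {"articsoft"}


def check_password(candidate: str, history: list[str], min_len: int = 8) -> list[str]:
    """Return the rules the candidate breaks; an empty list means it is acceptable.

    `history` holds the user's previously used passwords.  It is plaintext here
    only to keep the demo short; a real system compares against stored hashes.
    """
    problems = []
    lowered = candidate.lower()
    if len(candidate) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if lowered in STANDARD_WORDS:
        problems.append("is a 'standard' word")
    if lowered in DICTIONARY_WORDS or lowered in BUSINESS_NAMES:
        problems.append("is a dictionary word or the business name")
    # One character repeated for the whole length (AAAAAA, 111111).
    if re.fullmatch(r"(.)\1*", candidate):
        problems.append("is a single repeated character")
    # The 'structured from letters and digits' rule of the more sophisticated systems.
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"[0-9]", candidate)):
        problems.append("must mix letters and digits")
    # The 'non-repeating patterns' rule: no character three or more times in a row.
    if re.search(r"(.)\1\1", candidate):
        problems.append("repeats one character three or more times in a row")
    if candidate in history:
        problems.append("was used previously")
    return problems
```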

These approaches more or less forced users to break other security rules and write down their passwords – particularly if they had several to 'remember'. (I recall a 'classic' case where a user was expected to remember more than 20 passwords, some of which were the only way to access encrypted documents. Naturally they did not listen to the ideas of regular change and remembering everything.)

The security people continued to ignore the problems faced by human users. ID/password systems were not integrated, following the argument that a compromise of one system must not compromise all systems. (This was then ignored in the attempts to find a system that would securely connect a user to all their applications with just one password.) Application designers have continued to implement their own ideas about user identification - or none at all, on the assumption that magic would somehow occur outside their control.

There therefore continues to be a central dichotomy between those who want short passwords that are forever changing and those who want one password that a user can remember; but such a password cannot be short, and it must be memorable.

Technical design problems

Early password systems restricted user choice to upper case letters and numerals, thus giving the attacker a much reduced attack space (the permutations and combinations of valid input data). Later systems allowed upper and lower case, and this improved things a bit in terms of the number of attempts the attacker had to make before finding the password by 'brute force' (though still not all eight bits of each byte, since not everything is on the keyboard).

Later systems converted the password into a 'hash', or one-way encrypted field, so that it could not readily be reverse engineered by an attacker. Unfortunately the hashing systems were not necessarily very effective, and even when they were, the amount of space they give you is not that large, and the attacker can choose any password that gives them a valid hash, not just the one the user selected. Please note that when passwords are used on their own (that is, without a separate identity field), the attack space is reduced by the number of passwords that have actually been issued, since for the attacker any valid password is good enough.

Even later, some subtle systems combined the user ID and the password into a single hash. This created the potential for more space, although the length of both parts and the way they were combined was critical to the quality of the result.
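As an added example (not from the article), this Python demo measures the effect the last two paragraphs describe: when the password is hashed on its own, one guess can be compared against every stored hash at once, whereas binding the user ID into the hash forces the same work to be repeated for every account. The account names, passwords and guess list are constructed sample data, and SHA-256 stands in for whatever hash a real system would use.

```python
import hashlib

# Constructed sample accounts; alice and carol share a password.
ACCOUNTS = {"alice": "master", "bob": "sunset7", "carol": "master", "dave": "Qv9#xL2m"}
# Constructed guess list standing in for a word list an attacker might try.
GUESSES = ["boss", "master", "passwd", "sunset7", "doall"]

def hash_plain(password: str) -> str:
    """Hash the password on its own, as the early systems described above did."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_with_id(user_id: str, password: str) -> str:
    """Bind the identifier into the hash; the NUL separator keeps ('ab', 'c') distinct
    from ('a', 'bc').  SHA-256 is for illustration only: use bcrypt, scrypt or Argon2."""
    return hashlib.sha256(f"{user_id}\x00{password}".encode()).hexdigest()

def work_plain(stored: dict) -> tuple:
    """(hashes computed, accounts matched) when the hash depends only on the password:
    each guess is hashed once and checked against every stored hash at the same time."""
    by_hash = {}
    for user, digest in stored.items():
        by_hash.setdefault(digest, []).append(user)
    computed, matched = 0, 0
    for guess in GUESSES:
        computed += 1
        matched += len(by_hash.get(hash_plain(guess), []))
    return computed, matched

def work_with_id(stored: dict) -> tuple:
    """Same count when the ID is bound in: every guess is recomputed per account."""
    computed, matched = 0, 0
    for user, digest in stored.items():
        for guess in GUESSES:
            computed += 1
            if hash_with_id(user, guess) == digest:
                matched += 1
    return computed, matched

def compare() -> dict:
    """Store the sample accounts both ways and measure the work each design forces."""
    plain = {u: hash_plain(p) for u, p in ACCOUNTS.items()}
    bound = {u: hash_with_id(u, p) for u, p in ACCOUNTS.items()}
    return {
        "plain": work_plain(plain),
        "with_id": work_with_id(bound),
        # Is alice and carol's shared password visible from the stored hashes alone?
        "shared_password_visible": (plain["alice"] == plain["carol"],
                                    bound["alice"] == bound["carol"]),
    }
```

With four accounts the bound-in design costs four times as many hash computations for the same three matches, and it also hides the fact that two users chose the same password.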

Your Computer Can't Keep Time

Written by Stephen Bucaro



A computer needs a certain amount of information to operate; for example, the date and time, the amount of memory installed, the number of drives and their configuration, and so on. In the early days of computers, either the user typed in this information each time the computer started, or it was set using DIP switches and jumpers. Today, computers store this information in a CMOS chip that uses a small battery to retain the information when the computer is shut off.

CMOS (complementary metal oxide semiconductor) is a type of chip that consumes very little power; therefore, while the computer is turned off, the battery discharges very slowly. But the battery will totally discharge if you leave your computer turned off for a year or so. Even if you turn your computer on every day, the battery is designed to last only a couple of years. Occasionally a battery will fail prematurely.

Today's plug-and-play computers can detect most of the necessary settings, but if your CMOS battery is dead, your computer will not be able to retain the date and time. The computer will also lose any custom settings, for example, the boot sequence. If you set a password in CMOS, you may be locked out of the computer. If the CMOS battery does fail, you might receive the message "System Configuration Lost" when you start the computer. It would be wise to record all the CMOS settings as a precaution.

To record the CMOS settings, watch for an on-screen prompt when you first start your computer. The prompt tells you to press a key, usually Del or F2, to enter CMOS setup. To enter the CMOS configuration utility, you have to press the indicated key while the message is on the screen. After the CMOS configuration screen appears, follow the instructions provided to page through all the screens and record all the settings.

Continued on page 2. © 2005