
A common means of validating the authenticity of a user (any entity, human or otherwise) within a system by having it supply a piece of information (the password) as credentials. This implies that the user is authentic in that only it (or possibly a group of such users) should have knowledge of the password.
Examples include logons to computer systems such as [e-mail] servers; a spy proving his identity with a code word; or using a keypad to unlock a secured door.
Despite the name there is no need (unless a particular system requires it) for passwords to be real words; indeed they are frequently stronger if they are not.
A passcode would imply that the information used is purely numeric, such as the PIN used for ATM access.
Note that password is often used to describe what would more accurately be called a pass phrase.

The security of a password protected system against illegitimate entry depends on several factors, but they all relate to keeping the password completely secret.

  • How often the password can be used to validate the user. If it can be used only once then many potential security exploits are rendered ineffective.
  • The underlying medium / method of passing the password from the user to the authenticator.
    • See cryptography for ways in which the passing of information can be made more secure.
    • snooper describes the type of attack which would attempt to exploit vulnerabilities at this point.
  • What procedures the system provides for changing a compromised password.
    • This would include pro-active measures such as automatic expiry of passwords, in case a password is compromised without the user of the system being aware of it.
  • How easily the password can be guessed / discovered by an attacker.
    • Often the password must be entered by a human user, so to allow easy recall a 'meaningful' value is frequently chosen. Their year of birth, their spouse's, child's or pet's name, or their telephone number are all obvious choices to the user and attacker alike.
    • Conversely, if the user selects a less obvious password then, to assist in remembering it, they may write it down somewhere (a Post-it note on their monitor being a strangely popular choice), thus compromising the security of the system.
    • The process of obtaining passwords by manipulation of people is an example of social engineering.
  • Whether or not the authenticator actually knows the plain password itself.
    • If the authenticator stores the password in an encrypted form then access to the password is more secure whilst validation remains possible, thanks again to cryptography.
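The last point above, an authenticator that validates a password without holding the plain password, is usually implemented today with a salted, iterated one-way hash rather than reversible encryption. The following is an added example (not code from the original page or any particular system) showing what such an authenticator stores and how it checks a login attempt. The iteration count and record layout are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example only; a real deployment picks its own.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def make_record(password: str, iterations: int = PBKDF2_ITERATIONS,
                salt: Optional[bytes] = None) -> str:
    """Derive a salted, iterated hash and return the string the authenticator stores.

    The record holds the algorithm name, iteration count, salt and derived key.
    The plain password never appears in it, so a copy of the record alone does
    not let anyone log in; an attacker would still have to guess the password.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per record
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${derived.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-derive the key from the candidate password and compare it in constant time."""
    try:
        algorithm, iterations, salt_hex, derived_hex = record.split("$")
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(candidate, bytes.fromhex(derived_hex))


if __name__ == "__main__":
    stored = make_record("correct horse battery")   # constructed sample password
    print("stored record:", stored)
    print("right password accepted:", verify("correct horse battery", stored))
    print("wrong password accepted:", verify("wrong horse", stored))
```

Because each record carries its own random salt, two users who choose the same password get different records, and a precomputed table of hashes for common passwords cannot be reused across accounts; the iteration count makes each guess cost the attacker as much work as it costs the authenticator.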

Despite encryption procedures providing increased security, tools exist to break them. These dictionary attack tools demonstrate the relative strengths of different password choices. In such a brute force attack all, or a sizable subset of all, of the possible passwords are checked. A weak password would be one that is short or which could be rapidly guessed by searching a subset such as words in the dictionary, proper names or common variations on these themes. A strong password would be sufficiently long, random or meaningful only to the user who chose it that guessing it would require trying all possible values; no benefit would be gained from the directed approach that succeeds on weak passwords.
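The distinction between a weak and a strong password in the paragraph above can be made concrete by a checker that applies the same reasoning a dictionary attack relies on: undo the common variations (capitalisation, letter-for-digit substitutions, an appended year) and see whether a dictionary word is left, and otherwise estimate how large an undirected search would have to be. This is an added example for a password-policy check, not code from the original page; the word list, substitution table and thresholds are constructed for illustration.

```python
import math
import re

# Constructed mini word list standing in for a real dictionary of words and names.
DICTIONARY = {"password", "letmein", "dragon", "welcome", "summer", "london", "fluffy"}

# Common letter-for-symbol substitutions that a directed search undoes.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(candidate: str) -> str:
    """Strip the usual decorations: case, a trailing year/digits/punctuation, leet spelling."""
    lowered = candidate.lower()
    stripped = re.sub(r"[\d!?.]+$", "", lowered)   # 'summer2001!' -> 'summer'
    return stripped.translate(LEET_MAP)             # 'p@ssw0rd'    -> 'password'


def dictionary_hit(candidate: str) -> bool:
    """True if the password is a dictionary word or a common variation on one."""
    return candidate.lower() in DICTIONARY or normalise(candidate) in DICTIONARY


def charset_size(candidate: str) -> int:
    """Size of the smallest obvious alphabet the password is drawn from."""
    size = 0
    if re.search(r"[a-z]", candidate):
        size += 26
    if re.search(r"[A-Z]", candidate):
        size += 26
    if re.search(r"\d", candidate):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", candidate):
        size += 33  # printable ASCII punctuation
    return size


def brute_force_bits(candidate: str) -> float:
    """log2 of the number of candidates an undirected brute-force search must cover."""
    size = charset_size(candidate)
    if size == 0:
        return 0.0
    return len(candidate) * math.log2(size)


def classify(candidate: str, min_length: int = 8, min_bits: float = 50.0) -> str:
    """'weak' if short, dictionary-derived, or from too small a search space; else 'strong'."""
    if len(candidate) < min_length:
        return "weak"
    if dictionary_hit(candidate):
        return "weak"          # a directed search finds it long before exhaustion
    if brute_force_bits(candidate) < min_bits:
        return "weak"          # even an undirected search is cheap
    return "strong"


if __name__ == "__main__":
    for sample in ("dragon", "Summer2001!", "P@ssw0rd", "aaaaaaaa", "xkq9Wv!2Lm7p"):
        print(f"{sample!r:16} {classify(sample):6} {brute_force_bits(sample):5.1f} bits")
```

The bit estimate is an upper bound on the attacker's work: it only applies once the directed checks fail, which is exactly the point of the paragraph above, since "Summer2001!" has a large nominal search space yet falls to the dictionary step at once.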

If even the possibility exists that the password is known to anyone other than those with legitimate access, it should be considered compromised. This means that purely password based systems have many potential security flaws and exploits. Therefore many modern systems include additional checks using systems based on biometric technology or the use of smart cards.

A well known example of a dictionary attack tool is L0phtCrack.