Passwords


Note: Many topics at this site are reduced versions of the text in "The Encyclopedia of Networking and Telecommunications." Search results will not be as extensive as a search of the book's CD-ROM.

A password is a secret code that a user must present to log on to, or otherwise access, a secured system. It is used together with an account name: the name states who the user claims to be, and the password is the evidence for that claim. Normally, a password is assigned to a user account in advance by a network administrator or generated automatically by a security system, and the user is then allowed (or required) to change it the first time they log on.

User accounts, account names, and passwords are part of AAA (authentication, authorization, and accounting) schemes. Authentication is the act of verifying the identity of a user attempting to log on; a password is one kind of authentication credential. Once authenticated, users are allowed to access network resources based on previously assigned authorizations. Accounting is the act of collecting information about resource usage for auditing and billing purposes.

Microsoft Windows desktop systems prompt the user for a logon name and password at startup. Many people bypass this prompt, but it matters if you log on to secured systems on local or remote networks, because the logon account is what Windows uses to protect the passwords it saves on your behalf. The option "remember this password," offered when connecting to servers and sites, stores the password under the logged-on user's profile so that it need not be typed again. If no one enters a logon name and password when Windows starts, this feature is disabled, since Windows does not know who is using the system. Saved passwords are only as safe as the logon password that protects them and the machine on which they are stored.

Obviously, passwords must be kept secret. They should never be written down where others can find them, and never shared. Real words should be avoided, since they are susceptible to dictionary attacks. In a dictionary attack, an attacker uses an automated program to try every word in a dictionary, plus slang, names, abbreviations, and previously leaked passwords, against a captured password hash or a logon prompt. Cracking tools also apply "mangling rules" to each word (capitalizing it, appending a digit or a year, swapping letters for look-alike symbols), so a password such as "Summer2001" or "P@ssword" is little safer than the word it came from.

A random password such as "Qp&yTxT8e3" resists dictionary attacks, but it is also extremely difficult to remember, which tempts users to write it down. A more practical method is to choose a phrase and use the first letter of each word as the password. For example, the password "Mbiot4oJ" is derived from "My birthday is on the 4th of July." The mix of uppercase and lowercase letters and numbers, and the fact that the result is not a word, keep it out of any word list. The phrase itself must not be something an attacker could guess about you (the example illustrates the method; do not build a password from your real birthday), and a longer phrase yields a longer and stronger password.
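The following is an added example, not part of the original entry, showing why a mangled dictionary word falls to a dictionary attack while an acronym-derived password does not. The user database, the five-word list and the suffix rules are constructed for the demonstration; salted SHA-256 stands in for whatever hash a real server stores, purely to keep the code short.

```python
"""Added example: a dictionary attack against stored password hashes.

The user database and the word list below are constructed for the demonstration.
Salted SHA-256 keeps the example short; a real system should store passwords with
a deliberately slow KDF (bcrypt, scrypt, Argon2 or PBKDF2), and a real attacker
uses word lists of millions of entries and far more mangling rules.
"""
import hashlib

# Constructed word list: a cracker's list holds dictionary words, names, slang
# and previously leaked passwords; five entries are enough to make the point.
WORDS = ["summer", "password", "dragon", "letmein", "football"]
# Mangling rules: the usual tricks users believe make a word "secure".
SUFFIXES = ["", "1", "123", "!", "2001"]


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted hash as a server might store it (fast hash, for brevity only)."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def candidates(words):
    """Yield each word with the case and suffix mutations a cracking tool tries."""
    for word in words:
        for form in (word, word.capitalize(), word.upper()):
            for suffix in SUFFIXES:
                yield form + suffix


def acronym(phrase: str) -> str:
    """The entry's scheme: first character of each word of a memorable phrase."""
    return "".join(word[0] for word in phrase.split())


def dictionary_attack(stored, words):
    """Try every candidate against every stored hash; return {user: password}."""
    cracked = {}
    for user, (salt, digest) in stored.items():
        for guess in candidates(words):
            if hash_password(guess, salt) == digest:
                cracked[user] = guess
                break
    return cracked


def demo():
    """Constructed accounts: a mangled dictionary word versus an acronym password."""
    # Fixed salts so the run is reproducible; real salts come from os.urandom(16).
    accounts = {
        "alice": ("Password1", b"\x01" * 16),
        "bob": (acronym("My birthday is on the 4th of July"), b"\x02" * 16),
    }
    stored = {u: (salt, hash_password(pw, salt)) for u, (pw, salt) in accounts.items()}
    return dictionary_attack(stored, WORDS), sum(1 for _ in candidates(WORDS))


if __name__ == "__main__":
    cracked, tried = demo()
    print(f"{tried} guesses per account; cracked: {cracked}")
```

Only 75 guesses per account are needed to recover "Password1"; "Mbiot4oJ" is not in the list and would have to be found by exhaustive search of every eight-character string, which is exactly the work a dictionary attack is designed to avoid.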

So-called "Trojan horse" programs are installed by an unscrupulous person to capture passwords as unsuspecting users type them in. The program is often installed when people leave their computers unattended and unlocked. Users should also beware of executable programs sent via e-mail from unknown sources. Someone who runs such an attachment may see a funny or interesting program on the screen, but in the background it may be installing a monitoring utility (a keystroke logger) that sends captured passwords or other information to the attacker by e-mail.

Clear-text passwords should never be sent across communication channels that can be tapped, which includes all networks and the Internet. Anyone with a monitoring tool (packet sniffer) on the path can watch for packets that contain passwords and capture them for later use. Encrypting the connection is a good idea; better still is a challenge-response technique such as CHAP, which never sends the password across the line at all. CHAP requires the user's system to prove that it knows the password by computing a response to a random challenge from the server, so a sniffer captures only the challenge and the response. Two caveats apply: the server must hold the password itself rather than a one-way hash of it, and a captured challenge/response pair can still be attacked offline with a dictionary if the password is weak, so CHAP protects against eavesdropping and replay, not against poor password choice. See "CHAP (Challenge Handshake Authentication Protocol)."
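The exchange described above, as an added example that is not part of the original entry: both sides of a CHAP-style exchange using the RFC 1994 MD5 response computation, a record of what a sniffer on the link would see, and a replay of the captured response. The account name, secret and the "weak" authenticator that reuses its challenge are constructed for the demonstration.

```python
"""Added example: a CHAP-style challenge/response exchange (RFC 1994 arithmetic).

The peer proves it knows the shared secret without sending it. A sniffer on the
link sees only the challenge and the response, and a captured response cannot
be replayed against a fresh challenge. The "weak" authenticator that reuses its
challenge shows why the challenge must be fresh and random every time. Names,
secret and the link capture are constructed for the demonstration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Challenge:
    identifier: int   # one octet, echoed back in the Response packet
    value: bytes      # random challenge value chosen by the authenticator


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 MD5 CHAP: Response-Value = MD5(Identifier || secret || Challenge-Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side. CHAP needs the shared secret itself, not a one-way hash of it."""

    def __init__(self, secrets, fresh_challenges=True):
        self.secrets = secrets
        self.fresh = fresh_challenges
        self.pending = {}
        self.identifier = 0
        self.fixed_value = os.urandom(16)  # used only by the weak variant

    def issue_challenge(self) -> Challenge:
        if self.fresh:
            self.identifier = (self.identifier + 1) % 256
            value = os.urandom(16)
        else:
            value = self.fixed_value  # weak: same identifier and value every time
        self.pending[self.identifier] = value
        return Challenge(self.identifier, value)

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        # A correct authenticator accepts each challenge at most once.
        value = self.pending.pop(identifier, None) if self.fresh else self.pending.get(identifier)
        if value is None or name not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[name], value)
        return hmac.compare_digest(expected, response)


class Peer:
    """Client side: holds the secret and never puts it on the wire."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def respond(self, challenge: Challenge) -> bytes:
        return chap_response(challenge.identifier, self.secret, challenge.value)


def login_then_replay(server: Authenticator, peer: Peer):
    """Run one honest exchange, then replay the captured response.

    Returns (honest_ok, replay_ok, secret_seen_on_wire).
    """
    wire = []  # everything a packet sniffer on the link would capture

    challenge = server.issue_challenge()
    wire.append(challenge.value)
    response = peer.respond(challenge)
    wire.append(response)
    honest_ok = server.verify(challenge.identifier, peer.name, response)

    # An attacker who sniffed `response` tries it against the next challenge.
    next_challenge = server.issue_challenge()
    replay_ok = server.verify(next_challenge.identifier, peer.name, response)

    secret_seen = any(peer.secret in field for field in wire)
    return honest_ok, replay_ok, secret_seen


def demo():
    secret = b"Mbiot4oJ"   # the entry's example password, used here as the CHAP secret
    good = login_then_replay(Authenticator({"alice": secret}), Peer("alice", secret))
    weak = login_then_replay(Authenticator({"alice": secret}, fresh_challenges=False),
                             Peer("alice", secret))
    return good, weak


if __name__ == "__main__":
    good, weak = demo()
    print("fresh challenges: honest=%s replay=%s secret_on_wire=%s" % good)
    print("reused challenge: honest=%s replay=%s secret_on_wire=%s" % weak)
```

With fresh challenges the honest login succeeds, the replay fails and the secret never appears on the wire; with a reused challenge the replay succeeds, which is why RFC 1994 insists the challenge be unpredictable and unique. Note that the sniffer still holds a challenge/response pair, so a weak secret can be guessed offline by computing `chap_response` over a word list.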

So far, the assumption has been that passwords are reusable: the same password is used over and over again. But such a password can be discovered, or captured while in use, and then reused by an unauthorized person at a later time. See "One-Time Password Authentication" and "Token-Based Authentication" for alternative authentication techniques.

RFC 1439 (The Uniqueness of Unique Identifiers, March 1993) provides useful information about identifying unique user names and passwords. RFC 2196 (Site Security Handbook, September 1997) provides information on passwords and authentication techniques.




Copyright (c) 2001 Tom Sheldon and Big Sur Multimedia.
All rights reserved under Pan American and International copyright conventions.