This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
[{$pagename}]
[Password Authentication], [PIN]-based and other [Knowledge Factor] [authentication] methods have numerous deficiencies. Unfortunately, many security systems are designed such that [Authentication] relies entirely on a [Knowledge Factor].
Many "Security Experts" point out that weak [passwords] are the most common cause of system [Exploits].
Almost everyone agrees that [{$pagename}]. The sheer number of [Password] [Attacks] in recent years shows that, at the very least, the current approach is not working. Perhaps it is an implementation issue, perhaps it is the conflict between [usability] and [Password-composition Policy|Password Modification Policy], or perhaps [heuristic Attacks] have simply gotten better.
!! A little about [Passwords]
The [password], then, functions like the key to a lock: [anyone who has it can get in|Bearer]. This makes the password the __weak__ link in a company's network security plan, because [passwords] can be "cracked", [guessed|Brute-Force], stolen or deliberately shared.
The "Security Experts" then put the burden on the [user], saying: "It is important for individual users to safeguard their passwords ([Best Practices Password]) and for each [Organizational Entity] to develop a [Password Policy] that mandates that such practices be followed."
!! Precise Recall
The main weakness of [knowledge Factor] [authentication] is that it relies on __precise recall__ of the [Credential]. If the [user] makes even a small error when entering the [Credential], [authentication] fails. Unfortunately, precise recall is a [Human Limitation]: people are much better at imprecise recall, particularly recognition of previously experienced stimuli.
This [Human Element], the limit on precise recall, is in direct conflict with the requirements of strong [passwords]. Many [Password Statistics] show that people pick easy-to-guess [passwords]; the same statistics found that 85% of all [passwords] could be trivially broken, using a simple exhaustive search to find short passwords and a [dictionary|Password Dictionary] to find longer ones.
Enforcing a [Password Policy] requires users to create unpredictable [passwords], which are harder to memorize. As a result, users often write their passwords down and hide them close to their workspace. Strict [Password Policy] rules insisting on [Password Quality], such as forcing users to [change passwords periodically|Password Expiration], only increase the number of users who write them down as a memory aid.
As companies try to increase the security of their IT infrastructure, the number of [password]-protected areas grows. At the same time, the number of [Websites] that require a username and [password] combination is also increasing. To cope, users employ similar or [identical passwords|Password Reuse] for different purposes, which reduces the security of every such [password] to that of the weakest site holding it.
!! Most Proposed Solutions Fail
The majority of solutions to the problem of weak [passwords] fall into three main categories:
* The first type is proactive security measures that aim to identify weak passwords before an attacker breaks them, by continuously running password-cracking programs against the organization's own password store
* The second type is also technical in nature: techniques that increase the computational overhead of cracking passwords, such as slow, salted password hashing
* The third class involves user training and education to raise security awareness, and establishing security guidelines and a [Password-composition Policy|Password Modification Policy] for users to follow.
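The following is an added example, not code from the original page. It ties together the "exhaustive search for short passwords, dictionary for longer ones" finding above and the first two classes of solution in the list: it runs a proactive audit against a constructed, unsalted SHA-256 password store (the usernames, plaintexts and wordlist are made up for illustration), then measures how much a slow KDF (PBKDF2-HMAC-SHA256, with an assumed iteration count) multiplies the cost of each guess. Only the Python standard library is used.

```python
"""Proactive password audit plus a measurement of slow-hash cost.

Constructed data throughout: no real accounts, hashes or wordlists.
"""
import hashlib
import itertools
import string
import time


def fast_hash(password: str) -> str:
    """Unsalted SHA-256, the legacy storage that makes these searches cheap."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int) -> str:
    """PBKDF2-HMAC-SHA256: every guess costs `iterations` HMAC invocations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


# Constructed sample store: user -> unsalted SHA-256 of a chosen plaintext.
# "dave" uses a long passphrase that neither search below should recover.
PLAINTEXTS = {
    "alice": "ab1",
    "bob": "Password1",
    "carol": "dragon",
    "dave": "correct horse battery staple",
}
ACCOUNTS = {user: fast_hash(pw) for user, pw in PLAINTEXTS.items()}

# Constructed mini wordlist and the suffixes users bolt on to satisfy a policy.
WORDLIST = ["dragon", "password", "letmein", "welcome", "monkey", "qwerty"]
SUFFIXES = ["", "1", "123", "!", "2024"]


def exhaustive_search(targets, alphabet=string.ascii_lowercase + string.digits, max_len=3):
    """Try every string of length 1..max_len over `alphabet`.

    Returns {hash: plaintext} for every target recovered. Short passwords fall
    here regardless of how random they look: 36^3 candidates is ~47k hashes.
    """
    found, remaining = {}, set(targets)
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            digest = fast_hash(candidate)
            if digest in remaining:
                found[digest] = candidate
                remaining.discard(digest)
                if not remaining:
                    return found
    return found


def mangle(word: str):
    """Yield the common user 'strengthening' variants of a dictionary word."""
    for base in (word, word.capitalize(), word.upper()):
        for suffix in SUFFIXES:
            yield base + suffix


def dictionary_search(targets, wordlist=WORDLIST):
    """Try each wordlist entry and its mangled variants; returns {hash: plaintext}."""
    found, remaining = {}, set(targets)
    for word in wordlist:
        for candidate in mangle(word):
            digest = fast_hash(candidate)
            if digest in remaining:
                found[digest] = candidate
                remaining.discard(digest)
    return found


def audit(accounts=ACCOUNTS):
    """Proactive audit (solution class one): {user: plaintext} for each weak password."""
    targets = list(accounts.values())
    cracked = exhaustive_search(targets)
    cracked.update(dictionary_search([t for t in targets if t not in cracked]))
    return {user: cracked[h] for user, h in accounts.items() if h in cracked}


def cost_factor(iterations=50_000, fast_samples=1000, slow_samples=3):
    """Solution class two: per-guess cost of PBKDF2 relative to unsalted SHA-256."""
    salt = b"constructed-salt"  # assumed per-user salt; would be random in practice
    start = time.perf_counter()
    for i in range(fast_samples):
        fast_hash(f"guess{i}")
    fast = (time.perf_counter() - start) / fast_samples
    start = time.perf_counter()
    for i in range(slow_samples):
        slow_hash(f"guess{i}", salt, iterations)
    slow = (time.perf_counter() - start) / slow_samples
    return slow / fast


if __name__ == "__main__":
    for user, plaintext in audit().items():
        print(f"WEAK  {user}: {plaintext!r}")
    print(f"PBKDF2 makes each guess ~{cost_factor():.0f}x more expensive than SHA-256")
```

The audit recovers alice (three characters, exhaustive search), bob and carol (dictionary word plus a policy-appeasing mangle) and leaves dave alone; the cost measurement shows that a slow KDF buys time but, as the information box below says, does nothing about why those three passwords were weak in the first place.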
%%information
None of these three classes of solutions remedies the main cause of [password] insecurity, which is the [Human Limitation] on __Precise Recall__ of [Credentials].
%%
!! [Credential Vaults]
[Credential Vaults] are another proposed solution: the user needs only one [credential] to open the [Credential Vault], and the [Credential Vault] [Application] can then, in most cases, supply a "strong", unique [credential] for each [website].
However, [Credential Vaults] are themselves a [Password Anti-Pattern]: the master password is now a [Shared Secret] with yet another party, which adds one more [vulnerability] and one more point that an [attacker] may [exploit]. Whoever obtains that single master credential obtains every credential the vault holds.
And that is why we see these kinds of [Password Statistics].
!! Funny [Password] [Use cases]
* [Passwords revealed by sweet deal|http://news.bbc.co.uk/2/hi/technology/3639679.stm|target='_blank']
* [What is Your Password?|https://youtu.be/opRMrEfAIiI|target='_blank']
* [Social engineering: Password in exchange for chocolate|https://www.eurekalert.org/pub_releases/2016-05/uol-sep051216.php|target='_blank']
* [I’ll give you a candy bar for your password|https://www.geek.com/blurb/ill-give-you-a-candy-bar-for-your-password-556508/|target='_blank']
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]