!!! Overview

[{$pagename}] [Password Authentication], [PIN]-based and other [Knowledge Factor] [authentication] have numerous deficiencies. Unfortunately, many security systems are designed such that [Authentication] relies entirely on a [Knowledge Factor].

Many "Security Experts" point out that weak [passwords] are the most common cause of system [Exploits]. Almost everyone agrees on [{$pagename}]. The sheer number of [Password] [Attacks] in recent years shows that, at the very least, the approach is not working. Perhaps it is all an implementation issue, perhaps it is the conflict between the [usability] of [passwords] and [Password-composition Policy|Password Modification Policy], or perhaps [heuristic Attacks] have simply gotten better.

!! A little about [Passwords]

The [password], then, functions like the key to a lock: [anyone who has it can get in|Bearer]. This means the password can easily become the __weak__ link in a company's network security plan, because [passwords] can be "cracked", [guessed|Brute-Force], stolen or deliberately shared.

The "Security Experts" put the burden on the [user], saying "It is important for individual users to safeguard their passwords" ([Best Practices Password]) and for the [Organizational Entity] to develop a [Password Policy] that mandates that such practices be followed.

!! Precise Recall

The main weakness of [knowledge Factor] [authentication] is that it relies on __precise recall__ of the [Credential] information. If the [user] makes a small error in entering the [Credential], the [authentication] fails. Unfortunately, precise recall is a [Human Limitation]. People are much better at imprecise recall, particularly recognition of previously experienced stimuli. This [Human Element] of precise recall is in direct conflict with the requirements of strong [passwords].

Many [Password Statistics] show that people pick easy-to-guess [passwords].
Furthermore, they found that 85% of all [passwords] could be trivially broken through a simple exhaustive search to find short passwords and by using a [dictionary|Password Dictionary] to find longer ones.

Enforcing a [Password Policy] requires users to create unpredictable [passwords], which are more difficult to memorize. As a result, users often write their passwords down and hide them close to their workspace. Strict [Password Policy] insisting on [Password Quality], such as forcing users to change [passwords periodically|Password Expiration], only increases the number of users who write them down to aid memorability.

As companies try to increase the security of their IT infrastructure, the number of [password]-protected areas is growing. Simultaneously, the number of [Websites] which require a username and [password] combination is also increasing. To cope with this, users employ similar or [identical passwords|Password Reuse] for different purposes, which reduces the security of the [password] to that of the weakest link.

!! Most Proposed Solutions Fail

The majority of solutions to the problems of weak [passwords] fall into three main categories:
* The first type of solution consists of proactive security measures that aim to identify weak passwords before they are broken, by constantly running password-cracking programs.
* The second type of solution is also technical in nature and uses techniques to increase the computational overhead of cracking passwords.
* The third class of solutions involves user training and education to raise security awareness, and establishing security guidelines and a [Password-composition Policy|Password Modification Policy] for users to follow.

%%information
All three classes of solutions fail to remedy the main cause of [password] insecurity, which is the [Human Limitation] of __Precise Recall__ of [Credentials].
%%
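As an added example (not part of the original page, and not code from any project it references), the following Python shows the two technical solution categories from the defender's side, plus the precise-recall requirement from the section above: `is_weak` is a proactive check run at password-change time instead of cracking stored hashes afterwards, `hash_password` raises the per-guess cost with PBKDF2-HMAC-SHA256 from the standard library, and `verify_password` fails on any deviation, even a one-character slip. The dictionary contents, the iteration count and the `algo$iterations$salt$digest` storage format are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample dictionary; a real deployment would use a breached-password
# list with millions of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

# Assumed work factor for PBKDF2-HMAC-SHA256. A slow KDF means every guess costs
# the attacker this many hash operations instead of one.
DEFAULT_ITERATIONS = 600_000


def is_weak(password: str, min_length: int = 12) -> bool:
    """Proactive check at password-change time (solution category 1, applied
    before storage rather than by cracking stored hashes later)."""
    if len(password) < min_length:
        return True
    lowered = password.lower()
    # Drop trailing digits/symbols so "Password2024!" still matches "password".
    stripped = lowered.rstrip("0123456789!@#$%^&*")
    return lowered in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Solution category 2: store a salted, iterated hash so each guess is expensive.
    Storage format (constructed for this example): algo$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time. Any deviation in the entered password fails: this is the
    precise-recall requirement the page describes."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for candidate in ("Password2024!", "correct horse battery staple"):
        print(f"{candidate!r}: weak={is_weak(candidate)}")
    stored = hash_password("correct horse battery staple")
    print("exact recall:", verify_password("correct horse battery staple", stored))
    print("one-character error:", verify_password("correct horse battery stapel", stored))
```

The iteration count is the knob for category 2: raising it multiplies the cost of every guess for a dictionary or exhaustive search while adding one KDF computation per legitimate login, and because the count is stored alongside the hash it can be raised for new passwords without invalidating old ones. Neither function does anything about the underlying problem the page identifies: a long, unpredictable password that passes `is_weak` still has to be recalled exactly to pass `verify_password`.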
!! [Credential Vaults]

[Credential Vaults] are also a proposed solution, where the user only needs one [credential] to open the [Credential Vault]. The [Credential Vault] [Application] can then, in at least many cases, provide a "strong" [credential] for use at the [website]. However, [Credential Vaults] are a [Password Anti-Pattern]: the password is now a [Shared Secret] with yet another party, which increases the [vulnerability] and the points that an [attacker] may [exploit]. And that is why we see these types of [Password Statistics].

!! Funny [Password] [Use cases]
* [Passwords revealed by sweet deal|http://news.bbc.co.uk/2/hi/technology/3639679.stm|target='_blank']
* [What is Your Password?|https://youtu.be/opRMrEfAIiI|target='_blank']
* [Social engineering: Password in exchange for chocolate|https://www.eurekalert.org/pub_releases/2016-05/uol-sep051216.php|target='_blank']
* [I'll give you a candy bar for your password|https://www.geek.com/blurb/ill-give-you-a-candy-bar-for-your-password-556508/|target='_blank']

!! More Information

There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]