The Security Dilemma – Passwords and Authentication

For those of us who’ve worked in IT for a few decades, the whole idea that we still use passwords as a means of authentication is quite remarkable. I remember many discussions at work and on bulletin boards over twenty years ago about how insecure they were and the numerous better solutions. However, they’re still very much here, and causing issues and security concerns wherever we go.

If you are like me, you hold dozens of ID/password pairs on various computer systems around the Internet. Typing in an ID lays claim to an identity; the password is then used to authenticate that claim, that is, to show that we are entitled to it. The system uses the identity represented by the ID to associate attributes (permissions, data, roles) with whoever holds that ID. It is sometimes argued that an ID and a password together form a two-factor authentication system, with the ID standing for something you have and the password for something you know. The problem, of course, is that an ID is usually public and easily copied, so it contributes nothing as a factor. I for one don’t trust this, or the numerous ways a password is transmitted and submitted; indeed, I always use a UK VPN connection as an extra layer if I’m using any password-enabled site away from my home network.

Consequently, most ID and password systems are little stronger than a one-factor system.

Password management

The greatest advantage of ID and password systems is their convenience and familiarity. The greatest drawback is their dependence on passwords. In theory, because a password is a secret (something you know), it is protected: only the entity holding the secret can disclose it to the authentication system. In practice, passwords suffer from several considerable limitations.

Individuals can remember only a limited number of items (around eight) with perfect accuracy, and they usually have several passwords to remember at once. As a result, people choose passwords that are short and easy to recall, and they tend to reuse the same password across multiple credentials.

Easy-to-recall passwords are also easy for an attacker to guess. Even passwords with no connection to their holder can be guessed efficiently if they are what are known as “dictionary words”, because an attacker can simply try every entry in a wordlist, with the usual capitalisation and appended digits, far faster than the holder could ever type them. The strongest passwords would be long, random strings of characters, but people cannot remember long random strings.

People (and even machines) can be tricked into revealing a password to an attacker, for example through a fake login screen. Another common technique is “social engineering”, where the attacker contacts the person and, posing as an administrator or someone else the person trusts, talks them into disclosing the password.

People write passwords down, and passwords get stored in files on computers, which leaves them vulnerable to theft and abuse.

These problems have no easy solutions. Many IT departments institute a password-ageing policy that forces users to change their passwords periodically, to limit the damage from a password that has been lost or shared. They also frequently enforce rules on password structure in an effort to make passwords less guessable: the rules may disallow dictionary words, require more than six characters, or require a mixture of letters, numbers and punctuation. Often the result of such policies is that users give up trying to remember their passwords and simply write them down and stick them to their monitors or in the pencil drawer.
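To make the guessing and policy points above concrete, here is an added example in Python (my own illustration for this page, not code from the original post). It models a dictionary attack using a constructed seven-word list plus a handful of mangling rules (capitalisation, look-alike substitutions, appended digits and punctuation), and beside it the kind of structural policy just described: more than six characters, a mix of character classes, no dictionary word as the core. The wordlist, mangling rules, suffixes and sample passwords are assumptions chosen for the demo, and the unsalted SHA-256 stands in for a stored hash only so that the example runs offline. The point it demonstrates is that a password such as "Dragon1!" satisfies every structural rule yet falls to the wordlist in about a hundred guesses, whereas a random string of the same character classes is not found in the wordlist at all and its guess space grows with its length.

```python
import hashlib
import math
import string

# Constructed mini wordlist standing in for a real dictionary or leaked-password
# list (assumption: a real list has millions of entries, which only shortens
# the attacker's job relative to the random-string case below).
WORDLIST = ["password", "welcome", "summer", "dragon", "letmein", "monkey", "qwerty"]

# Mangling rules an attacker applies to every dictionary word: capitalisation,
# look-alike substitutions, and the digits/punctuation people append to satisfy
# complexity rules. Typical rules chosen for the demo, not taken from any tool.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
UNLEET = str.maketrans({"@": "a", "3": "e", "1": "i", "0": "o", "$": "s"})
MANGLERS = [
    lambda w: w,
    str.capitalize,
    str.upper,
    lambda w: w.translate(LEET),
    lambda w: w.capitalize().translate(LEET),
]
SUFFIXES = ["", "1", "123", "!", "1!", "2024"]


def candidates(words=WORDLIST):
    """Yield the guesses a dictionary attack tries, in order."""
    for word in words:
        for mangle in MANGLERS:
            for suffix in SUFFIXES:
                yield mangle(word) + suffix


def sha256_hex(password: str) -> str:
    """Model of a stored password hash. Unsalted SHA-256 is a simplification
    for the demo; a real system should use a salted, slow KDF (bcrypt, argon2)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def dictionary_attack(target_hash: str, words=WORDLIST):
    """Return (recovered_password, attempts), or (None, attempts) if the hash
    does not fall to the wordlist plus mangling rules."""
    attempts = 0
    for guess in candidates(words):
        attempts += 1
        if sha256_hex(guess) == target_hash:
            return guess, attempts
    return None, attempts


def is_dictionary_derived(password: str, words=WORDLIST) -> bool:
    """Strip trailing digits/punctuation and undo look-alike substitutions; if
    what remains is a wordlist entry, the password is a mangled dictionary word."""
    core = password.lower().rstrip(string.digits + string.punctuation).translate(UNLEET)
    return core in words


def policy_violations(password: str, words=WORDLIST, min_len=7):
    """Structural rules of the kind IT departments impose: length over six,
    a mix of character classes, and no dictionary word as the core."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    if sum(classes) < 3:
        problems.append("fewer than three of: lower, upper, digit, punctuation")
    if is_dictionary_derived(password, words):
        problems.append("built from a dictionary word")
    return problems


def guess_space_bits(password: str, words=WORDLIST) -> float:
    """log2 of the number of guesses an attacker needs. A mangled dictionary
    word collapses to (wordlist size x manglers x suffixes) whatever its length;
    a random string grows as charset ** length."""
    if is_dictionary_derived(password, words):
        return math.log2(len(words) * len(MANGLERS) * len(SUFFIXES))
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(c in string.punctuation for c in password):
        charset += len(string.punctuation)
    return len(password) * math.log2(charset) if charset else 0.0


if __name__ == "__main__":
    # "Dragon1!" passes the length and mixed-class rules yet is a mangled
    # dictionary word; the random string is what those rules were hoping for.
    for pw in ("Dragon1!", "x7#Kq2!mLp9v"):
        found, tries = dictionary_attack(sha256_hex(pw))
        outcome = f"recovered after {tries} guesses" if found else f"not found in {tries} guesses"
        print(f"{pw!r}: policy={policy_violations(pw) or 'ok'}, "
              f"guess space ~2^{guess_space_bits(pw):.1f}, dictionary attack: {outcome}")
```

Run it as a script to see the two sample passwords side by side. The dictionary-derived estimate (about 2^7.7 guesses here) is the whole point: adding a capital letter, a digit and an exclamation mark to a common word does not move it out of the attacker's wordlist, it merely adds a couple of mangling rules that every cracking tool already applies.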

John Williams