What is a Password? (Technical)
An in-depth explanation of passwords
Note: The article below was inspired by and taken collectively from my college cyber security classes, so I do not own or claim the non-general ideas written below. I only intend to share crucial technical information that is not widely known, to raise awareness of the importance of having highly secure passwords, to explain what they are in technical terms, and to explain how they can easily be stolen through the internet and through social engineering.
Why Are They Important?
Passwords are cheap to deploy, but also act as the first line of defense in a security arsenal.
They are also often the weakest link.
Examples of what they protect:
ATMs and bank accounts
Nuclear power and other critical infrastructure systems
Company proprietary information and systems
Email accounts (Gmail, Yahoo, Microsoft Outlook, etc.)
Student information (e.g. MyUni & Blackboard)
Password Authentication
Passwords have been used for centuries, e.g. by guards and sentries.
Password = secret authentication code used for access.
αυθεντικός = real or genuine, from 'authentes' = author
Answers the question: how do you prove to someone that you are who you claim to be?
Authentication methods:
– What you know (Passwords, Secret keys)
– Where you are (IP Addresses)
– What you are (Biometrics)
– What you have (Secure tokens)
How Can Passwords Be Stored?
Filing system – clear text
Dedicated authentication server – clear text
Encrypted
Password + Encryption = bf4ee8HjaQkbw
Hashed
Password + Hash function = aad3b435b51404eeaad3b435b51404ee
Salted hash
(Username + Salt + Password) + Hash function = e3ed2cb1f5e0162199be16b12419c012
How Are Passwords Stored? – Hashing
Usually stored as hashes (not plain text).
Plain text is converted into a message digest through use of a hashing algorithm (e.g. MD5, SHA).
How Are Passwords Stored? – Hashing
• Hash function H must have some properties:
– One-way: given H(password), hard to find password
• No known algorithm better than trial and error
– Collision-resistant: given H(password1), hard to find password2 such that H(password1) = H(password2)
– It should even be hard to find any pair p1, p2 s.t. H(p1) = H(p2)
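The storage options listed above (unsalted hash, salted hash, and a deliberately slow hash in the spirit of running DES 25 times), as an added Python example that is not part of the original article or lecture slides. The usernames, passwords and the PBKDF2/SHA-256 construction are assumptions chosen for illustration; the slide's own digests used MD5/LM-style hashes.

```python
import hashlib
import hmac
import os


def unsalted_hash(password: str) -> str:
    """Password + hash function. Every user with this password gets the
    same digest, so one cracked digest unmasks all of them."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_hash(username: str, salt: bytes, password: str) -> str:
    """(Username + Salt + Password) + hash function, as on the slide.
    A random per-user salt makes identical passwords hash differently
    and defeats precomputed digest tables."""
    h = hashlib.sha256()
    for part in (username.encode("utf-8"), salt, password.encode("utf-8")):
        h.update(part)
    return h.hexdigest()


def make_record(username: str, password: str, iterations: int = 100_000) -> dict:
    """Build a shadow-style record holding salt, work factor and digest,
    never the password. The iteration count is the modern form of the
    'ran DES 25 times' slowdown: each guess costs the attacker more."""
    salt = os.urandom(16)  # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"user": username, "salt": salt.hex(),
            "iterations": iterations, "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    # Constructed sample accounts (not from the page): two users, same password.
    pw = "Winter2024!"
    print("unsalted, alice:", unsalted_hash(pw))
    print("unsalted, bob:  ", unsalted_hash(pw))            # identical digests
    print("salted, alice:  ", salted_hash("alice", os.urandom(16), pw))
    print("salted, bob:    ", salted_hash("bob", os.urandom(16), pw))  # differ
    alice = make_record("alice", pw)
    print("verify correct: ", verify(alice, pw))
    print("verify wrong:   ", verify(alice, "winter2024!"))
```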
How Are Passwords Stored? – Early UNIX Systems
In past UNIX systems, passwords used modified DES (an encryption algorithm) as if it were a hash function.
Encrypts the NULL string using the password as the key (truncates passwords to 8 characters!)
Caused artificial slowdown: ran DES 25 times
Also stored the password file at /etc/passwd
World-readable (anyone who accessed the machine would be able to copy the password file to crack at their leisure)
Contained userIDs/groupIDs used by many system programs
– Can instruct modern UNIXes to use MD5 hash function
How Are Passwords Stored?
Newer UNIX Systems
Password hashes stored in /etc/shadow (or similar) – only readable by the system administrator (root)
Less sensitive information still in /etc/passwd
Added expiration dates for passwords
Early “shadow” implementations on Linux called the login program, which had a buffer overflow!
Passwords' Impact on Security
Simple hacking tools are available to anyone who looks for them on the Internet.
Tools such as L0phtCrack allow admittance into almost anyone's account if a simple eight-digit password is used.
People are frightened when they learn that using only an eight-digit password with standard numbers and letters will allow anyone to figure out their passwords in less than two minutes with a publicly available tool like L0phtCrack.