A password is a secret word or string of characters used for authentication, to prove identity or to gain access to a resource (an access code, for example, is a kind of password). The password should be kept secret from anyone not allowed access. The use of passwords is ancient: sentries would challenge those wishing to enter an area to supply a password or watchword, and would let a person or group pass only if they knew it. In modern times, user names and passwords are commonly used during a log-in process that controls access to protected computer operating systems, mobile phones, cable TV decoders, automated teller machines (ATMs), and so on. A typical computer user may require passwords for many purposes: logging in to computer accounts, retrieving e-mail from servers, accessing programs, databases, networks and web sites, and even reading the morning newspaper online.
Despite the name, there is no need for a password to be an actual word; indeed a password that is not a word may be harder to guess, which is a desirable property. Some passwords are formed from several words and are more accurately called a passphrase. The term passcode is sometimes used when the secret is purely numeric, as with the personal identification number (PIN) commonly used for ATM access. Passwords are generally short enough to be easily memorised and typed.
For the purpose of more compellingly authenticating one computing device to another, passwords have significant disadvantages (they can be stolen, spoofed, forgotten, etc.) compared with authentication systems that rely on cryptographic protocols, which are much harder to circumvent.
Easy to remember, hard to guess
The easier a password is for its owner to remember, the easier it generally is for an attacker to guess. Passwords that are hard to remember reduce the security of a system because (a) users may write the password down or store it electronically, (b) users will need frequent password resets, and (c) users are more likely to re-use the same password across systems. Likewise, the more stringent the password rules, for example "use a mix of uppercase and lowercase letters and digits" or "change it monthly", the greater the degree to which users will subvert the system.
In "The Memorability and Security of Passwords", Jeff Yan et al. examine the effect of the advice given to users about choosing a good password. They found that passwords built by thinking of a phrase and taking the first letter of each word are as memorable as naively selected passwords, and as hard to crack as randomly generated ones. Combining two unrelated words is another good method. Having a personally designed algorithm for generating obscure passwords is another.
However, asking users to remember a password consisting of a "mix of uppercase and lowercase characters" is similar to asking them to remember a sequence of bits: hard to remember, and only a little harder to crack (for example, only 128 times harder for a 7-letter password, and far less if the user simply capitalises the first letter). Asking users to use "both letters and digits" usually leads to easily guessed substitutions such as 'E' -> '3' and 'I' -> '1', which attackers know well. Similarly, typing the password one keyboard row higher is a common trick that attackers also know.
Factors in the security of a password system
The security of a password-protected system depends on several factors. The overall system must of course be designed for sound security, with protection against computer viruses, man-in-the-middle attacks and the like. Physical security is also a concern, from deterring shoulder surfing to more sophisticated physical threats such as video cameras and keyboard sniffers. And, of course, passwords should be chosen so that they are hard for an attacker to guess and hard to discover using any (and all) of the available automated attack schemes. See password strength, computer security, and computer insecurity.
Nowadays it is common practice for computer systems to hide passwords as they are typed, so that bystanders cannot read them. However, some argue that this practice leads to mistakes and stress, which encourages users to choose weak passwords. An alternative is to give users the option of showing or hiding their password as they type it.
Effective access control may drive criminals seeking a password or biometric token to extreme measures. Less extreme measures include extortion, rubber hose cryptanalysis and side channel attacks.
The following are specific password management issues that must be considered when thinking about, choosing and handling a password.
Rate at which an attacker can try guessed passwords
The rate at which an attacker can submit guessed passwords to the system is a key factor in determining its security. Some systems impose a time-out of several seconds after a small number (e.g., three) of failed password attempts. In the absence of other vulnerabilities, such systems can be effectively secure with relatively simple passwords, provided they have been well chosen and are not easily guessed.
Many systems store, or transmit, a cryptographic hash of the password in a way that makes the hash value accessible to an attacker. When this is done, and it is very common, the attacker can work off-line, rapidly testing candidate passwords against the true password's hash value. Passwords used to generate cryptographic keys (e.g., for disk encryption or Wi-Fi security) can likewise be guessed at a high rate. Lists of common passwords are widely available and make such attacks very efficient (see password cracking). Security in these situations depends on using passwords or passphrases of enough complexity that the attack is computationally infeasible. Some systems, such as PGP and Wi-Fi WPA, apply a computation-intensive hash to the password to slow such attacks; see key stretching.
Form of stored passwords
Some computer systems store user passwords as cleartext, against which log-on attempts are compared. If an attacker gains access to such an internal password store, every password, and so every user account, is compromised. If some users employ the same password on other systems, those accounts are compromised as well.
More secure systems store each password in a cryptographically protected form, so that obtaining the original password remains difficult for a snooper who gains internal access, while verification of log-on attempts is still possible.
A common approach stores only a "hashed" form of the plaintext password. When a user types a password on such a system, the password handling software runs it through a cryptographic hash algorithm, and if the hash value computed from the user's entry matches the hash stored in the password database, the user is granted access. The hash value is produced by applying a cryptographic hash function to a string consisting of the submitted password and, usually, another value known as a salt. The salt prevents attackers from building a single precomputed table of hash values for common passwords, since each user's hash differs even for the same password. MD5 and SHA1 are frequently used cryptographic hash functions for this purpose, though both are fast, unkeyed hashes; for password storage a deliberately slow, salted construction such as PBKDF2, bcrypt, scrypt or Argon2 is the better choice.
A modified version of the DES algorithm was used as the basis for the password hashing algorithm in early Unix systems. The Unix crypt function used a 12-bit salt so that each user's hash was unique, and iterated DES 25 times to make the function slow, both measures intended to frustrate automated guessing attacks. The user's password was used as a key to encrypt a fixed value rather than being encrypted itself, blocking yet another attack on the hashing scheme. More recent Unix and Unix-like systems (e.g., Linux or the various BSD systems) use what they regard as more secure password hashing algorithms based on MD5, SHA1, Blowfish, Twofish or several others, which are slower, thus stopping many automated guessing attacks, or at least more effective at securing the password file against them.
Even if the hash function is well designed, and it is computationally infeasible to reverse it to obtain the plaintext password directly, many hashed-password schemes still provide inadequate protection. An attacker can take publicly available lists of likely passwords (dictionaries of words in many languages, default passwords of common software applications, and so on, all widely available on the Internet), hash each entry in the same way, and compare the results with the stolen hash values. Tools exist to perform this dictionary attack, so users' password choices should be constrained such that nothing on such lists is accepted. Obviously, such lists should not be used as sources of passwords either. Key stretching, such as PBKDF2, is designed to reduce this risk by making each guess expensive.
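The salted, key-stretched storage scheme described above, as an added example that is not part of the original page. The record format (`pbkdf2_sha256$iterations$salt$hash`), the iteration count and the function names are assumptions made for this illustration; the PBKDF2 primitive itself is the one from Python's standard library. The last function shows the problem a salt solves: without one, two users who chose the same password get the same hash, so a single precomputed table matches both.

```python
"""Salted, key-stretched password storage and verification (added example).

Stored record format (an assumption for this example):
    pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>
"""
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 200_000   # illustrative; tune so one hash costs ~100 ms on your hardware
SALT_BYTES = 16


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm, work factor, salt and derived key."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt for every password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, dk_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        salt, int(iterations))
    except ValueError:                         # malformed record
        return False
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, min_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True if the record was made with a weaker work factor than current policy,
    so it should be re-hashed the next time the user logs in successfully."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < min_iterations


def same_hash_without_salt(p1: str, p2: str) -> bool:
    """Why the salt matters: an unsalted hash of two equal passwords collides, so one
    precomputed table of common passwords hits every user who chose one of them."""
    return hashlib.sha256(p1.encode()).digest() == hashlib.sha256(p2.encode()).digest()


if __name__ == "__main__":
    rec_alice = hash_password("correct horse battery staple")
    rec_bob = hash_password("correct horse battery staple")
    print("same password, different records:", rec_alice != rec_bob)
    print("verify correct:", verify_password("correct horse battery staple", rec_alice))
    print("verify wrong:  ", verify_password("Correct horse battery staple", rec_alice))
```

Keeping the iteration count inside the record lets the work factor be raised later without invalidating old accounts: `needs_rehash` flags the old records, and they are re-hashed on the next successful log-in, when the plaintext is briefly available.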
A poorly designed hash function can make attacks feasible even when a strong password is chosen. See LM hash for a widely deployed, and insecure, example.
Methods of verifying a password over a network
Various methods have been used to verify passwords over a network:
Simple transmission of the password
Passwords are vulnerable to interception (i.e., "snooping") while being transmitted to the authenticating machine or person. If the password is carried as electrical signals on unsecured physical wiring between the user's access point and the central system controlling the password database, it is subject to snooping by wiretapping. If it is carried as packetised data over the Internet, anyone able to watch the packets containing the log-on information can snoop with a very low probability of detection.
E-mail is sometimes used to distribute passwords. Since most e-mail is sent as cleartext, a message containing a password is readable without effort by any eavesdropper during transport. Further, the message will be stored as cleartext on at least two computers, the sender's and the recipient's. If it passes through intermediate systems on the way, it will probably be stored on those as well, at least for some time, and may be copied to backup, cache or history files on any of them. Reliably deleting a password from all of those systems can be difficult. Passwords distributed by e-mail are generally distributed insecurely.
An example of cleartext transmission of passwords is the original Wikipedia website. When you log in to your Wikipedia account, your user name and password are sent from your computer's browser through the Internet as cleartext. In principle anyone could read them in transit and then log in to your account as you; the Wikipedia servers have no way of distinguishing such an attacker from you. In practice an unknowably large number of people are in a position to do so (for example, any employee of your Internet service provider with access to the systems through which your traffic passes). Wikipedia now offers a secure log-in option which, like many e-commerce sites, uses the SSL/(TLS) cryptographic protocol to eliminate the cleartext transmission. But because anyone can read Wikipedia without logging in at all, and then edit most articles, it can be argued that there is little need to encrypt these transmissions as there is little being protected. Other web sites (e.g., banks and financial institutions) have quite different security requirements, and cleartext transmission of anything is clearly insecure in those contexts.
Client-side encryption will only protect the transmission from the mail handling server to the client machine. Previous or subsequent relays of the e-mail are not protected, and the e-mail will probably be stored on multiple computers, certainly on the originating and receiving ones, most often in cleartext.
Transmission through encrypted channels
The risk of interception of passwords sent over the Internet can be reduced by, among other approaches, using cryptographic protection. The most widely used is the Transport Layer Security (TLS, previously called SSL) feature built into most current Internet browsers. Most browsers alert the user to a TLS/SSL-protected exchange with a server by displaying a closed lock icon, or some other sign, when TLS is in use. Several other techniques are in use; see cryptography.
Hash-based challenge-response methods
Unfortunately, there is a conflict between stored hashed passwords and hash-based challenge-response authentication: the latter requires a client to prove to a server that it knows the shared secret (i.e., the password), and to do this the server must be able to obtain the shared secret from its stored form. On many systems (including Unix-type systems) doing remote authentication, the shared secret therefore becomes the hashed form, which has the serious limitation of exposing passwords to offline guessing attacks. In addition, when the hash is used as the shared secret, an attacker does not need the original password to authenticate remotely; they only need the hash.
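The conflict described above, as an added example that is not from the page: a nonce-based challenge-response exchange in which the server keeps only an unsalted hash of the password and both sides MAC the nonce with that hash. The message format and the choice of HMAC-SHA256 are assumptions for illustration (real schemes such as NTLM or CRAM-MD5 differ in detail). The fresh nonce defeats replay of a captured response, but whoever copies the server's stored hash can answer the challenge without ever learning the password, and can also guess the password offline against that hash.

```python
"""Hash-based challenge-response and the pass-the-hash consequence (added example)."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional


def password_hash(password: str) -> bytes:
    """Server-side stored form of the password: an unsalted hash, as in many CR schemes."""
    return hashlib.sha256(password.encode("utf-8")).digest()


class Server:
    def __init__(self, user_db: Dict[str, bytes]):
        self.user_db = user_db            # username -> stored hash (never the password)
        self.pending: Dict[str, bytes] = {}

    def challenge(self, username: str) -> bytes:
        nonce = os.urandom(16)            # fresh per attempt, so old responses cannot be replayed
        self.pending[username] = nonce
        return nonce

    def verify(self, username: str, response: bytes) -> bool:
        nonce = self.pending.pop(username, None)
        stored = self.user_db.get(username)
        if nonce is None or stored is None:
            return False
        expected = hmac.new(stored, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, nonce: bytes) -> bytes:
    """Legitimate client: derives the shared secret from the password, then MACs the nonce."""
    return hmac.new(password_hash(password), nonce, hashlib.sha256).digest()


def pass_the_hash_response(stolen_hash: bytes, nonce: bytes) -> bytes:
    """Attacker holding a copy of the server's stored hash: identical computation, no password."""
    return hmac.new(stolen_hash, nonce, hashlib.sha256).digest()


def offline_guess(stolen_hash: bytes, candidates: Iterable[str]) -> Optional[str]:
    """The stored hash also enables offline guessing, with no rate limit from the server."""
    for cand in candidates:
        if password_hash(cand) == stolen_hash:
            return cand
    return None


def demo() -> Dict[str, bool]:
    """Runs four exchanges against one server and reports which were accepted."""
    server = Server({"alice": password_hash("letmein99")})
    results = {}
    n = server.challenge("alice")
    results["legit"] = server.verify("alice", client_response("letmein99", n))
    n = server.challenge("alice")
    results["wrong_password"] = server.verify("alice", client_response("letmein98", n))
    n1 = server.challenge("alice")              # an eavesdropper captures this response ...
    captured = client_response("letmein99", n1)
    server.verify("alice", captured)
    server.challenge("alice")                   # ... but the next challenge uses a new nonce
    results["replay"] = server.verify("alice", captured)
    n3 = server.challenge("alice")
    stolen = server.user_db["alice"]            # attacker read the password store
    results["pass_the_hash"] = server.verify("alice", pass_the_hash_response(stolen, n3))
    return results


if __name__ == "__main__":
    print(demo())
```

The combination to avoid is exactly the one shown: a stored value that is both the verifier and the credential. Salting and stretching the stored hash does not change this, because the client would then need the salted, stretched value as well.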
Zero-knowledge password proofs
Rather than transmitting the password, or a hash of the password, password-authenticated key agreement systems can perform a zero-knowledge password proof, which proves knowledge of the password without exposing it.
Moving a step further, augmented systems for password-authenticated key agreement (e.g., AMP, B-SPEKE, PAK-Z, SRP-6) avoid both the conflict and the limitation of hash-based methods. An augmented system allows a client to prove knowledge of the password to a server that holds only a (not exactly) hashed verifier, and the unhashed password is required to gain access: a stolen verifier does not let an attacker impersonate the client.
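An augmented PAKE of the SRP-6a family, as an added example that is not from the page or from any SRP implementation. The server stores only a salt and a verifier v = g^x mod N derived from the password; the exchange sends no password and no hash, and a wrong password on the client side produces a different session key, so the server rejects the proof. For a self-contained run the module searches for a 128-bit safe prime at import time (an assumption for readability); a real deployment uses a standardised group of 2048 bits or more, and that toy group size is the only deliberate weakening here.

```python
"""SRP-6a style augmented password-authenticated key agreement (added example)."""
import hashlib
import random
import secrets
from typing import Dict, Optional, Tuple


def _probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin with fixed bases; adequate for finding a demo group."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(12345)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _safe_prime(bits: int) -> int:
    """Smallest safe prime N = 2q + 1 with exactly `bits` bits above a fixed start."""
    q = (1 << (bits - 2)) | 1
    while not (_probable_prime(q) and _probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


N = _safe_prime(128)          # TOY group: use RFC 5054 groups in practice
g = 2


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def _b(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


k = H(_b(N), _b(g))           # SRP-6a multiplier parameter


def register(username: str, password: str) -> Tuple[bytes, int]:
    """Enrolment, run by the client; only (salt, v) is stored on the server."""
    salt = secrets.token_bytes(16)
    x = H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())
    return salt, pow(g, x, N)


class SrpServer:
    def __init__(self, verifier_db: Dict[str, Tuple[bytes, int]]):
        self.db = verifier_db                     # username -> (salt, v)
        self.state: Dict[str, tuple] = {}

    def step1(self, username: str, A: int) -> Tuple[bytes, int]:
        if A % N == 0:
            raise ValueError("invalid client public value")
        salt, v = self.db[username]
        b = secrets.randbelow(N - 2) + 1
        B = (k * v + pow(g, b, N)) % N            # hides g^b behind the verifier
        self.state[username] = (A, b, B, v)
        return salt, B

    def step2(self, username: str, M1: int) -> Optional[bytes]:
        A, b, B, v = self.state.pop(username)
        u = H(_b(A), _b(B))
        S = pow(A * pow(v, u, N), b, N)           # = g^(b(a + u x))
        K = hashlib.sha256(_b(S)).digest()
        return K if H(_b(A), _b(B), K) == M1 else None


class SrpClient:
    def __init__(self, username: str, password: str):
        self.username, self.password = username, password
        self.a = secrets.randbelow(N - 2) + 1
        self.A = pow(g, self.a, N)

    def finish(self, salt: bytes, B: int) -> Tuple[bytes, int]:
        if B % N == 0:
            raise ValueError("invalid server public value")
        u = H(_b(self.A), _b(B))
        x = H(salt, hashlib.sha256(f"{self.username}:{self.password}".encode()).digest())
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)   # = g^(b(a + u x))
        K = hashlib.sha256(_b(S)).digest()
        return K, H(_b(self.A), _b(B), K)


def run_login(server: SrpServer, username: str, password: str):
    """Full exchange; returns (server_key, client_key), server_key None if the proof fails."""
    client = SrpClient(username, password)
    salt, B = server.step1(username, client.A)
    K_client, M1 = client.finish(salt, B)
    return server.step2(username, M1), K_client
```

Nothing that crosses the wire (A, B, M1) or sits in the server's database (salt, v) is a usable credential on its own: impersonating the client requires x, which only the password yields, and an eavesdropper is reduced to the discrete logarithm problem in the group.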
Procedures for changing passwords
Usually, a system must provide a way to change a password, either because a user believes the current password has been (or might have been) compromised, or as a precautionary measure. If a new password is passed to the system in unencrypted form, security can be lost (e.g., via wiretapping) before the new password is even installed in the password database. And, of course, if the new password is given to a compromised employee, little is gained. Some web sites include the user-selected password in an unencrypted confirmation e-mail message, with the obvious increase in risk.
Identity management systems are increasingly used to automate the issuance of replacements for lost passwords, a feature called self-service password reset. The user's identity is verified by asking questions and comparing the answers to ones previously stored (i.e., when the account was opened). Typical questions include "Where were you born?", "What is your favourite movie?" or "What is your pet's name?" In many cases the answers can be guessed relatively easily by an attacker, determined by research, or obtained through social engineering, so this authentication technique is less than satisfactory. While many users have been trained never to reveal a password, few appreciate that the name of their pet or their favourite movie requires similar care.
"Password aging" is a feature of some operating systems that forces users to change passwords frequently (e.g., quarterly, monthly or more often), intended to make a stolen password useless more or less quickly. Such policies usually provoke user protest and foot-dragging at best and hostility at worst. Users may develop simple variations of a password to cope, which defeats the purpose. In any case, the security benefit is limited, if not nil, because attackers often exploit a password as soon as it is compromised, which may be some time before the change is due. In many cases, particularly for administrative or "root" accounts, once an attacker has gained access they can alter the operating system so as to retain access even after the initial password expires (see rootkit). Implementing such a policy requires careful consideration of the relevant human factors.
Number of users per password
Sometimes a single password controls access to a device, for example a network router or a password-protected mobile phone. However, in the case of a computer system, a password is usually stored for each user account, making all access traceable (save, of course, when users share a password). A would-be user on most systems must supply a user name as well as a password, almost always at account set-up time and periodically thereafter. If the user supplies a password matching the one stored for the supplied user name, he or she is permitted further access. The same holds for a cash machine, except that the "user name" is typically the account number stored on the customer's card and the PIN is usually quite short (4 to 6 digits).
Allotting a separate password to each user of a system is preferable to having a single password shared by legitimate users, certainly from a security viewpoint. This is partly because users are more willing to tell another person (who may not be authorised) a shared password than one exclusively for their own use. A single shared password is also much less convenient to change, because many people need to be told at the same time, and it makes removal of a particular user's access more difficult, for instance on graduation or resignation. Per-user passwords are also essential if users are to be held accountable for their activities, such as making financial transactions or viewing medical records.
Design of the protected software
Common techniques used to improve the security of computer systems protected by a password include:
• Not displaying the password on the screen as it is entered, or obscuring it as it is typed with asterisks (*) or bullets (•).
• Allowing passwords of adequate length. (Some legacy operating systems, including early versions of Unix and Windows, limited passwords to an 8-character maximum, reducing security.)
• Requiring users to re-enter their password after a period of inactivity (a semi log-off policy).
• Enforcing a password policy to increase password strength and security:
  o requiring periodic password changes;
  o assigning randomly chosen passwords;
  o requiring minimum or maximum password lengths;
  o requiring characters from several character classes, for example "at least one uppercase and at least one lowercase letter". (However, all-lowercase passwords are more secure per keystroke than mixed-case ones.)
• Providing an alternative to keyboard entry (e.g., spoken passwords, or biometric identifiers).
• Using encrypted tunnels or password-authenticated key agreement to prevent access to transmitted passwords via network attacks.
• Limiting the number of failures allowed within a given time period (to prevent repeated password guessing). After the limit is reached, further attempts fail (including attempts with the correct password) until the beginning of the next time period. However, this is vulnerable to a form of denial-of-service attack.
• Introducing a delay between password submission attempts to slow down automated password guessing programs.
Some of the more stringent policy enforcement measures risk alienating users, which may decrease security as a result.
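The two throttling measures in the list above, and the rate limit discussed earlier under "Rate at which an attacker can try guessed passwords", as an added example that is not from the page: a per-account failure counter inside a time window, a lock-out once the limit is reached, and a delay between submissions that doubles with each failure. The thresholds, the result strings and the injectable clock are assumptions for this illustration. The final `demo` function drives it with a fake clock so the behaviour can be checked deterministically.

```python
"""Online-guessing throttle: failure window, lock-out and growing delay (added example)."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class AttemptState:
    failures: int = 0
    window_start: float = 0.0
    next_allowed: float = 0.0        # earliest time another attempt is accepted


@dataclass
class LoginThrottle:
    check_password: Callable[[str, str], bool]   # the real verifier, e.g. a hash compare
    max_failures: int = 3
    window_seconds: float = 300.0
    base_delay: float = 1.0
    max_delay: float = 60.0
    clock: Callable[[], float] = time.time
    state: Dict[str, AttemptState] = field(default_factory=dict)

    def attempt(self, username: str, password: str) -> str:
        """Returns 'ok', 'bad_password', 'too_early' or 'locked'.

        A locked account rejects even the correct password until the window
        expires: this is the denial-of-service trade-off the text mentions."""
        now = self.clock()
        st = self.state.setdefault(username, AttemptState(window_start=now))
        if now - st.window_start >= self.window_seconds:
            st.failures, st.window_start = 0, now           # new window, fresh count
        if st.failures >= self.max_failures:
            return "locked"
        if now < st.next_allowed:
            return "too_early"                              # delay applies to every attempt
        if self.check_password(username, password):
            self.state.pop(username, None)                  # success clears the record
            return "ok"
        st.failures += 1
        delay = min(self.base_delay * 2 ** (st.failures - 1), self.max_delay)
        st.next_allowed = now + delay
        return "locked" if st.failures >= self.max_failures else "bad_password"


def demo() -> List[str]:
    """Hammers one account with a fake clock; returns the sequence of outcomes."""
    fake = [1000.0]
    throttle = LoginThrottle(
        check_password=lambda u, p: (u, p) == ("alice", "s3cret"),
        clock=lambda: fake[0],
    )
    log = []
    for pw in ("guess1", "guess2", "guess2", "s3cret"):   # rapid-fire, 100 ms apart
        log.append(throttle.attempt("alice", pw))
        fake[0] += 0.1
    fake[0] += 5                                          # wait out the 1 s delay
    log.append(throttle.attempt("alice", "guess3"))       # 2nd failure, delay now 2 s
    fake[0] += 5
    log.append(throttle.attempt("alice", "s3cret"))       # correct, after the delay
    return log


if __name__ == "__main__":
    print(demo())
```

Because the lock-out is keyed on the account name, anyone who knows a user name can lock that user out; production systems usually combine this with per-source-address limits and a CAPTCHA or similar step rather than a hard lock alone.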
Attempting to crack a password by trying as many possibilities as time and money permit is a brute force attack. A related method, rather more efficient in most cases, is a dictionary attack, in which all the words in one or more dictionaries are tested. Lists of common passwords are typically tested as well.
Password strength is the likelihood that a password cannot be guessed or discovered, and it varies with the attack algorithm used. Passwords that are easily discovered are termed weak or vulnerable; passwords that are very difficult or impossible to discover are considered strong. Several programs are available for password attack (or even for auditing and recovery by systems personnel), such as L0phtCrack, John the Ripper and Cain, some of which exploit password design vulnerabilities (as found in the Microsoft LANManager system) to increase efficiency. These programs are sometimes used by system administrators to detect weak passwords chosen by users.
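A dictionary attack with simple mangling rules against a leaked set of unsalted SHA-1 hashes, as an added example that is not from the page or from any of the cracking tools named. The wordlist, the rules and the "leaked" hashes are constructed for the demonstration (each hash is computed from the plaintext given in the comment beside it). It also quantifies the point made under "Easy to remember, hard to guess": capitalising the first letter, leet substitutions, a keyboard-row shift and a few common suffixes multiply the candidates per dictionary word by a small constant, nowhere near the cost of a genuinely random password. Because the hashes are unsalted, each candidate hash is compared against every account at once.

```python
"""Dictionary attack with mangling rules against unsalted SHA-1 hashes (added example)."""
import hashlib
import itertools
from typing import Dict, Iterable, List

# Substitutions attackers try first because users try them first.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}
# Each key shifted one row up on a QWERTY keyboard (z->a, a->q, q->1, ...).
ROW_UP = dict(zip("zxcvbnmasdfghjklqwertyuiop", "asdfghjqwertyuio1234567890"))
SUFFIXES = ["", "1", "!", "123"] + [str(year) for year in range(2000, 2010)]


def leet(word: str) -> str:
    return "".join(LEET.get(c, c) for c in word)


def row_up(word: str) -> str:
    return "".join(ROW_UP.get(c, c) for c in word)


def mangle(word: str) -> List[str]:
    """All candidates derived from one dictionary word: a handful of base forms
    times a handful of suffixes, deduplicated, order preserved."""
    bases = [word, word.capitalize(), leet(word), leet(word).capitalize(), row_up(word)]
    seen, out = set(), []
    for base, suffix in itertools.product(bases, SUFFIXES):
        cand = base + suffix
        if cand not in seen:
            seen.add(cand)
            out.append(cand)
    return out


def sha1_hex(s: str) -> str:
    return hashlib.sha1(s.encode("utf-8")).hexdigest()


def crack(leaked: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """leaked: username -> SHA-1 hex. Returns username -> recovered password.
    Without salts, one hash computation is checked against every account."""
    by_hash: Dict[str, List[str]] = {}
    for user, h in leaked.items():
        by_hash.setdefault(h, []).append(user)
    found: Dict[str, str] = {}
    for word in wordlist:
        for cand in mangle(word):
            for user in by_hash.pop(sha1_hex(cand), []):
                found[user] = cand
            if not by_hash:                 # everything recovered, stop early
                return found
    return found


# Constructed sample data for the demonstration.
WORDLIST = ["123456", "password", "letmein", "dragon", "monkey", "welcome"]
LEAKED = {
    "ann": sha1_hex("password"),
    "bob": sha1_hex("P455w0rd"),                    # leet + capital
    "cat": sha1_hex("Dragon2007"),                  # capital + year suffix
    "dan": sha1_hex("0qww294e"),                    # 'password' typed one row up
    "eve": sha1_hex("correct horse battery staple"),  # not derivable from this list
}


if __name__ == "__main__":
    print("candidates per word:", len(mangle("password")))
    print(crack(LEAKED, WORDLIST))
```

With a salt per account the inner loop would have to hash each candidate once per account instead of once overall, and with a key-stretched hash each of those computations would cost tens of thousands of times more; that combination, not the mangling rules, is what makes the attack impractical.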
Studies of production computer systems have consistently shown that a large fraction of all user-chosen passwords are readily guessed automatically. For example, Columbia University found that 22 percent of user passwords could be recovered with little effort. According to Bruce Schneier, examining data from a 2006 phishing attack, 55 percent of MySpace passwords would be crackable in 8 hours using a commercially available Password Recovery Toolkit capable of testing 200,000 passwords per second in 2006.[11] He also reported that the single most common password was password1, confirming yet again the general lack of informed care in choosing passwords among users. (He nevertheless maintained, based on these data, that the general quality of passwords has improved over the years: for example, the average length was up to eight characters from under seven in previous surveys, and less than 4 percent were dictionary words.)
On July 16, 1998, CERT reported an incident[13] in which an attacker had collected 186,126 encrypted account names and passwords. At the time the intrusion was discovered, 47,642 (about 25.6%) of those passwords had been cracked using a password cracking tool. The passwords appeared to have been gathered from several other web sites, some, but not all, of which were identified. It remains the largest known incident of its kind to date.
Alternatives to passwords for access control
The numerous ways in which permanent or semi-permanent passwords can be compromised has prompted the development of other techniques. Unfortunately, some are inadequate in practice, and in any case few have become universally available for users seeking a more secure alternative.[citation needed]
• Single-use passwords. Having passwords that are only valid once makes many potential attacks ineffective. Most users find single-use passwords extremely inconvenient. They have, however, been widely implemented in personal online banking, where they are known as Transaction Authentication Numbers (TANs). As most home users only perform a small number of transactions each week, the single-use issue has not led to intolerable customer dissatisfaction in this case.
• Time-synchronised one-time passwords are similar in some ways to single-use passwords, but the value to be entered is displayed on a small (generally pocketable) item and changes every minute or so.
• PassWindow one-time passwords are used as single-use passwords, but the dynamic characters to be entered are visible only when the user superimposes a unique printed visual key over a server-generated challenge image shown on the user's screen.
• Access controls based on public key cryptography, e.g., ssh. The necessary keys are usually too large to memorise (but see the Passmaze proposal) and must be stored on a local computer, security token or portable memory device such as a USB flash drive or even a floppy disk.
• Biometric methods promise authentication based on unalterable personal characteristics, but currently (2008) have high error rates and require additional hardware to scan, for example, fingerprints, irises, etc. They have proved easy to spoof in some well-known tests of commercially available systems, for example the gummy fingerprint spoof demonstration,[14] and because these characteristics are unalterable they cannot be changed if compromised; this is a highly important consideration in access control, since a compromised access token is necessarily insecure.
• Single sign-on technology is claimed to eliminate the need for multiple passwords. Such schemes do not relieve users and administrators from choosing reasonable single passwords, nor system designers or administrators from ensuring that the private access control information passed between systems to enable single sign-on is secure against attack. As yet, no satisfactory standard has been developed.
• Envaulting technology is a password-free way to secure data on removable storage devices such as USB flash drives. Instead of user passwords, access control is based on the user's access to a network resource.
• Non-text-based passwords, such as graphical passwords or passwords based on mouse movement.[15] One such system requires users to select a series of faces as a password, exploiting the human brain's ability to recall faces easily.[16] So far these are promising but not widely used; studies have been made to determine their usability in the real world.
• Graphical passwords are an alternative means of log-in authentication intended to be used in place of a conventional password; they use images, graphics or colours instead of letters, digits or special characters. Some systems require the user to select a series of images in the correct sequence to gain access.[17] While some believe that graphical passwords would be harder to crack, others suggest that people are just as likely to pick common images or sequences as they are to pick common passwords.
• 2D Key (2-Dimensional Key)[18] is a 2D matrix-like key input method with key styles of multiline passphrase, crossword, ASCII/Unicode art and optional textual semantic noise, intended to create big passwords/keys beyond 128 bits to realise MePKC (Memorizable Public-Key Cryptography)[19], using a fully memorisable private key on top of current private key management technologies such as encrypted private key, split private key and roaming private key.
• Cognitive passwords use question and answer cue/response pairs to verify identity.
Website password systems
Passwords are used on web sites to authenticate users and are usually maintained on the web server: the browser on a remote system sends the password to the server (by HTTP POST), the server checks it and returns the relevant content (or an access-denied message). This arrangement removes the possibility of local reverse engineering, since the code that checks the password does not reside on the local machine.
Transmission of the password through the browser in plaintext means it can be intercepted on its way to the server. Many web authentication systems use SSL/TLS to establish an encrypted session between browser and server, and this is usually what is meant by claims of a "secure web site". The browser does this automatically and it increases the integrity of the session, assuming that neither end has been compromised and that the SSL/TLS implementations in use are of good quality.