Although digital certificates are becoming more popular, most systems today require each user to identify himself to the system by furnishing a username and password. This is an example of authenticating yourself based on what you know. Weve already seen this in our discussions of authentication protocols like Kerberos and CHAP.
The username is unique to each individual user. It is a humanly readable name which typically, 'under the hood', is associated with a number set or hashed value that was generated at the time the user account was created. The password is supposed to be kept secret and should be sufficiently long enough to prevent a brute force (trying all the possible permutations of characters) attack from succeeding. Furthermore, a password should not be a name found in a native language to prevent a dictionary attack. It should also not be something easily guessable such as the username, the users first name, their childs name, etc.
Different OSs and applications perform user/password validation with different levels of intelligence and naiveté. For example, some encrypt the password before sending it across the wire, some dont. Some store the password in strongly encrypted form on the server; some store the password on the server using weak or no encryption.
As networks became more common, network sniffers which inspect traffic as it travels across a network became more common, and computers got faster (permitting encryption to be brute-forced), engineers began looking for better solutions that provided a higher level of security. Simple user/password authentication is still used today by a variety of services, but many security professionals and real-world-savvy network administrators recommend avoiding those services and going instead for those that use stronger authentication methods, due to limitations in the user/password approach:
Home - Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.