The Internet Encyclopedia (Volume 3)

WL040C-01 WL040/Bidgoli-Vol III-Ch-01 June 24, 2003 10:39 Char Count= 0


2 PASSWORDS

Figure 1: A biometric fingerprint scanner.

authentication, a system ought to combine two or more
of these factors. For example, in order to access an ATM,
one must have a bank card and know his or her personal
identification number (PIN).

HISTORY OF PASSWORDS IN MODERN COMPUTING
Conjecture as to which system was the first to incorporate passwords has been bandied about by several computing pioneers on the Cyberspace History List-Server (CYHIST). However, there has not been any concrete evidence as yet to support one system or another as the progenitor. The consensus opinion favors the Compatible Time Sharing System (CTSS) developed at the Massachusetts Institute of Technology (MIT) Computation Center beginning in 1961. As part of Project MAC (Multiple Access Computer) under the direction of Professor Fernando J. “Corby” Corbató, the system was implemented on an IBM 7094 and reportedly began using passwords by 1963. According to researcher Norman Hardy, who worked on the project, the security of passwords immediately became an issue as well: “I can vouch for some version of CTSS having passwords. It was in the second edition of the CTSS manual, I think, that illustrated the login command. It had Corby’s user name and password. It worked—and he changed it the same day.”

Passwords were widely in use by the early 1970s as the “hacker” culture began to develop, possibly in tacit opposition to the ARPANET. Now, with the explosion of the Internet, the use of passwords and the quantity of confidential data that those passwords protect have grown exponentially. But just as the 40 thieves’ password protection system was breached (the cave could not differentiate between Ali Baba’s voice and those of the thieves), computer password systems have also been plagued by a number of vulnerabilities. Although strong password authentication has remained a “hard” problem in cryptography despite advances in both symmetric (secret-key) and asymmetric (public-key) cryptosystems, the history of password authentication is replete with examples of weak, easily compromised systems. In general, “weak” authentication systems are characterized by protocols that either leak the password directly over the network or leak sufficient information while performing authentication to allow intruders to deduce or guess at the password.
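The distinction drawn above, between a protocol that sends the password itself and one that only proves knowledge of it, as an added example that is not part of the original chapter: a constructed single-user table and two simulated login exchanges in Python, with a `wire` list standing in for whatever a passive observer on the network path can capture. The user name, the password, the message layout and the use of HMAC-SHA256 for the response are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed server-side credential table (example data, not from the text).
SERVER_SECRET_TABLE = {"alice": "correct horse battery staple"}


def weak_login(user: str, password: str, wire: list) -> bool:
    """Weak protocol: the client sends the password itself, so anything on the
    path (modelled here by appending every message to `wire`) sees it directly."""
    wire.append({"from": "client", "user": user, "password": password})
    ok = SERVER_SECRET_TABLE.get(user) == password
    wire.append({"from": "server", "result": ok})
    return ok


def challenge_response_login(user: str, password: str, wire: list) -> bool:
    """Challenge-response: the server sends a fresh random nonce and the client
    answers with HMAC(password, nonce). The password never crosses the wire;
    only the nonce and the tag do."""
    nonce = secrets.token_bytes(16)
    wire.append({"from": "server", "challenge": nonce.hex()})
    tag = hmac.new(password.encode(), nonce, hashlib.sha256).hexdigest()
    wire.append({"from": "client", "user": user, "response": tag})
    stored = SERVER_SECRET_TABLE.get(user, "")
    expected = hmac.new(stored.encode(), nonce, hashlib.sha256).hexdigest()
    ok = hmac.compare_digest(tag, expected)  # constant-time comparison
    wire.append({"from": "server", "result": ok})
    return ok


def password_visible_on_wire(wire: list, password: str) -> bool:
    """What a passive observer learns: does the password itself appear in any
    field of any captured message?"""
    return any(password in str(value) for msg in wire for value in msg.values())


if __name__ == "__main__":
    for login in (weak_login, challenge_response_login):
        captured: list = []
        login("alice", "correct horse battery staple", captured)
        print(login.__name__, "exposes password:",
              password_visible_on_wire(captured, "correct horse battery staple"))
```

The challenge-response exchange removes the first weakness named above (the password itself on the wire) but not the second: the captured nonce and tag are a deterministic function of the password, so a transcript still leaks enough to check guesses offline, which is why the text calls strong password authentication a "hard" problem rather than a solved one.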

Green Book: The Need for Accountability
In 1983, the U.S. Department of Defense Computer Security Center (CSC) published the venerable tome Trusted Computer System Evaluation Criteria, also known as the Orange Book. This publication defined the assurance requirements for security protection of computer systems that were to be used in processing classified or other sensitive information. One major requirement imposed by the Orange Book was accountability: “Individual accountability is the key to securing and controlling any system that processes information on behalf of individuals or groups of individuals” (Latham, 1985).
The Orange Book clarified accountability as follows:

Individual user identification: Without this, there is no
way to distinguish the actions of one user on a system
from those of another.
Authentication: Without this, user identification has no
credibility. And without a credible identity, no security
policies can be properly invoked because there is no
assurance that proper authorizations can be made.

The CSC went on to publish the Password Management Guideline (also known as the Green Book) in 1985 “to assist in providing that much needed credibility of user identity by presenting a set of good practices related to the design, implementation and use of password-based user authentication mechanisms.” The Green Book outlined a number of steps that system security administrators should take to ensure password security on the system and suggested that, whenever possible, they be automated. These include the following 10 rules (Brotzman, 1985):

System security administrators should change the passwords for all standard user IDs before allowing the general user population to access the system.

A new user should always appear to the system as having an “expired password” which will require the user to change the password by the usual procedure before receiving authorization to access the system.

Each user ID should be assigned to only one person. No two people should ever have the same user ID at the same time, or even at different times. It should be considered a security violation when two or more people know the password for a user ID.

Users need to be aware of their responsibility to keep passwords private and to report changes in their user status, suspected security violations, etc. Users should also be required to sign a statement to acknowledge understanding of these responsibilities.

Passwords should be changed on a periodic basis to counter the possibility of undetected password compromise.

Users should memorize their passwords and not write them on any medium. If passwords must be written, they should be protected in a manner that is consistent with the damage that could be caused by their compromise.

Stored passwords should be protected by access controls provided by the system, by password encryption, or by both.
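The practices above, as an added Python example that is neither the Green Book's nor this chapter's own code: a small account store that makes every new user appear with an expired password, refuses to assign a user ID to a second person even after the first has left, enforces periodic password change, and keeps only a salted one-way hash of each password (PBKDF2-HMAC-SHA256, the modern form of the "password encryption" the rule refers to) rather than the password itself. The 90-day maximum age, the PBKDF2 work factor, the day-number clock and all user names are assumptions; the excerpt above specifies none of them.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed policy values; the Green Book rules quoted above name neither.
MAX_PASSWORD_AGE_DAYS = 90
PBKDF2_ITERATIONS = 200_000


@dataclass
class Account:
    owner: str            # the one person this user ID is assigned to
    salt: bytes           # per-account random salt
    digest: bytes         # PBKDF2 hash of the password; the password itself is never stored
    changed_on_day: int   # day number (assumed clock) of the last password change
    must_change: bool     # True until the user has chosen a password of their own


class AccountStore:
    """Hypothetical account store applying four of the Green Book practices."""

    def __init__(self) -> None:
        self._accounts: dict[str, Account] = {}
        self._retired_ids: set[str] = set()

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def create_user(self, user_id: str, owner: str, initial_password: str, today: int) -> None:
        # One person per user ID, and an ID is never handed to a second person later.
        if user_id in self._accounts or user_id in self._retired_ids:
            raise ValueError(f"user ID {user_id!r} is already assigned or was assigned before")
        salt = os.urandom(16)
        # A new user appears with an expired password: must_change starts True.
        self._accounts[user_id] = Account(owner, salt, self._hash(initial_password, salt), today, True)

    def retire_user(self, user_id: str) -> None:
        """Remove an account but remember the ID so it cannot be reassigned."""
        if self._accounts.pop(user_id, None) is not None:
            self._retired_ids.add(user_id)

    def _matches(self, acct: Account, password: str) -> bool:
        return hmac.compare_digest(self._hash(password, acct.salt), acct.digest)

    def authenticate(self, user_id: str, password: str, today: int) -> str:
        """Returns 'ok', 'must_change', 'expired' or 'denied'."""
        acct = self._accounts.get(user_id)
        if acct is None or not self._matches(acct, password):
            return "denied"
        if acct.must_change:
            return "must_change"   # authorization withheld until the password is changed
        if today - acct.changed_on_day > MAX_PASSWORD_AGE_DAYS:
            return "expired"       # periodic change to limit undetected compromise
        return "ok"

    def change_password(self, user_id: str, old: str, new: str, today: int) -> bool:
        """The usual change procedure: allowed even while must_change is set."""
        acct = self._accounts.get(user_id)
        if acct is None or not self._matches(acct, old) or new == old:
            return False
        acct.salt = os.urandom(16)
        acct.digest = self._hash(new, acct.salt)
        acct.changed_on_day = today
        acct.must_change = False
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.create_user("u1", "Alice", "initial-pw", today=0)
    print(store.authenticate("u1", "initial-pw", today=0))       # must_change
    store.change_password("u1", "initial-pw", "new-pw-xyz", today=1)
    print(store.authenticate("u1", "new-pw-xyz", today=1))       # ok
    print(store.authenticate("u1", "new-pw-xyz", today=100))     # expired
```

Only the "expired", "must_change" and "denied" states are distinguished here; a real system would also rate-limit failed attempts and log them, which belongs with the accountability requirement discussed above rather than with password storage.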