The Internet Encyclopedia (Volume 3)


Passwords should be encrypted immediately after entry, and the memory containing the plaintext password should be erased immediately after encryption. Only the encrypted password should be used in comparisons. There is no need to be able to decrypt passwords. Comparisons can be made by encrypting the password entered at login and comparing the encrypted form with the encrypted password stored in the password database.

The system should not echo passwords that users type in, or at least should mask the entered password (e.g., with asterisks).

PASSWORD SECURITY—BACKGROUND

Information Theory
Cryptography is a powerful mechanism for securing data and keeping them confidential. The idea is that the original message is scrambled via an algorithm (or cipher), and only those with the correct key can unlock the scrambled message and get back the plaintext contents. In general, the strength of a cryptographic algorithm is based on the length and quality of its keys. Passwords pose a similar problem: the greater their length and quality, the more difficult they should be to attack, whether by dictionary, hybrid, or brute-force attacks. However, the quality of a password, just like the quality of a cryptographic key, is based on entropy. Entropy is a measure of disorder.

An example of entropy
Say a user is filling out a form on a Web page (see Figure 2). The form has a space for “Sex,” and leaves six characters for entering either “female” or “male” before encrypting the form entry and sending it to the server. If each character is a byte (i.e., 8 bits), then 6 × 8 = 48 bits will be sent for this response. Is this how much information is actually contained in the field, though?

Clearly, there is only one bit of data represented by the entry—a binary value—either male or female. That means that there is only one bit of entropy (or uncertainty) and there are 47 bits of redundancy in the field. This redundancy could be used by a cryptanalyst (someone who analyzes cryptosystems) to help crack the key.

Figure 2: Sample Web page entry form.

Fundamental work by Claude Shannon during the 1940s illustrated this concept, that is, that the amount of information in a message is not necessarily a function of the length of a message (or the number of symbols used in the message) (Sloane & Wyner, 1993). Instead, the amount of information in a message is determined by how many different possible messages there are and how frequently each message is used.

The same concepts apply to password security. A longer password is not necessarily a better password. Rather, a password that is difficult to guess (i.e., one that has high entropy) is best. This usually comes from a combination of factors (see “Guidelines for selecting a good password”). The probability that any single attempt at guessing a password will be successful is one of the most critical factors in a password system. This probability depends on the size of the password space and the statistical distribution within that space of passwords that are actually used.

Over the past several decades, Moore’s Law has made it possible to brute-force password spaces of larger and larger entropy. In addition, there is a limit to the entropy that the average user can remember. A user cannot typically remember a 32-character password, but that is what is required to have the equivalent strength of a 128-bit key. Recently, password cracking tools have advanced to the point of being able to crack nearly anything a system could reasonably expect a user to memorize (see “Password Length and Human Memory”).
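
The entropy arguments of this section, worked through as an added example that is not part of the encyclopedia text: it computes the one bit of entropy and 47 bits of redundancy in the form field, then shows how the same eight-password space gives a very different single-guess success probability when usage is skewed. The user counts and password names are constructed, the function names are hypothetical, and 4 bits per character is the figure implied by the 32-character/128-bit comparison above.

```python
import math

def shannon_entropy_bits(counts):
    """H = -sum(p * log2(p)) over the observed values, in bits."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values() if c)

def best_guess_probability(counts):
    """Probability that a single guess of the most common value succeeds."""
    return max(counts.values()) / sum(counts.values())

def redundancy_bits(counts, encoded_bits):
    """Bits transmitted or stored beyond the information actually carried."""
    return encoded_bits - shannon_entropy_bits(counts)

def chars_for_key_strength(key_bits, bits_per_char):
    """Password length needed to match a key of key_bits bits."""
    return math.ceil(key_bits / bits_per_char)

# Constructed data: the six-byte "Sex" field, both answers equally likely.
SEX_FIELD = {"female": 50, "male": 50}

# Constructed data: 1024 users choosing among eight passwords. The same space
# is used twice, once evenly and once with a heavy skew toward one favourite.
UNIFORM = {f"pw{i}": 128 for i in range(8)}
SKEWED = dict(zip(UNIFORM, [512, 256, 128, 64, 32, 16, 8, 8]))

if __name__ == "__main__":
    print("field entropy :", shannon_entropy_bits(SEX_FIELD), "bit")
    print("redundancy    :", redundancy_bits(SEX_FIELD, 6 * 8), "bits")
    for name, dist in (("uniform", UNIFORM), ("skewed", SKEWED)):
        print(name, shannon_entropy_bits(dist), best_guess_probability(dist))
    print("chars for 128 bits at 4 bits/char:", chars_for_key_strength(128, 4))
```

The space has eight members in both cases, but the skewed population carries under two bits of entropy and its most popular password succeeds on half of all first guesses.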

Cryptographic Protection of Passwords
Early on, the most basic and least secure method of authentication was to store passwords in plaintext (i.e., unencrypted) in a database on the server. During authentication, the client would send his or her password to the server, and the server would compare this against the stored value. Obviously, however, if the password file were accessible to unauthorized users, the security of the system could be easily compromised.

In later systems, developers discovered that a server did not have to store a user’s password in plaintext form in order to perform password authentication. Instead, the user’s password could be transformed through a one-way function, such as a hashing function, into a random-looking sequence of bytes. Such a function would be difficult to invert. In other words, given a password, it would be easy to compute its hash, but given a hash, it would be computationally infeasible to compute the password from it (see “Hashing”). Authentication would consist merely of performing the hash function over the client’s password and comparing it to the stored value. The password database itself could be made accessible to all users without fear of an intruder being able to steal passwords from it.
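
A sketch of the store-and-compare scheme described above, together with the earlier guideline to transform the password on entry and erase the plaintext, given as an added example that is not from the encyclopedia. It goes beyond the plain hash the text describes by using salted PBKDF2-HMAC-SHA256; the function names, the in-memory dict standing in for the password database, and the iteration count are assumptions, and the erase is best effort because Python may hold other copies of the bytes.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example

def derive(password: bytearray, salt: bytes) -> bytes:
    """One-way transform: easy to compute, infeasible to invert."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)

def wipe(buf: bytearray) -> None:
    """Overwrite the plaintext buffer in place (best effort in Python)."""
    for i in range(len(buf)):
        buf[i] = 0

def enroll(db: dict, user: str, password: bytearray) -> None:
    """Store only (salt, derived value); the plaintext is never kept."""
    salt = os.urandom(16)
    try:
        db[user] = (salt, derive(password, salt))
    finally:
        wipe(password)

def verify(db: dict, user: str, password: bytearray) -> bool:
    """Transform the login attempt and compare transformed values only."""
    # Unknown users still pay for one derivation, so timing does not
    # reveal which account names exist.
    salt, stored = db.get(user, (b"\x00" * 16, b""))
    try:
        candidate = derive(password, salt)
    finally:
        wipe(password)
    # Constant-time comparison; unequal lengths simply compare as False.
    return hmac.compare_digest(candidate, stored)

if __name__ == "__main__":
    db = {}
    entered = bytearray(b"correct horse")  # constructed sample password
    enroll(db, "alice", entered)
    print("buffer after enroll:", bytes(entered))
    print("good login:", verify(db, "alice", bytearray(b"correct horse")))
    print("bad login :", verify(db, "alice", bytearray(b"wrong guess")))
```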

Hashing
A hash function is an algorithm that takes a variable-length string as the input and produces a fixed-length value (hash) as the output. The challenge for a hashing algorithm is to make this process irreversible; that is, finding