The Internet Encyclopedia (Volume 3)

WL040C-01 WL040/Bidgoli-Vol III-Ch-01 June 24, 2003 10:39 Char Count= 0


GLOSSARY 11

also introduce measures to mitigate sniffing, such as network segmentation and desktop automated inventory for sniffers and other tools. Finally, for strongest security, a system could encrypt all network traffic with IPSec on every desktop and server. Dr. Tippett states: “If the Promised Land is robust authentication, you can’t get there with passwords alone, no matter how ‘strong’ they are. If you want to cut costs and solve problems, think clearly about the vulnerability, threat and cost of each risk, as well as the costs of the purported mitigation. Then find a way to make mitigation cheaper with more of a security impact” (Tippett, 2001).

CONCLUSION
Passwords have been widely used in computing systems since the 1960s; password security issues have followed closely behind. Now, the increased and very real threat of cybercrime necessitates higher security for many networks that previously seemed safe. Guaranteeing accountability on networks—i.e., uniquely identifying and authenticating users’ identities—is a fundamental need for modern e-commerce. Strengthening password security should be a major goal in an organization’s overall security framework. Basic precautions (policies, procedures, filtering mechanisms, encryption) can help reduce risks from password weaknesses. However, lack of user buy-in and the rapid growth of sophisticated cracking tools may make any measure taken short-lived. Additional measures, such as biometrics, certificates, tokens, smart cards, and other means can be very effective for strengthening authentication, but the tradeoff is additional financial burden and overhead. It is not always an easy task to convince management of the inherent return on these technologies, relative to other system priorities. In these instances, organizations must secure their passwords accordingly and do the best they can with available resources.

GLOSSARY
Access control The process of limiting access to system information or resources to authorized users.
Accountability The property of systems security that enables activities on a system to be traced to individuals who can then be held responsible for their actions.
ARPANET The network first constructed by the Advanced Research Projects Agency of the U.S. Department of Defense (ARPA), which eventually developed into the Internet.
Biometrics Technologies for measuring and analyzing living human characteristics, such as fingerprints, especially for authentication purposes. Biometrics are seen as a replacement for or augmentation of password security.
Birthday paradox The concept that it is easier to find two unspecified values that match than it is to find a match to some particular value. For example, in a room of 25 people, if one person tried to find another person with the same birthday, there would be little chance of a match. However, there is a very good chance that some pair of people in the room will have the same birthday.
Brute force A method of breaking encryption by trying every possible key. The feasibility of a brute-force attack depends on the key length of the cipher and on the amount of computational power available to the attacker. In password cracking, tools typically use brute force to crack password hashes after attempting dictionary and hybrid attacks, to try every remaining possible combination of characters.
CERT Computer Emergency Response Team. An organization that provides Internet security expertise to the public. CERT is located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University. Its work includes handling computer security incidents and vulnerabilities and publishing security alerts.
Cipher A cryptographic algorithm that encodes units of plaintext into encrypted text (or ciphertext) through various methods of diffusion and substitution.
Ciphertext An encrypted file or message. After plaintext has undergone encryption to disguise its contents, it becomes ciphertext.
Crack, cracking Traditionally, using illicit (unauthorized) actions to break into a computer system for malicious purposes. More recently, either the art or science of trying to guess passwords, or copying commercial software illegally by breaking its copy protection.
CTSS Compatible Time Sharing System. An IBM 7094 timesharing operating system created at MIT Project MAC and first demonstrated in 1961. May have been the first system to use passwords.
Dictionary attack A password-cracking technique in which the cracker creates or obtains a list of words, names, etc., derives hashes from the words in the list, and compares the hashes with those captured from a system user database or by sniffing.
Entropy In information theory, a measure of uncertainty or randomness. The work of Claude Shannon defines it in bits per symbol.
Green Book The 1985 U.S. DoD CSC-STD-002-85 publication Password Management Guideline, which defines good practices for safe handling of passwords in a computer system.
Hybrid attack A password-cracking technique that usually takes place after a dictionary attack. In this attack, a tool will typically iterate through its word list again, adding certain combinations of a few characters to the beginning and end of each word prior to hashing. This attempt gleans any passwords that a user has created by simply appending random characters to a common word.
Kerberos A network authentication protocol developed at MIT to provide strong authentication for client/server applications using secret-key cryptography. It keeps passwords from being sent in the clear during network communications and requires users to obtain “tickets” to use network services.
MAC Message authentication code, a small block of data derived by using a cryptographic algorithm and secret key that provides a cryptographic checksum for the input data. MACs based on cryptographic hash functions are known as HMACs.
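The room of 25 people from the Birthday paradox entry worked through numerically, as an added example that is not part of the encyclopedia text. It assumes 365 equally likely birthdays, and the last function carries the same counting argument over to n-bit hash outputs, where the paradox sets the collision bound that matters for password hashes and MACs.

```python
import math

DAYS = 365  # constructed assumption: no leap days, birthdays uniformly distributed


def prob_specific_match(people, days=DAYS):
    """Chance that one chosen person shares a birthday with at least one of
    the other people in the room: 1 - (1 - 1/days)^(people - 1)."""
    return 1.0 - (1.0 - 1.0 / days) ** (people - 1)


def prob_any_match(people, days=DAYS):
    """Chance that *some* pair in the room shares a birthday:
    1 - prod_{i=0}^{people-1} (days - i) / days."""
    if people > days:
        return 1.0  # pigeonhole: a match is certain
    p_no_match = 1.0
    for i in range(people):
        p_no_match *= (days - i) / days
    return 1.0 - p_no_match


def people_for_half_chance(days=DAYS):
    """Smallest room size at which some pair is more likely than not to match."""
    n = 1
    while prob_any_match(n, days) < 0.5:
        n += 1
    return n


def hash_collision_half_chance(bits):
    """The same paradox applied to an n-bit hash: the number of random inputs
    that gives a 50% chance of two colliding is about sqrt(2 ln 2 * 2^bits),
    i.e. roughly 1.18 * 2^(bits/2), far below the 2^bits a specific-target
    search would need."""
    return math.sqrt(2 * math.log(2) * 2.0 ** bits)


if __name__ == "__main__":
    print("one person vs. the other 24: %.3f" % prob_specific_match(25))
    print("any pair among 25:           %.3f" % prob_any_match(25))
    print("room size for a coin flip:   %d" % people_for_half_chance())
    print("128-bit hash, 50%% collision: ~2^%.1f inputs"
          % math.log2(hash_collision_half_chance(128)))
```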
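A password filter of the kind the conclusion lists among the basic precautions ("filtering mechanisms"), as an added example that is not from the encyclopedia. It rejects the passwords the Dictionary attack, Hybrid attack and Entropy entries describe: plain wordlist entries, wordlist entries with a few characters added at either end, and repetitive strings with little Shannon entropy per symbol. The wordlist, affix width and thresholds are constructed assumptions.

```python
import math
from collections import Counter

# Constructed sample wordlist; a real filter would load a full cracking dictionary.
WORDLIST = {"password", "welcome", "dragon", "summer", "letmein", "monkey", "qwerty"}
MAX_AFFIX = 3  # the glossary's hybrid attack adds "a few characters" at either end


def shannon_entropy_per_symbol(password):
    """Shannon entropy of the password's own character frequencies, in bits per
    symbol: 0.0 for 'aaaaaaaa', log2(len) when every character is distinct."""
    if not password:
        return 0.0
    n = len(password)
    return -sum(c / n * math.log2(c / n) for c in Counter(password).values())


def dictionary_core(password, wordlist=WORDLIST, max_affix=MAX_AFFIX):
    """Return the wordlist entry a dictionary or hybrid attack would recover from
    `password`, or None. Mirrors the hybrid pass: peel up to max_affix characters
    off the front and the back and look the remainder up, case-insensitively."""
    lowered = password.lower()
    for pre in range(max_affix + 1):
        for suf in range(max_affix + 1):
            core = lowered[pre:len(lowered) - suf]
            if len(core) >= 3 and core in wordlist:
                return core
    return None


def check_password(password, min_len=8, min_entropy=2.0):
    """Filter in the spirit of the Green Book: list every reason a candidate
    password should be rejected (an empty list means it passes)."""
    reasons = []
    if len(password) < min_len:
        reasons.append("shorter than %d characters" % min_len)
    core = dictionary_core(password)
    if core == password.lower():
        reasons.append("dictionary word: %r" % core)
    elif core is not None:
        reasons.append("dictionary word with affix: %r" % core)
    if shannon_entropy_per_symbol(password) < min_entropy:
        reasons.append("repetitive: under %.1f bits per symbol" % min_entropy)
    return reasons


if __name__ == "__main__":
    for candidate in ["welcome", "Password123", "xyDragon", "abababab", "Tr0ub4dor&3"]:
        print("%-12s %s" % (candidate, check_password(candidate) or "ok"))
```

The affix width here matches the "few characters" the glossary describes; a production filter would widen it and use a far larger wordlist, since anything the filter misses is exactly what a hybrid pass will find.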