The IT Law Wiki
Advertisement

Definitions[]

A password is

[a] character string that enables a user to have full or limited access to a system or to a set of data.[1]
a character string used to authenticate an identity. Knowledge of the password that is associated with a user ID is considered proof of authorization to use the capabilities associated with that user ID.[2]
[a] string of characters containing letters, numbers, and other keyboard symbols that is used to authenticate a user's identity or authorize access to data. A password is generally known only to the authorized user who originated it.[3]
[a] protected/private character string used to authenticate an identity.[4]
confidential authentication information composed of a string of characters.[5]

Overview[]

A password is used for authentication, to prove identity or gain access to a resource, such as a network, email account or database.

The password must be kept secret from those not allowed access. Passwords are generally short enough to be easily memorized and typed.

User names and passwords are commonly used by people during a log in process that controls access to protected computer operating systems, mobile phones, cable TV decoders, automated teller machines (ATMs), etc. A typical computer user may require passwords for many purposes: logging in to computer accounts, retrieving e-mail from servers, accessing programs, databases, networks, websites, and even reading the morning newspaper online.

Despite the name, there is no need for passwords to be actual words; indeed passwords which are not actual words may be harder to guess, a desirable property. Some passwords are formed from multiple words and may more accurately be called a passphrase. The term passcode is sometimes used when the secret information is purely numeric, such as the personal identification number (PIN) commonly used for ATM access

Password systems can be effective if managed properly, but they seldom are. Authentication that relies solely on passwords has often failed to provide adequate protection for computer systems for a number of reasons. If users are allowed to make up their own passwords, they tend to choose ones that are easy to remember and therefore easy to guess. If passwords are generated from a random combination of characters, users often write them down because they are difficult to remember. Where password-only authentication is not adequate for an application, it is often used in combination with other security mechanisms.

PINs and passwords do not provide non-repudiation, confidentiality, or integrity.

Security[]

Passwords pose serious security challenges. They are a commonly used form of authentication and are the quintessential example of “something you know.” They require no specialized hardware or training and can be distributed, maintained, and updated by telephone, fax, or e-mail. But they do have serious disadvantages, among them susceptibility to guessing and to theft. In addition, passwords generally do not change without human intervention, leaving them open to compromise.

Passwords are also easily shared, either intentionally or inadvertently (when written down near a computer, for example), and a complex, expensive infrastructure is necessary to enable resetting lost (forgotten) passwords. Because people have trouble remembering a large number of names and passwords, there is a trend either toward name and password reuse across systems, which undermines privacy (and security), or toward the creation of centralized systems to keep track of these names and passwords, which has the same negative centralization effect with respect to privacy and linkage.[6]

"To counter the vulnerability of simple alphanumeric passwords, many organizations require the use of complex passwords containing a combination of numbers, letters and special characters. Depending on an organization's policy, passwords may need to be changed frequently or be unique to one system. These password management practices attempt to increase overall security but often come at a significant cost to individuals and organizations. Individuals may manage the difficulty of remembering many complicated passwords by writing them down on paper or in an electronic file. This practice negates overall system security. Forgotten passwords can significantly add to internal costs through an increased need for help desk staffing as well as lost productivity."[7]

References[]

  1. U.S. Food and Drug Administration, Glossary of Computerized System and Software Development Technology 22 (Aug. 1995) (full-text).
  2. DoD Password Management Guideline (CSC-STD-002-85) (Apr. 12, 1985) (full-text).
  3. Practices for Securing Critical Information Assets, Glossary, at 56.
  4. Department of Defense, National Computer Security Center, Glossary of Computer Security Terms (NCSC-TG-004, Ver. 1) (Oct. 21, 1988).
  5. 45 C.F.R. §164.304.
  6. Who Goes There?: Authentication Through the Lens of Privacy, at 4.
  7. The National Biometrics Challenge, at 9.

See also[]


This page uses Creative Commons Licensed content from Wikipedia (view authors). Smallwikipedialogo.png
Advertisement