Security - Password

> Software Security > (Authentication|Access control|Identification) - AuthN

1 - About

Password credentials (i.e., username and password) is something you know.


3 - Strategy

4 - Password Storage

Any computer system that requires password authentication must contain a database of passwords, either hashed or in plaintext.

Because the tables are vulnerable to theft, storing the plaintext password is dangerous.

Most databases, therefore, store a cryptographic hash of a user's password in the database.

In such a system, no one— including the authentication system— can determine what a user's password is by merely looking at the value stored in the database.

Instead, when a user enters his or her password for authentication, it is hashed, and that output is compared to the stored entry for that user (which was hashed before being saved). If the two hashes match, access is granted.

4.1 - Two-way function

An encrypted copy of the password encrypted and unencrypted to plaintext for use with authentication methods such as Digest authentication.

The passwords are stored in encrypted form and they can only be decrypted by the application to provide access in authorized circumstances.

These protections, however, cannot prevent a malicious user with application access level from illicitly extracting them in the same manner that the application would do for legitimate use.


4.2 - One-way hash function

See Function - One way

This hashing function is designed to always produce the same result from the same password input, and to minimize collisions where two different passwords can produce the same result. This hash is always the same length and cannot be directly decrypted to reveal the plaintext password.

To protect against brute-force attacks, users who authenticate with passwords should set strong passwords or passphrases that include characters from multiple sets and are as long as the user can easily remember. See Password Technical Overview

5 - Lib

  • Java from console. If an application needs to read a password or other secure data, it should use readPassword() or readPassword(String, Object…) and manually zero the returned character array after processing to minimize the lifetime of sensitive data in memory.
 Console cons;
 char[] passwd;
 if ((cons = System.console()) != null &&
     (passwd = cons.readPassword("[%s]", "Password:")) != null) {
     java.util.Arrays.fill(passwd, ' ');

6 - History

The MIT's Time-Sharing Computer is considered to be the first computer system to use passwords.

7 - Password Expiration

8 - Standard

9 - Documentation / Reference

security/auth/password.txt · Last modified: 2019/04/27 14:19 by gerardnico