Security - Password

> Software Security > (Authentication|Access control|Identification) - AuthN

1 - About

Password credentials (i.e., username and password) is something you know.

Advertising

3 - Password vs Cryptographic Key

Password Cryptographic Key
multi-factor authentication context something you know something you have
Input manual automated (not meant to input manually)
Data Type text binary data
Complexity Low High
Memorization Easy Hard

Passwords were created to be memorized by human beings (low-entropy) where a key were created to be use in automated process by computer. They are too complex and random to be memorized.

Passwords are text whereas cryptographic keys are binary data (even if serialized and deserialized as text via for instance base64) and are generally not meant to input manually.

In a multi-factor authentication context,

  • passwords are something you know
  • cryptographic keys are something you have.

4 - Strategy

Advertising

5 - Password Storage

Any computer system that requires password authentication must contain a database of passwords, either hashed or in plaintext.

Because the tables are vulnerable to theft, storing the plaintext password is dangerous.

Most databases, therefore, store a cryptographic hash (ciphertext) of a user's password in the database.

In such a system, no one— including the authentication system— can determine what a user's password is by merely looking at the value stored in the database.

Instead, when a user enters his or her password for authentication, it is encrypted (hashed), and that output is compared to the stored entry for that user (which was hashed before being saved). If the two hashes match, access is granted.

5.1 - Two-way function

An encrypted copy of the password encrypted and unencrypted to plaintext for use with authentication methods such as Digest authentication.

The passwords are stored in encrypted form and they can only be decrypted by the application to provide access in authorized circumstances.

These protections, however, cannot prevent a malicious user with application access level from illicitly extracting them in the same manner that the application would do for legitimate use.

5.2 - One-way hash function

See Function - One way

This hashing function is designed to always produce the same result from the same password input, and to minimize collisions where two different passwords can produce the same result. This hash is always the same length and cannot be directly decrypted to reveal the plaintext password.

To protect against brute-force attacks, users who authenticate with passwords should set strong passwords or passphrases that include characters from multiple sets and are as long as the user can easily remember. See Password Technical Overview

Advertising

6 - Lib

  • Java from console. If an application needs to read a password or other secure data, it should use readPassword() or readPassword(String, Object…) and manually zero the returned character array after processing to minimize the lifetime of sensitive data in memory.
 Console cons;
 char[] passwd;
 if ((cons = System.console()) != null &&
     (passwd = cons.readPassword("[%s]", "Password:")) != null) {
     ...
     java.util.Arrays.fill(passwd, ' ');
 }

7 - History

The MIT's Time-Sharing Computer is considered to be the first computer system to use passwords. https://www.wired.com/2012/01/computer-password/

8 - Password Expiration

9 - Standard

10 - Documentation / Reference

security/auth/password.txt · Last modified: 2019/07/09 09:10 by gerardnico