Monday 28 November 2011

Passwords

The cheapest and easiest way to protect any kind of computer system is with that old standby: the password. Even computers that under normal circumstances have no need for security features often come equipped with password protection simply because it feels good to use and doesn't cost much in terms of time, effort or storage space to implement. Furthermore, systems which are protected by other means - by magnetic cards or by software alternatives such as encryption - will double or triple the security of their assets through the use of a password system.

Thus, on practically all computer setups you are likely to encounter passwords of one form or another.

Passwords are usually thought of as the entrance keys to a computer system, but they are also used for other purposes: to enable write access to drives, as encryption keys, to allow decompression of files, and in other instances where it is important to ensure that it is the legitimate owner or user who is attempting an action.

There are seven main classifications of passwords.
They are:
• User supplied passwords
• System generated random passwords
• System generated random passcodes
• Half and halves
• Pass phrases
• Interactive question-and-answer sequences
• Predetermined by code-indicating coordinates

If you intend to hack a computer installation you will first have to figure out which of these seven password types are used by that system. The first type is the most common; generally users are asked to think up a personal password for themselves.

System generated random passwords and codes may be of several kinds. The system software may supply a completely random sequence of characters - random to the point of cases, digits, punctuation symbols and length all being determined on the fly - or restraints may be used in the generating procedures, such that each passcode conforms to a prearranged constitution (like "abc-12345-efgh" where letters and numbers are randomly generated). Or, computer-produced passwords may be taken randomly from a list of words or nonsense syllables supplied by the program authors, thus creating passwords like "nah.foop" or "car-back-tree".

Half and halves are partially user-supplied, while the rest is composed by some random process. This means that even if a user supplies the easily guessed password "secret," the computer will tack on some abstruse gibberish at the end, forming a more secure password such as "secret/5rhll".

Pass phrases are good in that they are long and hard to guess, but easily remembered. Phrases may be coherent, such as "we were troubled by that," or they may be nonsensical: "fished up our nose." Pass phrases are used when the manager of a site is particularly security-conscious. Usually you don't see pass phrases required by a system, although the programming required to enforce a pass phrase rule is trivial.

Related to the pass phrase concept is the phrase acronym, which security experts have been applauding as a short but equally safe form of password. In a phrase acronym, the user takes an easily remembered sentence, phrase, line from a song or poem or other such thing, and uses the first letter of each word as the password.

For example, the acronyms for the two pass phrases above would be "wwtbt" and "fuon." You can see that innovations in password theory such as this will greatly increase the difficulty hackers will encounter in future electronic espionage.
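To put numbers on the generated passcodes, half and halves and phrase acronyms described above, the following added example (not part of the original text) estimates the guess space of each scheme in bits. The template notation, the 2048-entry word list, and the 36-character suffix alphabet are assumptions made for illustration.

```python
import math

# Template notation is an assumption of this example:
# 'a' = one random lowercase letter, '9' = one random digit, other chars are fixed.
CLASS_SIZES = {"a": 26, "9": 10}


def template_bits(template):
    """Entropy of a system-generated passcode that follows a fixed layout."""
    return sum(math.log2(CLASS_SIZES[c]) for c in template if c in CLASS_SIZES)


def wordlist_bits(list_size, words):
    """Entropy of `words` entries drawn uniformly from a list of `list_size`."""
    return words * math.log2(list_size)


def half_and_half_bits(suffix_len, alphabet_size=36):
    """Count only the random suffix: the user-chosen half may be guessable."""
    return suffix_len * math.log2(alphabet_size)


def acronym(phrase):
    """First letter of each word, as in the phrase-acronym scheme."""
    return "".join(word[0] for word in phrase.split())


def acronym_bits_upper_bound(phrase):
    """Upper bound: treats every initial as a uniformly random letter.
    Real phrases score lower, since word initials are not uniform."""
    return len(acronym(phrase)) * math.log2(26)


def rank_schemes():
    """Return (scheme, bits) pairs, weakest first, for the page's examples."""
    schemes = {
        'template "abc-12345-efgh"': template_bits("aaa-99999-aaaa"),
        'word list "car-back-tree" (assumed 2048 words)': wordlist_bits(2048, 3),
        'half and half "secret/5rhll" (5 random chars)': half_and_half_bits(5),
        'phrase acronym "fuon"': acronym_bits_upper_bound("fished up our nose"),
    }
    return sorted(schemes.items(), key=lambda kv: kv[1])


if __name__ == "__main__":
    for name, bits in rank_schemes():
        print(f"{bits:5.1f} bits  {name}")
```

The acronym figure is a ceiling, not an estimate: it assumes a uniformly random letter per word, which a remembered sentence does not provide.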

The sixth password type, question-and-answer sequences, requires the user to supply answers to several (usually personal) questions: "Spouse's maiden name?", "Favorite color?", etc. The computer will have stored the answers to many such questions, and upon login will prompt for the answer to two or three of them. These question/answer sessions can be delicious to the hacker who is intimately familiar with the user whom he or she is attempting to impersonate. Systems which use question-and-answer sequences also tend to be programmed to interrupt users while online every X minutes, and require them to answer a question to reaffirm their validity. This can get pretty annoying, especially if someone's in the middle of an exciting online game when it happens. Q&A is used only rarely nowadays. When it was first proposed it seemed like a good idea, but the bothersome factor has resulted in this method being pretty much phased out.

Passwords which are predetermined by code-indicating coordinates usually rely on some external device, such as the code wheels used to deter software piracy. In any case, a set of key prompts is offered by the computer, and the user is required to return the appropriate responses to them. You'll often see this type of password being used on a system with once-only codes.

Once-only codes are passwords valid for only one access. Sometimes they are used as temporary guest accounts to demonstrate a system to potential clients. Once-only codes may also be employed by the system to allow actual users to log in for the first time; the users will then be expected to change their password from the one provided to a more secure, personal code. In situations where groups of people must log in, but security must be maintained, a list of once-only codes may be provided. Users then extract one code at a time, depending on external factors such as time, date or day. Maybe you can find a list of codes by going through the garbage of a place? The codes won't work anymore, but you'll get a sense of what the system expects from you.
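A minimal sketch of how a system can enforce the "valid for only one access" property, as an added example that is not from the original text. The class and function names are hypothetical; the store keeps only keyed digests of unused codes, so a discarded printout of spent codes is useless and a copy of the store does not reveal the codes still outstanding.

```python
import hashlib
import hmac
import secrets


def digest_code(key, code):
    """Keyed SHA-256 digest of a code; only this value is stored server-side."""
    return hmac.new(key, code.encode("utf-8"), hashlib.sha256).digest()


class OnceOnlyStore:
    """Server-side record of unused once-only codes (hypothetical name)."""

    def __init__(self, key, digests):
        self._key = key
        self._unused = set(digests)

    def remaining(self):
        return len(self._unused)

    def redeem(self, code):
        """Accept a code at most once; it is removed as soon as it is used."""
        candidate = digest_code(self._key, code)
        match = None
        for stored in self._unused:
            # Constant-time comparison avoids leaking digest prefixes via timing.
            if hmac.compare_digest(stored, candidate):
                match = stored
        if match is None:
            return False
        self._unused.discard(match)
        return True


def issue_codes(count, nbytes=8):
    """Generate `count` random codes; return (store, printable code list)."""
    key = secrets.token_bytes(32)
    codes = [secrets.token_hex(nbytes) for _ in range(count)]
    store = OnceOnlyStore(key, (digest_code(key, c) for c in codes))
    return store, codes


if __name__ == "__main__":
    store, codes = issue_codes(3)
    print("first use: ", store.redeem(codes[0]))
    print("second use:", store.redeem(codes[0]))
    print("codes left:", store.remaining())
```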