A password is a form of authentication which uses secret data to control access to a resource. The password is kept secret from those not allowed access, and those wishing to gain access are tested on whether or not they know the password and are granted or denied access accordingly. The use of passwords goes back to ancient times. Sentries guarding a location would challenge for a password. They would only allow a person in if they knew the password. In modern times, passwords are used to access control to protected computer operating systems, mobile phones, cable TV decoders, Automated Teller Machine (ATMs), etc. A typical computer user may require passwords for many purposes, including logons to computer accounts, retrieving email from servers, accessing databases, networks and web sites, even reading the morning newspaper online. Despite the name, there is no need for passwords to be actual words; indeed passwords which are not actual words are harder to guess (a desirable property). Note that ''password'' is often used to describe what would be more accurately called a pass phrase. Passcode is sometimes taken to imply that the information used is purely numeric, such as the personal identification number (PIN) commonly used for ATM access. Passwords are generally short enough to be memorized. ==Security and convenience== In controlling access to anything, a trade-off is made between security and convenience. If a resource is protected by a password, then security is increased with a consequent loss of convenience for users. The amount of security and inconvenience inherent in a particular password policy are affected by several factors addressed below. However, there is no one best way to set a proper balance between security and convenience. Some password protected systems pose little or no risk to a user if compromised, for example a password allowing access to a free information web site. Others pose modest economic or privacy risk, a password used to access e-mail or a security lock code for a mobile telephone. Still others could have very serious consequences if compromised, such as passwords used to limit access to AIDS treatment records or control a power transmission grid. ==Factors in the security of a password system== The security of a password-protected system depends on several factors. The system must, of course, be designed for sound overall security. See computer security and computer insecurity. Here are some password management issues that must be considered: ===Rate at which an attacker can try out guessed passwords=== The rate at which an attacker can submit guessed passwords is a key factor in determining system security. Some systems impose a long time out after a small number (e.g. 3) of failed password entry attempts. Absent other vulnerabilities, such systems can be secure with relatively simple passwords as long as they are not easily guessed. Examples of passwords that are easily guessed include the name of a relative or pet, automobile license plate numbers and default passwords such as ''admin'' or ''1234''. Other systems store or transmit a cryptographic hash of the password in a manner that makes the hash value accessible to an attacker. When this is done, and it is common, an attacker can try out passwords at a very high rate, perhaps using widely available lists of common passwords. Passwords that are used to generate cryptographic keys, e.g for disk encryption or Wi-Fi security, are also subject to high rate guessing. Stronger passwords are needed in these systems. ===Form of stored passwords=== Some systems store passwords as plain text. If an attacker gains access to the password file, all passwords are compromised. If some users employ the same password for multiple accounts, those will be compromised as well. Better systems store each password in a cryptographically protected form, so access to the actual password will be difficult for a snooper who gains internal access to the system, whilst validation still remains possible. A common cryptographic scheme stores only a "hashed" form of the plaintext password. When a user types in a password on such a system, it is run through the hashing algorithm, and if the hash value generated from the user's entry matches the hash stored in the password database, the user is permitted access. The hash value is created by applying a cryptographic hash function to a string consisting of the password and, usually, another value known as a salt (cryptography). The salt prevents attackers from building a list of hash values for common passwords. MD5 and SHA1 are frequently used cryptographic hash functions. A modified version of DES was used in early Unix systems. If the hash function is well designed, it is computationally infeasible to reverse it to find the plaintext directly. However, if an attacker can gain access to the hashed values (and many systems do not protect them adequately), he can use widely available tools which compare the encrypted outcome of every word from some collection, such as a dictionary. Long lists of possible passwords in many languages are widely available and the tools try common variations as well. These dictionary attack tools demonstrate by existence the relative strengths of different password choices against such attacks. Use of a key derivation function can reduce this risk. Unfortunately, there is a fundamental conflict between this use of hash functions and the needs of challenge-response authentication; the latter requires both parties to prove to each other that they know what the shared secret (the password) is, and to do this, the server end needs to be able to obtain the shared secret from its stored form. On Unix-type systems doing remote authentication, the shared secret becomes the hashed form of the password, not the unhashed form; if an attacker can obtain a copy of the hashed password, they will be able to access the system remotely, even without being able to determine what the original unhashed password was. ===Method of relaying password to the authenticator=== Passwords can be vulnerable to snooping while being transmitted to the authenticating machine or person. If the password is carried as electrical signals on unsecured physical wiring between the user access point and the central system controlling the password database, it is subject to snooping by Telephone tapping methods. If it is carried over the Internet, anyone able to watch the packets containing the logon information can snoop with very little possibility of detection. Cable modems may be more vulnerable to snooping than DSL and dialup connections, and ethernet may or may not be snoopable, depending particularly on the choice of networking hardware and wiring. Some organizations have noted a significant increase in stolen accounts after users began logging in over cable connections. The risk of interception of passwords sent over the Internet can be reduced with the Transport Layer Security (TLS, previously called SSL) feature built into many Internet browsers. Most browsers display a closed lock icon when TLS is in use. See cryptography for other ways in which the passing of information can be made more secure. ===Procedures for changing passwords=== Usually, a system must provide a way to change a password, either because a user believes the current password has been (or might have been) compromised, or as a precautionary measure. If a new password is passed to the system in an unencrypted form, security can be lost (e.g., via wiretapping) before the new password can even be installed in the password database. If the new password is given to a compromised employee, little is gained. Some web sites include the user-selected password in an unencrypted confirming e-mail message. Identity management systems are increasingly used to automate issuance of replacements for lost passwords. The user's identity is verified by asking questions and comparing the answers to ones previously stored. Typical questions include "Where were you born?," "What is your favorite movie?" or "What is the name of your pet?" In many cases the answers to these questions can be guessed, determined by research, or obtained through social engineering (computer security). While many users have been trained never to reveal a password, few consider the name of their favorite movie to require similar care. ===Longevity of a password=== Forcing users to change passwords frequently (quarterly, monthly or even more often) ensures that a valid password in the wrong hands will eventually become unusable. Many operating systems provide such features, though they are not universally used. Their security benefits are limited by because attackers often exploit a password as soon as it is compromised. In many cases, particularly with administrative or "root" accounts, once an attacker has gained access, he can make alterations to the operating system that will allow him future access even after the initial password he used expires. Forcing password change too frequently may make users more likely to forget which password is current, and there is a consequent temptation for users to either write their password down or to reuse an earlier password, which may negate any added security benefit. Implementing such a policy requires careful consideration of human factors. ===Number of users per password=== Sometimes a single password controls access to a device, for example, for a network router, or password-protected mobile phone. However, in the case of a computer security, a password is usually stored for each user name, thus making all access traceable (save, of course, in the case of users sharing passwords). A would-be user must give a name as well as a password. If the user supplies a password matching the one stored for the supplied user name, he or she is permitted further access into the computer system. This is also the case for a cash machine, except that the user name is the account number stored on the bank customer's card, and the PIN is usually quite short (4 to 6 digits). Allotting separate passwords to each user of a system is usually preferable to having a single password shared by legitimate users of the system. This is partly because people are more willing to tell another person (who may not be authorized) a shared password than one exclusively for their use. Single passwords are also much less convenient to change because many people need to be told at the same time, and they make removal of a particular user's access more difficult. Per-user passwords are also essential if users are to be held accountable for their activities, such as making financial transactions or viewing medical records. ===Design of the protected software=== Common techniques used to improve the security of software systems protected by a password include: *not echoing the password on the display screen as it is being entered *allowing passwords of adequate length (some Unix systems limited passwords to 8 characters). *requiring users to re-enter their password after a period of inactivity *enforcing a password policy to ensure strong passwords *requiring periodic password changes *assigning passwords at random *providing an alternative to keyboard entry The more stringent measures run a risk of alienating users. ==Factors in the security of an individual password == ===Likelihood that a password can be guessed=== Studies of production computer systems have for decades consistently shown that about 40% of all user-chosen passwords are readily guessed. * Many users do not change the default password that comes with many computer security systems. Lists of default passwords are available on the Internet. * A password might be guessable if a user chooses an easily-discovered piece of personal information as a password (such as a student ID number, a boy- or girlfriend's name, a birthday, a telephone number, or a license plate number). Personal data about individuals are now available from various sources, many on-line, and can often be obtained by someone using Social engineering (computer security) techniques, such as posing as an opinion surveyor. * A password is vulnerable if it can be found in a list. Dictionaries (often in computer-readable form) are available for many languages, and there exist lists of commonly-chosen passwords. In tests on live systems, dictionary attacks are so routinely successful that software implementing this kind of attack is available for many systems. * A too short password, perhaps chosen for ease of typing, is vulnerable if an attacker can obtain the cryptographic hash of the password. Computers are now fast enough to try all alphabetic passwords shorter than 7 characters, for example. A weak password would be one that was short or was a default, or which could be rapidly guessed by searching a subset of all possible passwords such as words in the dictionary, proper names, words based on the user name or common variations on these themes. A strong password would be sufficiently long, random, or otherwise producible only by the user who chose it, so that 'guessing' for it will require too long a time. The length of time deemed to be 'too long' will vary with the attacker, with the attacker's resources, with the ease with which a password can be tried, and with the importance of the password to the attacker. So a student's password might not be worth more than a few seconds of computer time, whilst a password controlling access to a large bank's electronic money transfer system might be worth many weeks of computer time. 'Weak' and 'strong' have meaning only with regard to attempts to guess a user's password, whether by a person who knows the user well, or a computer trying millions of possibilities. In that context, the terms can have considerable precision. But note that a 'strong' password in this sense can still be stolen, tricked, or extorted from a user, collected from a keyboard logger, overheard by tapping some communications medium, or copied from a Post-It note or Rolodex. Examples of weak passwords include ''admin'', ''1234'', ''susan'', ''password'', ''rover'' and ''12/3/75''; most of these would be easily found with a dictionary search attack, and the last is likely some personally significant date readily discoverable with a little research. Examples of stronger passwords would be ''tastywheeT34'', ''partei@34!'', and ''#23kLLflux''. These passwords are longer and use combinations of lower and upper case letters, digits and symbols. They are unlikely to be in any password cracking word list and are sufficiently long to make direct brute force search impractical in most circumstances. Note that some systems do not allow symbols like ''#'', ''@'' and ''!'' in passwords and they may hard to find on some country-specific keyboards. In such cases, adding another letter or number or two may offer equivalent security. Also note that, having been published in this article as password examples, these are ''no longer good choices'': examples from publicly accessible discussions about passwords are obviously good candidates for inclusion in a dictionary to be used for a dictionary attack. The strongest method for generating passwords is to select sufficient characters at random, but such passwords are generally the most difficult to remember. Some users develop mnemonic phrases that have the random letters as the initial of each word. Another way to make random passwords more memorable is to use random words (see diceware) or syllables instead of random letters. Personal mnemonics are sometimes recommended, that is, things that are memorable to you, but not to others, for example, the password ''Iw21wIfvP'', a difficult to remember string, derives from "I was 21 when I first visited Paris", possibly easily remembered. However, if your first experience of Paris is important to you, it may be possible to guess this password from knowledge of you, and then this would ''not'' be a sensible password choice. ===Likelihood that a password can be remembered=== The most secure passwords are long, random strings of characters. For the same number of characters, a password is stronger if it includes a mix of upper and lower case letters, numbers and other symbols (when allowed). Unfortunately from a security perspective, such passwords are quite hard for most people to remember. Forcing users to use system-created 'random passwords' ensures the password will have no connection with that user and shouldn't be found in any dictionary. Several operating systems have included such a feature. While helpful from a security viewpoint, many users resent such measures and user cooperation is generally essential for security. Computer users are generally advised "never write a password down anywhere, no matter what" and "never use the a password for more than one account." These maxims, while sound in theory, ignore the reality that an ordinary computer user may have dozens of password-protected accounts. They have the unintended consequence that many users select weak passwords, even for important accounts, and end up using the same password everywhere. If passwords are written down, they should never be kept in obvious places such as address books, Rolodex files, under drawers or keyboards or behind pictures. The worst, but all too common, location is a Post-it note near the computer. Better locations are a safety deposit box or a locked file approved for information of comparable sensitivity to that protected by the password. Software is available for popular hand-held computers that can store passwords for numerous accounts in encrypted form. Another approach is to use a single password for low security accounts and select separate, strong passwords for a smaller number high value applications such as on-line banking. At a 2005 security conference, an expert from Microsoft was quoted as saying: "I claim that password policy should say you should write down your password. I have 68 different passwords. If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password on every one of them." [http://news.com.com/Microsoft+security+guru+Jot+down+your+passwords/2100-7355_3-5716590.html?tag=nefd.pop] Whether it is worse to use weak passwords that are memorized or strong passwords that are written down can provoke fierce debate among experts. Practical security often requires balancing conflicting requirements and human factors. ===Likelihood that a password can be discovered=== Passwords can be discovered by shoulder surfing, burglary, extortion, blackmail, threats, or other methods. Dumpster diving is surprisingly fruitful for situations in which sensitive printed data is discarded with insufficient precaution (as evidenced by the recent rise in identity theft). Approximate password length can be discovered even without shoulder surfing by simply counting keyboard clicks or noting finger motions. Research published by IBM in 2004 shows that each key on a keyboard has a distinctive acoustic signature, allowing keyed in data, including passwords, to be recovered by analyzing recordings from a covert listening device or "bug." ''See:'' Acoustic cryptanalysis. Obtaining passwords by psychological manipulation of users is an example of social engineering (computer security). An attacker might telephone a user and say "Hi. Systems Control here. We're doing a security test. Can we have your password so we can proceed?" Systems administrators and other support staff will very rarely, if ever, need to know a user's password in order to perform their jobs. System administrators with "root" or superuser privileges can change the users' passwords without their permission, so they have no need whatsoever to ask for it. In addition, they will go out of their way ''not'' to ask for a password, precisely because they do not want to encourage the habit of giving passwords to anyone. ==Alternatives to passwords for access control== The numerous ways in which reusable passwords can be compromised has prompted the development of other techniques. Unfortunately, none of them has become universally available for users seeking a more secure alternative. *One-time password. Having passwords which are only valid once makes many potential attacks ineffective. Most users find single use passwords extremely inconvenient. They have, however, been widely implemented in personal online banking, where they are known as TANs. As most home users only perform a small number of transactions each week, the single use issue has not lead to significant customer dissatisfaction in this case. *Security tokens are similar to single passwords, but the value to be entered is displayed on a small fob and changes every minute or so. *Access controls based on public key cryptography e.g. SSH. The necessary keys are too large to memorize and must be stored on a local computer, security token or portable memory device, such as a keydrive or floppy disk. *Biometric methods promise authentication based on unalterable personal characteristics, but currently (2005) have high error rates and require additional hardware to scan, for example, fingerprints, irises, etc. Because these characteristics are unalterable, it can be difficult to reuse them if they are comprised, such as by unauthorized fingerprint lifting or close eye photographing. *Single sign-on technology is supposed to eliminate the need for having multiple passwords. Such schemes do not relieve user and administrators from choosing reasonable single passwords, nor system designers nor administrators from ensuring that private access control information passed among systems enabling single signon is secure against attack. As yet, no satisfactory standard has been widely adopted. ==Passwords in fiction== Password use is often depicted in fiction, Illya Kuryakin 'proving' his identity to the The Man from U.N.C.L.E. security door with a code word, or Harry Potter (character) giving a password to a magic painting to enter his dormitory. Famous fictional passwords include ''open sesame'' from the Arabian Nights' tale of ''The Forty Thieves'' and ''Rumplestiltskin''. ==External links== * [http://www.windowsecurity.com/articles/Passwords-Attacks-Solutions.html Passwords - Common Attacks and Possible Solutions] * [http://www.xml-dev.com/blog/?action=viewtopic&id=122 Enforcing use of cryptographically strong password] * [http://psynch.com/docs/choosing-good-passwords.html Choosing good passwords] * [http://psynch.com/docs/password-management-best-practices.html Password management best practices] * [http://www.cirt.net/cgi-bin/passwd.pl List of default passwords listed by vendor] ==See also== * Password policy * Password length parameter * Password length equation * Password cracking * Shadow password * Password_synchronization * Self_Service_Password_Reset Cryptography Authentication methods
I've removed some information about biometrics from the article as it wasn't really about passwords, I'll be moving it to a new article about user identification. --User:Imran 00:50, 10 Jan 2004 (UTC) ---------- Imran, You are, strictly, correct. However, password is taken in practice by many of the (non security specialist) user community to be anything which is used as access control. Hence my comments. I was attempting to make the issue of adequacy of access controls explicit, and so to inform the reader on something that is almost always implicitly assumed to be sufficient. Security is an odd thing in that humans characteristically have considerable difficulty in even seeing it (a figure / ground problem I suspect) and when thinking about it, thinking clearly. My comments were, thus, intended to inform where information was not even suspected to be needed. In a modest sense, of course! Perhaps a revision of the articles in this area into something like 'access control' which is pointed at by password, biometrics, user identification, ... This would allow some discussion of meta issues not strictly belonging in any of the referencing articles. ?? ww -------- The article said it was "sensible" for the system to give the user a randomly generated password. '''Please don't write such things. Don't treat the users as pawns that exist to serve the computer system. It is the other way round'''. Sorry for venting. Been bitten by this attitude more than once in real life. Anyway the above is just one example of the fact that this article has a non-obvious type of POV: a security-POV. It assumes that the computer security is the most important thing in the world and everything else is secondary. A perfect example is the last paragraph: ''If even the smallest possibility exists that the password has become known to anyone other than those to whom it 'belongs', it should be considered compromised, and immediately changed.'' This is obviously never the case in reality, for no-one can expend infinite amounts of resourced in securing computers, and there's always a tradeoff between the level of security you get and users' productivity. I'm starting to get the feeling that many other security articles also have this POV. It is no more acceptable than other types of POV, and needs to be fixed. -- User:Arvindn 03:54, 18 Apr 2004 (UTC) :Arvindn, If security is not the point of using passwords, why bother. If you bother to use them at all, then any chance of compromise ... Not clear this is POV at all for anyone using passwords. :As for the 'sensible' comment, you are not the only one to have been bitten by this. VMS (and other operating systems) had/has(?) an auto password generation option. Every single user I had hated it when we required them to use it after 'too many' passwords got loose. That should be read, by the way, as 'we learned of too many'. How many actually got loose was and remains unknown. It was experience speaking there. And the intent was to convey that '...from an ideal security perspective...' etc. Reword as desired to make this clear if the original intent is acceptable. I agree with the bold faced sentiment, and in the VMS experience noted here, was implementing policy from above. :I considering writing a paragraph or two on adequate alternatives to such passwords, but figured that I'd catch flak for being too long winded. Would you think such a para or two would be appropriate? :User:Ww 17:43, 18 Apr 2004 (UTC) -------- IIRC, user rights are determined per UID, and UID is given from a unique username/password combo. On the first UNIX systems (and on some current ones), you may very well have (hopefully) different passwords for the same username, resulting in multiple UIDs. =="Writing down passwords" suggestion== I removed the following text: :A possible way by which one could get away with having one's password written down would be to have it written in a place in a list of false passwords. If one uses a weak password, the list should be full of false week passwords. If one uses a strong passwords, false strong passwords should be used. Thus, instead of having to recall a seemingly random alphanumeric string, one needs only remember what login goes with which password. Numbering the list can help with that. However, this measure should be taken if there is no other way for the user to remember his or her password. I don't think this is good advice. If you have a list of passwords and non-passwords, you are dramatically reducing the number of passwords that need to be checked. "Never write down a password" is better and more straightforward advice. --User:Huppybanny 21:54, Aug 16, 2004 (UTC) : I agree with this removal (in fact, I'd planned to do it myself when I came in today...); has any security expert endorsed this idea? User:Matt Crypto 23:41, 16 Aug 2004 (UTC) :: I agree having a list of false passwords does not provide good cover and is not significantly more secure than having the password written down. However, "Never write down a password" is not strictly correct. It depends on your threat model. User:Peter Hendrickson 03:38, 18 Aug 2004 (UTC) ::: Indeed; writing down your password can provide better security in many situations. Schneier: "''You can't memorize good enough passwords any more, so don't bother. Create long random passwords, and write them down. Store them in your wallet, or in a program like Password Safe. Guard them as you would your cash.''" (emph mine) [http://www.schneier.com/crypto-gram-0105.html] User:Matt Crypto 02:29, 19 Aug 2004 (UTC) ::::Matt, Much as I admire Schneier, I think he's wrong on this. Password Safe (his freeware password database program) is probably very good and all, and 'long random passwords' are certainly good in many respects, but anything which lets the user shuffle off his responsibilities to safeguard these little chunks of key data to something or someone else is wrong psychologically. Even if PSafe were to be perfect, it would still be bad advice. We h sap don't do this sort of stuff very well, and apparently need have our noses rubbed in it more or less continuously to do even as well as we can. Peter's observation above about dependence on your threat model is quite relevant. Missing in Schneier's comment, and exceptionally hard to sensibly apply, but quite relevant. User:Ww 16:34, 20 Aug 2004 (UTC) :::::Well, it does depend on the threat model. We're happy to carry around keys to things like cars and houses on our person; this is considered an acceptable risk, even though there's a chance the keys could be stolen. In many cases passwords protect less valuable information (think Hotmail). For these cases, why is it a horrendous security failing to write down a password and keep it in your wallet? There's a compelling argument to use an unguessable password stored in your wallet rather than memorise a guessable password. Regardless, getting back to the article, we clearly need to modify statements such as "''most observers regard written down passwords as necessarily insecure''". User:Matt Crypto 07:13, 21 Aug 2004 (UTC) == Diceware == Perhaps we should mention [http://www.diceware.com diceware]? This is the best system for producing a strong password: * Diceware can provide very strong passwords. * The password/passphrase is fairly easy to remember. * The password/passphrase is truly random. * It is possible to quantize the strength associated with a diceware password. The only drawback of diceware is that the passwords are quite long. They take longer to type. So it works best for high-security situations (such as protecting a private PGP key). This is my first time contributing to Wikipedia. I want to make sure I don't step on anyone's toes. Would it be alright if I add a Wiki page about diceware and then add a section to the Password page about diceware? : Go for it, your contribution would be very welcome! I'd encourage you to try and write in a neutral fashion about Diceware (even though it's great) — try and avoid advocacy, if you can. If you need any help on formatting / other queries, I'd be glad to help. User:Matt Crypto 02:19, 19 Aug 2004 (UTC) ::Dcarrera, Always glad to see bravery in those new to WP! I second Matt's comment (Go for it!), and agree with his observation about P(oint)O(f)V(iew). An example of such is "This is the best system for producing a strong password:". A point which would be hard to defend against a claim of POV. Some attention might also be paid to the "...password is truly random." observation. This is a veritable tarpit of confusion, trapping many insufficiently suspicious folk, probably because of the many oh so tempting! (but wrong) ways of thinking about random and randomness. ::But on the question of password choice, usability is relevant in real world situations (see Arvindn's comment above), and must be considered lest users rise up and lynch the system admins for making their lives secure, but hell on earth otherwise. When people are involved, sensible security design becomes something of a black art and requires the patience of Job, the knowledge/perspective of a Turing, the ruthlessness of a Bismark, and the luck of the Irish. Since these are seldom available simultaneously, security design in the real world becomes the art of the possible. An infuriating situation for those who like clarity, logic, and finality. Much like herding cats, really. ::Don't worry over much about stepping on toes. By getting involved here, you agree not to object, and so did everyone else. It's good for egos which need a little reshaping. Nonetheless, it's an interesting place, and I applaud your concern for others. It's a trait WP needs more of, albeit while being BOLD in editing. If you're interested in security and crypto (not quite the same things, mostly) you might wish to check in at Wikipedia:WikiProject Cryptography to see how things are (somewhat) organized in the WP crypto corner. User:Ww 16:29, 20 Aug 2004 (UTC) == Writing down password - security flaw or not? == It appears that Microsoft's Jesper Johanssen thinks that users ''should'' write down passwords. See [http://news.com.com/Microsoft+security+guru+Jot+down+your+passwords/2100-7355_3-5716590.html?tag=nefd.ac]. Perhaps we should note this? - User:Ta bu shi da yu 07:24, 9 Jun 2005 (UTC) :We already do. See "Likelihood that a password can be remembered." Wikipedia had this advice before Mr. Johanssen's remarks. --User:ArnoldReinhold 10:43, 9 Jun 2005 (UTC)
User:Ilyanep — Ilγαηερ">User:Ilyanep (Tαlκ)">User talk:Ilyanep 14:43, 19 Sep 2004 (UTC) Hi, there. Just so you know, cutting and pasting from most Internet sites is a violation of copyright. Not doing that keeps everyone from getting into trouble, y'know. Otherwise, welcome to the club! - User:Lucky 6.9 15:50, 19 Sep 2004 (UTC) ==Public domain== You're probably OK with the public domain part, but not all government text is public domain. If it's from the US Government, it ''is'' public domain and if that's the case with your contributions, they can be reverted back to the original posting rather easily. Hope this clears things up. Better to be safe than sorry. - User:Lucky 6.9 17:33, 19 Sep 2004 (UTC) Much of the public domain information your are contributing appears to be useful material, but it's important that it's all edited to conform to Wikipedia style. Articles like snake teeth need splitting up into paragraphs, linking to other articles, and rewording in places. Your contributions are welcomed, but can I ask that you go through them to make them look like normal Wikipedia articles before you contribute them? Thanks. — User:Trilobite User_talk:Trilobite 21:55, 19 Sep 2004 (UTC) Please see Wikipedia:Manual of Style. When you copy this stuff over, please edit it accordingly. User:RickKUser talk:RickK 22:01, Sep 19, 2004 (UTC) *Hi, Password. Have you heard about Wikisource? That's the Wikimedia source text repository. Why not get an account there (mine is Wikisource:User:Ardonik) and add the texts down that way? The Wikipedia was never meant to be a dumping ground for source texts. We make articles ''about'' notable works, but don't just include the text literally unless we can make extensive, running commentaries--''even if the source is public domain.''
We could really use the help of someone with your enthusiasm over at Wikisource. Post a message at the Wikisource:Wikisource:Scriptorium if you have any questions about what to do. Once we've incorporated some of your texts, we can link to them from some of the Wikipedia articles (where appropriate.) --User:Ardonik.User talk:ArdonikUser:Ardonik/I ate my cat 22:43, Sep 19, 2004 (UTC) **Password, this verbatim copying must stop. It's not that we don't accept source texts--it's just that the project that you're looking for is called "Wikisource" and not "Wikipedia." If you need help getting set up over there, leave a message on User talk:Ardonik. But if you keep cutting and pasting text into this encyclopedia, it will eventually be voted for deletion. Please respond! --User:Ardonik.User talk:ArdonikUser:Ardonik/I ate my cat 01:25, Sep 20, 2004 (UTC) == LOC copyrights == Hi Password, Please remember to check the copyright information before copying information from the Library of Congress. Just because it's a .gov site, does not automatically mean that it's all public domain. Many of the texts they host are still under copyright and shouldn't be copied to Wikipedia. The dance manual, specifically, shouldn't be copied here without permission: http://memory.loc.gov/ammem/dihtml/dires.html User:Rhobite 01:12, Sep 20, 2004 (UTC) == 1911 articles == For 1911 articles please follow these guidelines: 1911_Encyclopaedia_Britannica. Sometimes no article is better than a raw dump of a 1911 article. Also, the scaned copies of the 1911 that can be found on the Internet are copyright. You will need to own a hard copy typically, and scan or hand enter it yourself. The copyright versions are easy to spot because they contain the same scanning errors and missing text from the original.User:Stbalbach 08:22, 21 Sep 2004 (UTC)
See other meanings of words starting from letter:
Words begining with Password:
Password
Password
Password
Passwordispassword
Passwordremindertext
Passwordremindertext
Passwordremindertitle
Passwords
Passwords
Passwordsent
Password_(disambiguation)
Password_(game)
Password_(game_show)
Password_(video_games)
Password_(video_games)
Password_(video_games)/to_do
Password_Authentication_Protocol
Password_Authentication_Protocol
Password_authentication_protocol
Password_authentication_protocol
Password_cracker
Password_cracking
Password_cracking
Password_game
Password_length_equation
Password_length_parameter
Password_phishing
Password_Plus
Password_policy
Password_Repository
Password_Safe
Password_shadowing
Password_synchronization
Password
A password is a form of authentication which uses secret data to control access to a resource. The password is kept secret from those not allowed access, and those wishing to gain access are tested on whether or not they know the password and are granted or denied access accordingly. The use of passwords goes back to ancient times. Sentries guarding a location would challenge for a password. They would only allow a person in if they knew the password. In modern times, passwords are used to access control to protected computer operating systems, mobile phones, cable TV decoders, Automated Teller Machine (ATMs), etc. A typical computer user may require passwords for many purposes, including logons to computer accounts, retrieving email from servers, accessing databases, networks and web sites, even reading the morning newspaper online. Despite the name, there is no need for passwords to be actual words; indeed passwords which are not actual words are harder to guess (a desirable property). Note that ''password'' is often used to describe what would be more accurately called a pass phrase. Passcode is sometimes taken to imply that the information used is purely numeric, such as the personal identification number (PIN) commonly used for ATM access. Passwords are generally short enough to be memorized. ==Security and convenience== In controlling access to anything, a trade-off is made between security and convenience. If a resource is protected by a password, then security is increased with a consequent loss of convenience for users. The amount of security and inconvenience inherent in a particular password policy are affected by several factors addressed below. However, there is no one best way to set a proper balance between security and convenience. Some password protected systems pose little or no risk to a user if compromised, for example a password allowing access to a free information web site. Others pose modest economic or privacy risk, a password used to access e-mail or a security lock code for a mobile telephone. Still others could have very serious consequences if compromised, such as passwords used to limit access to AIDS treatment records or control a power transmission grid. ==Factors in the security of a password system== The security of a password-protected system depends on several factors. The system must, of course, be designed for sound overall security. See computer security and computer insecurity. Here are some password management issues that must be considered: ===Rate at which an attacker can try out guessed passwords=== The rate at which an attacker can submit guessed passwords is a key factor in determining system security. Some systems impose a long time out after a small number (e.g. 3) of failed password entry attempts. Absent other vulnerabilities, such systems can be secure with relatively simple passwords as long as they are not easily guessed. Examples of passwords that are easily guessed include the name of a relative or pet, automobile license plate numbers and default passwords such as ''admin'' or ''1234''. Other systems store or transmit a cryptographic hash of the password in a manner that makes the hash value accessible to an attacker. When this is done, and it is common, an attacker can try out passwords at a very high rate, perhaps using widely available lists of common passwords. Passwords that are used to generate cryptographic keys, e.g for disk encryption or Wi-Fi security, are also subject to high rate guessing. Stronger passwords are needed in these systems. ===Form of stored passwords=== Some systems store passwords as plain text. If an attacker gains access to the password file, all passwords are compromised. If some users employ the same password for multiple accounts, those will be compromised as well. Better systems store each password in a cryptographically protected form, so access to the actual password will be difficult for a snooper who gains internal access to the system, whilst validation still remains possible. A common cryptographic scheme stores only a "hashed" form of the plaintext password. When a user types in a password on such a system, it is run through the hashing algorithm, and if the hash value generated from the user's entry matches the hash stored in the password database, the user is permitted access. The hash value is created by applying a cryptographic hash function to a string consisting of the password and, usually, another value known as a salt (cryptography). The salt prevents attackers from building a list of hash values for common passwords. MD5 and SHA1 are frequently used cryptographic hash functions. A modified version of DES was used in early Unix systems. If the hash function is well designed, it is computationally infeasible to reverse it to find the plaintext directly. However, if an attacker can gain access to the hashed values (and many systems do not protect them adequately), he can use widely available tools which compare the encrypted outcome of every word from some collection, such as a dictionary. Long lists of possible passwords in many languages are widely available and the tools try common variations as well. These dictionary attack tools demonstrate by existence the relative strengths of different password choices against such attacks. Use of a key derivation function can reduce this risk. Unfortunately, there is a fundamental conflict between this use of hash functions and the needs of challenge-response authentication; the latter requires both parties to prove to each other that they know what the shared secret (the password) is, and to do this, the server end needs to be able to obtain the shared secret from its stored form. On Unix-type systems doing remote authentication, the shared secret becomes the hashed form of the password, not the unhashed form; if an attacker can obtain a copy of the hashed password, they will be able to access the system remotely, even without being able to determine what the original unhashed password was. ===Method of relaying password to the authenticator=== Passwords can be vulnerable to snooping while being transmitted to the authenticating machine or person. If the password is carried as electrical signals on unsecured physical wiring between the user access point and the central system controlling the password database, it is subject to snooping by Telephone tapping methods. If it is carried over the Internet, anyone able to watch the packets containing the logon information can snoop with very little possibility of detection. Cable modems may be more vulnerable to snooping than DSL and dialup connections, and ethernet may or may not be snoopable, depending particularly on the choice of networking hardware and wiring. Some organizations have noted a significant increase in stolen accounts after users began logging in over cable connections. The risk of interception of passwords sent over the Internet can be reduced with the Transport Layer Security (TLS, previously called SSL) feature built into many Internet browsers. Most browsers display a closed lock icon when TLS is in use. See cryptography for other ways in which the passing of information can be made more secure. ===Procedures for changing passwords=== Usually, a system must provide a way to change a password, either because a user believes the current password has been (or might have been) compromised, or as a precautionary measure. If a new password is passed to the system in an unencrypted form, security can be lost (e.g., via wiretapping) before the new password can even be installed in the password database. If the new password is given to a compromised employee, little is gained. Some web sites include the user-selected password in an unencrypted confirming e-mail message. Identity management systems are increasingly used to automate issuance of replacements for lost passwords. The user's identity is verified by asking questions and comparing the answers to ones previously stored. Typical questions include "Where were you born?," "What is your favorite movie?" or "What is the name of your pet?" In many cases the answers to these questions can be guessed, determined by research, or obtained through social engineering (computer security). While many users have been trained never to reveal a password, few consider the name of their favorite movie to require similar care. ===Longevity of a password=== Forcing users to change passwords frequently (quarterly, monthly or even more often) ensures that a valid password in the wrong hands will eventually become unusable. Many operating systems provide such features, though they are not universally used. Their security benefits are limited by because attackers often exploit a password as soon as it is compromised. In many cases, particularly with administrative or "root" accounts, once an attacker has gained access, he can make alterations to the operating system that will allow him future access even after the initial password he used expires. Forcing password change too frequently may make users more likely to forget which password is current, and there is a consequent temptation for users to either write their password down or to reuse an earlier password, which may negate any added security benefit. Implementing such a policy requires careful consideration of human factors. ===Number of users per password=== Sometimes a single password controls access to a device, for example, for a network router, or password-protected mobile phone. However, in the case of a computer security, a password is usually stored for each user name, thus making all access traceable (save, of course, in the case of users sharing passwords). A would-be user must give a name as well as a password. If the user supplies a password matching the one stored for the supplied user name, he or she is permitted further access into the computer system. This is also the case for a cash machine, except that the user name is the account number stored on the bank customer's card, and the PIN is usually quite short (4 to 6 digits). Allotting separate passwords to each user of a system is usually preferable to having a single password shared by legitimate users of the system. This is partly because people are more willing to tell another person (who may not be authorized) a shared password than one exclusively for their use. Single passwords are also much less convenient to change because many people need to be told at the same time, and they make removal of a particular user's access more difficult. Per-user passwords are also essential if users are to be held accountable for their activities, such as making financial transactions or viewing medical records. ===Design of the protected software=== Common techniques used to improve the security of software systems protected by a password include: *not echoing the password on the display screen as it is being entered *allowing passwords of adequate length (some Unix systems limited passwords to 8 characters). *requiring users to re-enter their password after a period of inactivity *enforcing a password policy to ensure strong passwords *requiring periodic password changes *assigning passwords at random *providing an alternative to keyboard entry The more stringent measures run a risk of alienating users. ==Factors in the security of an individual password == ===Likelihood that a password can be guessed=== Studies of production computer systems have for decades consistently shown that about 40% of all user-chosen passwords are readily guessed. * Many users do not change the default password that comes with many computer security systems. Lists of default passwords are available on the Internet. * A password might be guessable if a user chooses an easily-discovered piece of personal information as a password (such as a student ID number, a boy- or girlfriend's name, a birthday, a telephone number, or a license plate number). Personal data about individuals are now available from various sources, many on-line, and can often be obtained by someone using Social engineering (computer security) techniques, such as posing as an opinion surveyor. * A password is vulnerable if it can be found in a list. Dictionaries (often in computer-readable form) are available for many languages, and there exist lists of commonly-chosen passwords. In tests on live systems, dictionary attacks are so routinely successful that software implementing this kind of attack is available for many systems. * A too short password, perhaps chosen for ease of typing, is vulnerable if an attacker can obtain the cryptographic hash of the password. Computers are now fast enough to try all alphabetic passwords shorter than 7 characters, for example. A weak password would be one that was short or was a default, or which could be rapidly guessed by searching a subset of all possible passwords such as words in the dictionary, proper names, words based on the user name or common variations on these themes. A strong password would be sufficiently long, random, or otherwise producible only by the user who chose it, so that 'guessing' for it will require too long a time. The length of time deemed to be 'too long' will vary with the attacker, with the attacker's resources, with the ease with which a password can be tried, and with the importance of the password to the attacker. So a student's password might not be worth more than a few seconds of computer time, whilst a password controlling access to a large bank's electronic money transfer system might be worth many weeks of computer time. 'Weak' and 'strong' have meaning only with regard to attempts to guess a user's password, whether by a person who knows the user well, or a computer trying millions of possibilities. In that context, the terms can have considerable precision. But note that a 'strong' password in this sense can still be stolen, tricked, or extorted from a user, collected from a keyboard logger, overheard by tapping some communications medium, or copied from a Post-It note or Rolodex. Examples of weak passwords include ''admin'', ''1234'', ''susan'', ''password'', ''rover'' and ''12/3/75''; most of these would be easily found with a dictionary search attack, and the last is likely some personally significant date readily discoverable with a little research. Examples of stronger passwords would be ''tastywheeT34'', ''partei@34!'', and ''#23kLLflux''. These passwords are longer and use combinations of lower and upper case letters, digits and symbols. They are unlikely to be in any password cracking word list and are sufficiently long to make direct brute force search impractical in most circumstances. Note that some systems do not allow symbols like ''#'', ''@'' and ''!'' in passwords and they may hard to find on some country-specific keyboards. In such cases, adding another letter or number or two may offer equivalent security. Also note that, having been published in this article as password examples, these are ''no longer good choices'': examples from publicly accessible discussions about passwords are obviously good candidates for inclusion in a dictionary to be used for a dictionary attack. The strongest method for generating passwords is to select sufficient characters at random, but such passwords are generally the most difficult to remember. Some users develop mnemonic phrases that have the random letters as the initial of each word. Another way to make random passwords more memorable is to use random words (see diceware) or syllables instead of random letters. Personal mnemonics are sometimes recommended, that is, things that are memorable to you, but not to others, for example, the password ''Iw21wIfvP'', a difficult to remember string, derives from "I was 21 when I first visited Paris", possibly easily remembered. However, if your first experience of Paris is important to you, it may be possible to guess this password from knowledge of you, and then this would ''not'' be a sensible password choice. ===Likelihood that a password can be remembered=== The most secure passwords are long, random strings of characters. For the same number of characters, a password is stronger if it includes a mix of upper and lower case letters, numbers and other symbols (when allowed). Unfortunately from a security perspective, such passwords are quite hard for most people to remember. Forcing users to use system-created 'random passwords' ensures the password will have no connection with that user and shouldn't be found in any dictionary. Several operating systems have included such a feature. While helpful from a security viewpoint, many users resent such measures and user cooperation is generally essential for security. Computer users are generally advised "never write a password down anywhere, no matter what" and "never use the a password for more than one account." These maxims, while sound in theory, ignore the reality that an ordinary computer user may have dozens of password-protected accounts. They have the unintended consequence that many users select weak passwords, even for important accounts, and end up using the same password everywhere. If passwords are written down, they should never be kept in obvious places such as address books, Rolodex files, under drawers or keyboards or behind pictures. The worst, but all too common, location is a Post-it note near the computer. Better locations are a safety deposit box or a locked file approved for information of comparable sensitivity to that protected by the password. Software is available for popular hand-held computers that can store passwords for numerous accounts in encrypted form. Another approach is to use a single password for low security accounts and select separate, strong passwords for a smaller number high value applications such as on-line banking. At a 2005 security conference, an expert from Microsoft was quoted as saying: "I claim that password policy should say you should write down your password. I have 68 different passwords. If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password on every one of them." [http://news.com.com/Microsoft+security+guru+Jot+down+your+passwords/2100-7355_3-5716590.html?tag=nefd.pop] Whether it is worse to use weak passwords that are memorized or strong passwords that are written down can provoke fierce debate among experts. Practical security often requires balancing conflicting requirements and human factors. ===Likelihood that a password can be discovered=== Passwords can be discovered by shoulder surfing, burglary, extortion, blackmail, threats, or other methods. Dumpster diving is surprisingly fruitful for situations in which sensitive printed data is discarded with insufficient precaution (as evidenced by the recent rise in identity theft). Approximate password length can be discovered even without shoulder surfing by simply counting keyboard clicks or noting finger motions. Research published by IBM in 2004 shows that each key on a keyboard has a distinctive acoustic signature, allowing keyed in data, including passwords, to be recovered by analyzing recordings from a covert listening device or "bug." ''See:'' Acoustic cryptanalysis. Obtaining passwords by psychological manipulation of users is an example of social engineering (computer security). An attacker might telephone a user and say "Hi. Systems Control here. We're doing a security test. Can we have your password so we can proceed?" Systems administrators and other support staff will very rarely, if ever, need to know a user's password in order to perform their jobs. System administrators with "root" or superuser privileges can change the users' passwords without their permission, so they have no need whatsoever to ask for it. In addition, they will go out of their way ''not'' to ask for a password, precisely because they do not want to encourage the habit of giving passwords to anyone. ==Alternatives to passwords for access control== The numerous ways in which reusable passwords can be compromised has prompted the development of other techniques. Unfortunately, none of them has become universally available for users seeking a more secure alternative. *One-time password. Having passwords which are only valid once makes many potential attacks ineffective. Most users find single use passwords extremely inconvenient. They have, however, been widely implemented in personal online banking, where they are known as TANs. As most home users only perform a small number of transactions each week, the single use issue has not lead to significant customer dissatisfaction in this case. *Security tokens are similar to single passwords, but the value to be entered is displayed on a small fob and changes every minute or so. *Access controls based on public key cryptography e.g. SSH. The necessary keys are too large to memorize and must be stored on a local computer, security token or portable memory device, such as a keydrive or floppy disk. *Biometric methods promise authentication based on unalterable personal characteristics, but currently (2005) have high error rates and require additional hardware to scan, for example, fingerprints, irises, etc. Because these characteristics are unalterable, it can be difficult to reuse them if they are comprised, such as by unauthorized fingerprint lifting or close eye photographing. *Single sign-on technology is supposed to eliminate the need for having multiple passwords. Such schemes do not relieve user and administrators from choosing reasonable single passwords, nor system designers nor administrators from ensuring that private access control information passed among systems enabling single signon is secure against attack. As yet, no satisfactory standard has been widely adopted. ==Passwords in fiction== Password use is often depicted in fiction, Illya Kuryakin 'proving' his identity to the The Man from U.N.C.L.E. security door with a code word, or Harry Potter (character) giving a password to a magic painting to enter his dormitory. Famous fictional passwords include ''open sesame'' from the Arabian Nights' tale of ''The Forty Thieves'' and ''Rumplestiltskin''. ==External links== * [http://www.windowsecurity.com/articles/Passwords-Attacks-Solutions.html Passwords - Common Attacks and Possible Solutions] * [http://www.xml-dev.com/blog/?action=viewtopic&id=122 Enforcing use of cryptographically strong password] * [http://psynch.com/docs/choosing-good-passwords.html Choosing good passwords] * [http://psynch.com/docs/password-management-best-practices.html Password management best practices] * [http://www.cirt.net/cgi-bin/passwd.pl List of default passwords listed by vendor] ==See also== * Password policy * Password length parameter * Password length equation * Password cracking * Shadow password * Password_synchronization * Self_Service_Password_Reset Cryptography Authentication methods
Password
I've removed some information about biometrics from the article as it wasn't really about passwords, I'll be moving it to a new article about user identification. --User:Imran 00:50, 10 Jan 2004 (UTC) ---------- Imran, You are, strictly, correct. However, password is taken in practice by many of the (non security specialist) user community to be anything which is used as access control. Hence my comments. I was attempting to make the issue of adequacy of access controls explicit, and so to inform the reader on something that is almost always implicitly assumed to be sufficient. Security is an odd thing in that humans characteristically have considerable difficulty in even seeing it (a figure / ground problem I suspect) and when thinking about it, thinking clearly. My comments were, thus, intended to inform where information was not even suspected to be needed. In a modest sense, of course! Perhaps a revision of the articles in this area into something like 'access control' which is pointed at by password, biometrics, user identification, ... This would allow some discussion of meta issues not strictly belonging in any of the referencing articles. ?? ww -------- The article said it was "sensible" for the system to give the user a randomly generated password. '''Please don't write such things. Don't treat the users as pawns that exist to serve the computer system. It is the other way round'''. Sorry for venting. Been bitten by this attitude more than once in real life. Anyway the above is just one example of the fact that this article has a non-obvious type of POV: a security-POV. It assumes that the computer security is the most important thing in the world and everything else is secondary. A perfect example is the last paragraph: ''If even the smallest possibility exists that the password has become known to anyone other than those to whom it 'belongs', it should be considered compromised, and immediately changed.'' This is obviously never the case in reality, for no-one can expend infinite amounts of resourced in securing computers, and there's always a tradeoff between the level of security you get and users' productivity. I'm starting to get the feeling that many other security articles also have this POV. It is no more acceptable than other types of POV, and needs to be fixed. -- User:Arvindn 03:54, 18 Apr 2004 (UTC) :Arvindn, If security is not the point of using passwords, why bother. If you bother to use them at all, then any chance of compromise ... Not clear this is POV at all for anyone using passwords. :As for the 'sensible' comment, you are not the only one to have been bitten by this. VMS (and other operating systems) had/has(?) an auto password generation option. Every single user I had hated it when we required them to use it after 'too many' passwords got loose. That should be read, by the way, as 'we learned of too many'. How many actually got loose was and remains unknown. It was experience speaking there. And the intent was to convey that '...from an ideal security perspective...' etc. Reword as desired to make this clear if the original intent is acceptable. I agree with the bold faced sentiment, and in the VMS experience noted here, was implementing policy from above. :I considering writing a paragraph or two on adequate alternatives to such passwords, but figured that I'd catch flak for being too long winded. Would you think such a para or two would be appropriate? :User:Ww 17:43, 18 Apr 2004 (UTC) -------- IIRC, user rights are determined per UID, and UID is given from a unique username/password combo. On the first UNIX systems (and on some current ones), you may very well have (hopefully) different passwords for the same username, resulting in multiple UIDs. =="Writing down passwords" suggestion== I removed the following text: :A possible way by which one could get away with having one's password written down would be to have it written in a place in a list of false passwords. If one uses a weak password, the list should be full of false week passwords. If one uses a strong passwords, false strong passwords should be used. Thus, instead of having to recall a seemingly random alphanumeric string, one needs only remember what login goes with which password. Numbering the list can help with that. However, this measure should be taken if there is no other way for the user to remember his or her password. I don't think this is good advice. If you have a list of passwords and non-passwords, you are dramatically reducing the number of passwords that need to be checked. "Never write down a password" is better and more straightforward advice. --User:Huppybanny 21:54, Aug 16, 2004 (UTC) : I agree with this removal (in fact, I'd planned to do it myself when I came in today...); has any security expert endorsed this idea? User:Matt Crypto 23:41, 16 Aug 2004 (UTC) :: I agree having a list of false passwords does not provide good cover and is not significantly more secure than having the password written down. However, "Never write down a password" is not strictly correct. It depends on your threat model. User:Peter Hendrickson 03:38, 18 Aug 2004 (UTC) ::: Indeed; writing down your password can provide better security in many situations. Schneier: "''You can't memorize good enough passwords any more, so don't bother. Create long random passwords, and write them down. Store them in your wallet, or in a program like Password Safe. Guard them as you would your cash.''" (emph mine) [http://www.schneier.com/crypto-gram-0105.html] User:Matt Crypto 02:29, 19 Aug 2004 (UTC) ::::Matt, Much as I admire Schneier, I think he's wrong on this. Password Safe (his freeware password database program) is probably very good and all, and 'long random passwords' are certainly good in many respects, but anything which lets the user shuffle off his responsibilities to safeguard these little chunks of key data to something or someone else is wrong psychologically. Even if PSafe were to be perfect, it would still be bad advice. We h sap don't do this sort of stuff very well, and apparently need have our noses rubbed in it more or less continuously to do even as well as we can. Peter's observation above about dependence on your threat model is quite relevant. Missing in Schneier's comment, and exceptionally hard to sensibly apply, but quite relevant. User:Ww 16:34, 20 Aug 2004 (UTC) :::::Well, it does depend on the threat model. We're happy to carry around keys to things like cars and houses on our person; this is considered an acceptable risk, even though there's a chance the keys could be stolen. In many cases passwords protect less valuable information (think Hotmail). For these cases, why is it a horrendous security failing to write down a password and keep it in your wallet? There's a compelling argument to use an unguessable password stored in your wallet rather than memorise a guessable password. Regardless, getting back to the article, we clearly need to modify statements such as "''most observers regard written down passwords as necessarily insecure''". User:Matt Crypto 07:13, 21 Aug 2004 (UTC) == Diceware == Perhaps we should mention [http://www.diceware.com diceware]? This is the best system for producing a strong password: * Diceware can provide very strong passwords. * The password/passphrase is fairly easy to remember. * The password/passphrase is truly random. * It is possible to quantize the strength associated with a diceware password. The only drawback of diceware is that the passwords are quite long. They take longer to type. So it works best for high-security situations (such as protecting a private PGP key). This is my first time contributing to Wikipedia. I want to make sure I don't step on anyone's toes. Would it be alright if I add a Wiki page about diceware and then add a section to the Password page about diceware? : Go for it, your contribution would be very welcome! I'd encourage you to try and write in a neutral fashion about Diceware (even though it's great) — try and avoid advocacy, if you can. If you need any help on formatting / other queries, I'd be glad to help. User:Matt Crypto 02:19, 19 Aug 2004 (UTC) ::Dcarrera, Always glad to see bravery in those new to WP! I second Matt's comment (Go for it!), and agree with his observation about P(oint)O(f)V(iew). An example of such is "This is the best system for producing a strong password:". A point which would be hard to defend against a claim of POV. Some attention might also be paid to the "...password is truly random." observation. This is a veritable tarpit of confusion, trapping many insufficiently suspicious folk, probably because of the many oh so tempting! (but wrong) ways of thinking about random and randomness. ::But on the question of password choice, usability is relevant in real world situations (see Arvindn's comment above), and must be considered lest users rise up and lynch the system admins for making their lives secure, but hell on earth otherwise. When people are involved, sensible security design becomes something of a black art and requires the patience of Job, the knowledge/perspective of a Turing, the ruthlessness of a Bismark, and the luck of the Irish. Since these are seldom available simultaneously, security design in the real world becomes the art of the possible. An infuriating situation for those who like clarity, logic, and finality. Much like herding cats, really. ::Don't worry over much about stepping on toes. By getting involved here, you agree not to object, and so did everyone else. It's good for egos which need a little reshaping. Nonetheless, it's an interesting place, and I applaud your concern for others. It's a trait WP needs more of, albeit while being BOLD in editing. If you're interested in security and crypto (not quite the same things, mostly) you might wish to check in at Wikipedia:WikiProject Cryptography to see how things are (somewhat) organized in the WP crypto corner. User:Ww 16:29, 20 Aug 2004 (UTC) == Writing down password - security flaw or not? == It appears that Microsoft's Jesper Johanssen thinks that users ''should'' write down passwords. See [http://news.com.com/Microsoft+security+guru+Jot+down+your+passwords/2100-7355_3-5716590.html?tag=nefd.ac]. Perhaps we should note this? - User:Ta bu shi da yu 07:24, 9 Jun 2005 (UTC) :We already do. See "Likelihood that a password can be remembered." Wikipedia had this advice before Mr. Johanssen's remarks. --User:ArnoldReinhold 10:43, 9 Jun 2005 (UTC)
Password
User:Ilyanep — Ilγαηερ">User:Ilyanep (Tαlκ)">User talk:Ilyanep 14:43, 19 Sep 2004 (UTC) Hi, there. Just so you know, cutting and pasting from most Internet sites is a violation of copyright. Not doing that keeps everyone from getting into trouble, y'know. Otherwise, welcome to the club! - User:Lucky 6.9 15:50, 19 Sep 2004 (UTC) ==Public domain== You're probably OK with the public domain part, but not all government text is public domain. If it's from the US Government, it ''is'' public domain and if that's the case with your contributions, they can be reverted back to the original posting rather easily. Hope this clears things up. Better to be safe than sorry. - User:Lucky 6.9 17:33, 19 Sep 2004 (UTC) Much of the public domain information your are contributing appears to be useful material, but it's important that it's all edited to conform to Wikipedia style. Articles like snake teeth need splitting up into paragraphs, linking to other articles, and rewording in places. Your contributions are welcomed, but can I ask that you go through them to make them look like normal Wikipedia articles before you contribute them? Thanks. — User:Trilobite User_talk:Trilobite 21:55, 19 Sep 2004 (UTC) Please see Wikipedia:Manual of Style. When you copy this stuff over, please edit it accordingly. User:RickKUser talk:RickK 22:01, Sep 19, 2004 (UTC) *Hi, Password. Have you heard about Wikisource? That's the Wikimedia source text repository. Why not get an account there (mine is Wikisource:User:Ardonik) and add the texts down that way? The Wikipedia was never meant to be a dumping ground for source texts. We make articles ''about'' notable works, but don't just include the text literally unless we can make extensive, running commentaries--''even if the source is public domain.''
We could really use the help of someone with your enthusiasm over at Wikisource. Post a message at the Wikisource:Wikisource:Scriptorium if you have any questions about what to do. Once we've incorporated some of your texts, we can link to them from some of the Wikipedia articles (where appropriate.) --User:Ardonik.User talk:ArdonikUser:Ardonik/I ate my cat 22:43, Sep 19, 2004 (UTC) **Password, this verbatim copying must stop. It's not that we don't accept source texts--it's just that the project that you're looking for is called "Wikisource" and not "Wikipedia." If you need help getting set up over there, leave a message on User talk:Ardonik. But if you keep cutting and pasting text into this encyclopedia, it will eventually be voted for deletion. Please respond! --User:Ardonik.User talk:ArdonikUser:Ardonik/I ate my cat 01:25, Sep 20, 2004 (UTC) == LOC copyrights == Hi Password, Please remember to check the copyright information before copying information from the Library of Congress. Just because it's a .gov site, does not automatically mean that it's all public domain. Many of the texts they host are still under copyright and shouldn't be copied to Wikipedia. The dance manual, specifically, shouldn't be copied here without permission: http://memory.loc.gov/ammem/dihtml/dires.html User:Rhobite 01:12, Sep 20, 2004 (UTC) == 1911 articles == For 1911 articles please follow these guidelines: 1911_Encyclopaedia_Britannica. Sometimes no article is better than a raw dump of a 1911 article. Also, the scaned copies of the 1911 that can be found on the Internet are copyright. You will need to own a hard copy typically, and scan or hand enter it yourself. The copyright versions are easy to spot because they contain the same scanning errors and missing text from the original.User:Stbalbach 08:22, 21 Sep 2004 (UTC)
See other meanings of words starting from letter:
P
PA | PB | PC | PD | PE | PF | PG | PH | PI | PJ | PK | PL | PM | PN | PO | PR | PS | PT | PU | PW | PX | PY | PZ |Words begining with Password:
Password
Password
Password
Passwordispassword
Passwordremindertext
Passwordremindertext
Passwordremindertitle
Passwords
Passwords
Passwordsent
Password_(disambiguation)
Password_(game)
Password_(game_show)
Password_(video_games)
Password_(video_games)
Password_(video_games)/to_do
Password_Authentication_Protocol
Password_Authentication_Protocol
Password_authentication_protocol
Password_authentication_protocol
Password_cracker
Password_cracking
Password_cracking
Password_game
Password_length_equation
Password_length_parameter
Password_phishing
Password_Plus
Password_policy
Password_Repository
Password_Safe
Password_shadowing
Password_synchronization
These materials are based on Wikipedia and licensed under the GNU FDL
YouTube.com videos better site than Turbo Tax 2007
