The Disadvantages of Password Authentication Protocolby G.S. Jackson
The most basic form of user authentication, particularly on the Web, is the password authentication protocol. This method of authentication forces you to remember username/password combinations to access accounts or special sections of a website. While effective and in some ways fundamentally a part of online security, password authentication protocols fail when you don't address them seriously. This means constructing complex passwords and maintaining secrecy. This also means that entities implementing password authentication must safeguard passwords in some way.
Brute Force Attacks and Complexity
You typically can't guess a password unless you know something about the user of that password, and then only if the password represents something knowable about that user. Computer programs, however, can launch brute force attacks on password systems. This means that a program literally reads through a provided dictionary of terms, trying each word until the correct combination of characters breaks the password. Typically, protecting yourself from these attacks requires you to create complex passwords that include numbers, letters, and special symbols, which can be hard to remember.
Storage and Encryption
When you use password authentication, you must store passwords and usernames in a database to authenticate users. If you don't have strong server security, someone can break into the database and read the passwords. One way to address this is to use password "hashing," which involves running the password through a hash algorithm that produces a unique value based on the password and stores the hash value instead of the password itself. If the database is breached, the attacker can read only the hashes and have no idea what the passwords are. However, hashing in this sense exists only due to the inherent weakness of plain text password authentication.
Secrecy and Public Use
Like many people, you probably use the Internet in pubic places such as libraries or cafes. Inevitably, you'll also probably log into various websites using passwords while in this public place. This introduces multiple security issues inherent to password authentication. First, someone physically near you may look over your shoulder and read your password, or look at your keyboard and note your key strokes. Second, someone connected to the network might try to intercept your password information as you log in using network programs that monitor the local Wi-Fi hot spot.
Perhaps most importantly, passwords are only as strong and secure as equal to the amount of effort used to maintain them. You may find that many people use common password tropes, such as "password," "1234," or "pass" as passwords for sites they use. Furthermore, many will use the same password for multiple sites, meaning that if one site is compromised, then any other site that uses that password is also compromised. Also, you'll find that many users don't change from default passwords, such as passwords defined by software manufacturers only meant to function temporarily. If someone knows the manufacturer's default password for a product, he's liable to try those passwords first.
- ZDNet: Brute Force Attacks: Beyond Password Basics
- The Linux Documentation Project: CHAP Versus PAP
- UNC Charlotte Department of Software and Information Systems: Security Analysis of a Password-Based Authentication Protocol Proposed to IEEE 1363
- Windows Security: Protect Against Weak Authentication Protocols and Passwords