Passwords (weak authentication)
Conventional password schemes involve time-invariant passwords, which provide so-called weak authentication. The basic idea is as follows. A password, associated with each user (entity), is typically a string of 6 to 10 or more characters the user is capable of committing to memory. This serves as a shared secret between the user and system. (Conventional password schemes thus fall under the category of symmetric-key techniques providing unilateral authentication.) To gain access to a system resource (e.g., computer account, printer, or software application), the user enters a (userid, password) pair, and explicitly or implicitly specifies a resource; here userid is a claim of identity, and password is the evidence supporting the claim. The system checks that the password matches corresponding data it holds for that userid, and that the stated identity is authorized to access the resource. Demonstration of knowledge of this secret (by revealing the password itself) is accepted by the system as corroboration of the entity’s identity.
Various password schemes are distinguished by the means by which information allowing password verification is stored within the system, and the method of verification. The collection of ideas presented in the following sections motivates the design decisions made in typical password schemes. A subsequent section summarizes the standard attacks these designs counteract. Threats which must be guarded against include: password disclosure (outside of the system) and line eavesdropping (within the system), both of which allow subsequent replay; and password guessing, including dictionary attacks.
Fixed password schemes: techniques
(i) Stored password files
The most obvious approach is for the system to store user passwords cleartext in a system password file, which is both read- and write-protected (e.g., via operating system access control privileges). Upon password entry by a user, the system compares the entered password to the password file entry for the corresponding userid; employing no secret keys or cryptographic primitives such as encryption, this is classified as a non-cryptographic technique. A drawback of this method is that it provides no protection against privileged insiders or superusers (special userids which have full access privileges to system files and resources). Storage of the password file on backup media is also a security concern, since the file contains cleartext passwords.
(ii) “Encrypted” password files
Rather than storing a cleartext user password in a (read- and write-protected) password file, a one-way function of each user password is stored in place of the password itself (see Figure 10.1). To verify a user-entered password, the system computes the one-way function of the entered password, and compares this to the stored entry for the stated userid. To preclude attacks suggested in the preceding paragraph, the password file need now only be write-protected.
10.3 Remark (one-way function vs. encryption) For the purpose of protecting password files, the use of a one-way function is generally preferable to reversible encryption; reasons include those related to export restrictions, and the need for keying material. However, in both cases, for historical reasons, the resulting values are typically referred to as “encrypted” passwords. Protecting passwords by either method before transmission over public communications lines addresses the threat of compromise of the password itself, but alone does not preclude disclosure or replay of the transmission (cf. Protocol 10.6).
Figure 10.1: Use of one-way function for password-checking.
Another procedural technique intended to improve password security is password aging. A time period is defined limiting the lifetime of each particular password (e.g., 30 or 90 days). This requires that passwords be changed periodically.
(iv) Slowing down the password mapping
To slow down attacks which involve testing a large number of trial passwords (see § 10.2.2), the password verification function (e.g., one-way function) may be made more computationally intensive, for example, by iterating a simpler function t > 1 times, with the output of iteration i used as the input for iteration i + 1. The total number of iterations must be restricted so as not to impose a noticeable or unreasonable delay for legitimate users. Also, the iterated function should be such that the iterated mapping does not result in a final range space whose entropy is significantly decimated.
(v) Salting passwords
To make dictionary attacks less effective, each password, upon initial entry, may be augmented with a t-bit random string called a salt (it alters the “flavor” of the password; cf. §10.2.3) before applying the one-way function. Both the hashed password and the salt are recorded in the password file. When the user subsequently enters a password, the system looks up the salt, and applies the one-way function to the entered password, as altered or augmented by the salt. The difficulty of exhaustive search on any particular user’s password is unchanged by salting (since the salt is given in cleartext in the password file); however, salting increases the complexity of a dictionary attack against a large set of passwords simultaneously, by requiring the dictionary to contain 2^t variations of each trial password, implying a larger memory requirement for storing an encrypted dictionary, and correspondingly more time for its preparation. Note that with salting, two users who choose the same password have different entries in the system password file. In some systems, it may be appropriate to use an entity’s userid itself as salt.
To allow greater entropy without stepping beyond the memory capacity of human users, passwords may be extended to passphrases; in this case, the user types in a phrase or sentence rather than a short “word”. The passphrase is hashed down to a fixed-size value, which plays the same role as a password; here, it is important that the passphrase is not simply truncated by the system, as passwords are in some systems. The idea is that users can remember phrases more easily than random character sequences. If passwords resemble English text, then since each character contains only about 1.5 bits of entropy (Fact 7.67), a passphrase provides greater security through increased entropy than a short password. One drawback is the additional typing requirement.
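The techniques in (ii), (iv), (v) and the passphrase paragraph above combine into one stored-verifier design: a salted, iterated one-way function whose output is stored in place of the password. The following is an added example, not from the original text, using the Python standard library's PBKDF2-HMAC-SHA256 as the iterated one-way function (the salt length, iteration count, sample users and word list are assumptions constructed for the demonstration). It shows why salting changes the cost of a dictionary attack against many users at once but not against one user, and why truncating a passphrase before hashing throws its extra entropy away.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Parameters assumed for this example: a 16-byte (t = 128 bit) salt and an
# iteration count chosen so that one verification costs tens of milliseconds.
SALT_BYTES = 16
ITERATIONS = 100_000


def one_way(password: str, salt: bytes, iterations: int) -> bytes:
    """Iterated, salted one-way function. PBKDF2-HMAC-SHA256 feeds the output of
    each round into the next, so each guess costs ~iterations HMAC evaluations.
    The whole (salted) password is hashed; output is 32 bytes regardless of length."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def truncating_one_way(password: str, salt: bytes, iterations: int, limit: int = 8) -> bytes:
    """What NOT to do: legacy systems such as DES-based crypt(3) used only the
    first 8 characters, so a passphrase gains no entropy beyond that point."""
    return one_way(password[:limit], salt, iterations)


def make_entry(userid: str, password: str, iterations: int = ITERATIONS,
               salt: Optional[bytes] = None) -> dict:
    """Record stored in the (write-protected) password file: userid, cleartext
    salt, iteration count and hash. The cleartext password is never stored."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    return {"userid": userid, "salt": salt, "iterations": iterations,
            "hash": one_way(password, salt, iterations)}


def verify(entry: dict, password: str) -> bool:
    """Recompute the one-way function with the stored salt; compare in constant time."""
    candidate = one_way(password, entry["salt"], entry["iterations"])
    return hmac.compare_digest(candidate, entry["hash"])


def dictionary_attack(entries: list, dictionary: list):
    """Try every word against every entry, memoising the one-way function on
    (word, salt, iterations). The returned work count is the number of distinct
    evaluations: with one shared salt the dictionary is hashed once for all
    users; with per-user salts it must be hashed again for every user."""
    cache, cracked = {}, {}
    for e in entries:
        for word in dictionary:
            key = (word, e["salt"], e["iterations"])
            if key not in cache:
                cache[key] = one_way(word, e["salt"], e["iterations"])
            if hmac.compare_digest(cache[key], e["hash"]):
                cracked[e["userid"]] = word
                break
    return cracked, len(cache)


def seconds_per_guess(iterations: int, trials: int = 5) -> float:
    """Cost the iteration count imposes on one guess (and equally on one login)."""
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    for _ in range(trials):
        one_way("benchmark", salt, iterations)
    return (time.perf_counter() - start) / trials


if __name__ == "__main__":
    # Constructed sample users and word list; a small iteration count keeps the demo fast.
    users = [("alice", "hunter2"), ("bob", "qwerty"), ("carol", "Tr0ub4dor&3")]
    words = ["letmein", "password", "qwerty", "hunter2"]
    unsalted = [make_entry(u, p, 1000, salt=b"\x00" * SALT_BYTES) for u, p in users]
    salted = [make_entry(u, p, 1000) for u, p in users]
    print("shared salt :", dictionary_attack(unsalted, words))  # alice, bob cracked with 4 evaluations
    print("per-user salt:", dictionary_attack(salted, words))   # same two cracked, 11 evaluations
    print("verify:", verify(salted[0], "hunter2"), verify(salted[0], "Hunter2"))
    s = os.urandom(SALT_BYTES)
    print("truncated passphrases collide:",
          truncating_one_way("correct horse battery staple", s, 1000)
          == truncating_one_way("correct horse", s, 1000))
    for t in (1, 1000, ITERATIONS):
        print(f"t={t:>7}: {seconds_per_guess(t) * 1e3:8.3f} ms per guess")
```

The work counts make the text's point concrete: against three users the attacker with a shared salt evaluates the four-word dictionary once, while per-user salts force a fresh evaluation for every (word, user) pair, and a real dictionary multiplied by a large user base is what makes precomputed tables impractical. The iteration count raises the cost of each of those evaluations, so the two techniques multiply. Note that the per-user search cost is unchanged, which is why the attack on carol's non-dictionary password fails equally with or without salt.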
Password rules
Since dictionary attacks (see §10.2.2(iii)) are successful against predictable passwords, some systems impose “password rules” to discourage or prevent users from using “weak” passwords. Typical password rules include a lower bound on the password length (e.g., 8 or 12 characters); a requirement for each password to contain at least one character from each of a set of categories (e.g., uppercase, numeric, non-alphanumeric); or checks that candidate passwords are not found in on-line or available dictionaries, and are not composed of account-related information such as userids or substrings thereof. Knowing which rules are in effect, an adversary may use a modified dictionary attack strategy taking into account the rules, and targeting the weakest form of passwords which nonetheless satisfy the rules. The objective of password rules is to increase the entropy (rather than just the length) of user passwords beyond the reach of dictionary and exhaustive search attacks. Entropy here refers to the uncertainty in a password (cf. §2.2.1); if all passwords are equally probable, then the entropy is maximal and equals the base-2 logarithm of the number of possible passwords.
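The rule-aware attack described above is easy to see in code. The following is an added example, not part of the original text: a rule checker of the kind described (length, character categories, userid and dictionary checks), beside the candidate generator an adversary who knows those rules would run first. The symbol set, the leet-style substitution table and the six-word dictionary are constructed for the demonstration; a real attack uses word lists of 10^5 words or more plus leaked passwords, which only makes the gap shown here wider.

```python
import math
import re
import string

MIN_LENGTH = 8
SYMBOLS = "!@#$%^&*"  # assumed symbol set; a real attacker enumerates all of string.punctuation
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}  # assumed substitution table

# Constructed toy dictionary for the demonstration.
DICTIONARY = ["password", "letmein", "welcome", "dragon", "monkey", "sunshine"]

CATEGORIES = (("uppercase", string.ascii_uppercase), ("lowercase", string.ascii_lowercase),
              ("digit", string.digits), ("symbol", string.punctuation))


def check_rules(password: str, userid: str, dictionary: list) -> list:
    """Return the list of rule violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    for name, alphabet in CATEGORIES:
        if not any(c in alphabet for c in password):
            problems.append("no " + name)
    low = password.lower()
    if len(userid) >= 3 and userid.lower() in low:
        problems.append("contains userid")
    letters_only = re.sub(r"[^a-z]", "", low)  # catches "Password1!" but not "P@$$w0rd1!"
    if low in dictionary or letters_only in dictionary:
        problems.append("dictionary word")
    return problems


def leet_variants(word: str) -> list:
    """The word itself plus, if different, the fully leet-substituted form."""
    full = "".join(LEET.get(c, c) for c in word)
    return [word] if full == word else [word, full]


def rule_aware_candidates(dictionary: list):
    """Cheapest rule-satisfying guesses an attacker tries first: a capitalised
    (optionally leet-substituted) dictionary word plus one digit and one symbol.
    Every candidate has upper, lower, digit and symbol and is at least 8 long
    whenever the word has at least 6 letters."""
    for word in dictionary:
        for variant in leet_variants(word.capitalize()):
            for digit in string.digits:
                for sym in SYMBOLS:
                    yield variant + digit + sym


def crack(target: str, dictionary: list):
    """(number of guesses, candidate) if target lies in the rule-aware list, else None."""
    for n, candidate in enumerate(rule_aware_candidates(dictionary), 1):
        if candidate == target:
            return n, candidate
    return None


def candidate_space_bits(dictionary: list):
    """Entropy (bits) of the rule-aware search space, next to the nominal entropy of a
    uniformly random 8-character password over the 94 printable ASCII characters."""
    n = sum(len(leet_variants(w.capitalize())) for w in dictionary) * len(string.digits) * len(SYMBOLS)
    return math.log2(n), 8 * math.log2(94)


if __name__ == "__main__":
    for pw in ("Password1!", "P@$$w0rd1!", "alice2024!", "Tr0ub4dor&3"):
        print(f"{pw:14} rules: {check_rules(pw, 'alice', DICTIONARY) or 'accepted'}"
              f"  cracked: {crack(pw, DICTIONARY)}")
    actual, nominal = candidate_space_bits(DICTIONARY)
    print(f"rule-aware space: {actual:.1f} bits; nominal 8-char space: {nominal:.1f} bits")
```

"P@$$w0rd1!" passes every rule, including the dictionary check, yet falls on the 89th guess, because the rules were visible to the attacker and the user chose the minimal edit that satisfies them. Even with a full-size dictionary the candidate space stays in the 20 to 30 bit range, far below the 52 bits a uniformly random 8-character password would nominally have; that difference between length and entropy is exactly what the last sentence of the text is about.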