Understanding Passwords
Belden Menkus CISA, CSP, CCP, CRM
To cite this article: Belden Menkus CISA, CSP, CCP, CRM (1996) Understanding Passwords, EDPACS, 23:8, 10-14, DOI: 10.1080/07366989609451703
To link to this article: http://dx.doi.org/10.1080/07366989609451703
EDPACS, FEBRUARY 1996
UNDERSTANDING PASSWORDS
BELDEN MENKUS
Passwords are the most frequently used mechanisms for authenticating the identity of a system user. However, using a password is not the only suitable authentication means. At least two other approaches merit consideration that employ some form of biometrics or some type of token. (Two new product offerings in these categories will be discussed in the next issue of EDPACS.)
BASIC ASSUMPTIONS
The basic assumptions in authenticating the purported identity of a potential information processing application user have not changed materially since 1985. That was when the Department of Defense issued its highly influential Password Management Guideline. The computer system access claim authentication process is based on something that the individual whose identity is being verified knows, possesses, is, or does:
• Those in the first two categories each involve the use of a surrogate. (This is something that substitutes for direct contact between the individual and the authentication mechanism.) This surrogate can be a distinctive password or passphrase, a magnetic stripe encoded card, or a special ring or keychain fob.
• Those in the second two categories involve the individual directly in the authentication process. These are the measurement of some physical characteristic of the person or of some action that this individual performs. This can be the shape of one's face or the pattern of the iris of one of the individual's eyes. This also might be the way in which one speaks some crucial words.
Two authentication mechanisms that could be demonstrated in theory to verify an individual's identity with suitable confidence have proved to be unacceptable in practice:
• Authentication was based on measuring the way in which a user signs his or her name. This recognition and verification process is based on assumptions about the consistency with which one might write one's signature; however, individuals are not always consistent in performing this function.
• Authentication was based on the uniqueness of a user's lip print. It became obvious early in the tests of this technique that most people objected to touching their lips to the metal plate that engaged in the recognition process.
[Pull quote] Theoretically a password may be of any length, from a single character to as long a character string as the operating system will allow.
HANDLING PASSWORDS
Three aspects to making effective use of passwords (or passphrases) exist:
• The way in which they are constructed.
• The manner in which they are safeguarded.
• The frequency with which they are changed.
Password Construction
Individual passwords should be distinctive and should not be deduced easily by a potential intruder who is attempting to break into the system. This precludes the use of such identifiers as individual employee social security numbers, cost-center accounting identification codes, or nicknames. This also precludes the use as passwords of such identifiers as common nouns or the names of favorite sports figures, music performers, or entertainers. To avoid the problems that may be associated with these practices it is preferable to avoid having the password defined by its potential user. Rather, the password should
[Pull quote] The number of password possibilities is determined by a combination of the character
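The construction rules above (nothing deducible from the user's own records, no common nouns or well-known names) and the pull quote's point that the password space follows from character set and length, implemented as a password-acceptance check. This is an added example, not code from the article; the sample user record, the tiny word list and the 40-bit floor are constructed assumptions.

```python
import math
import re

# Constructed stand-in for a dictionary of common nouns and well-known
# performers' names; a real deployment would load a much larger word list.
COMMON_WORDS = {"password", "summer", "football", "jordan", "madonna", "tiger"}

# Character classes and the size each contributes to the candidate's alphabet.
CHAR_CLASSES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))

def password_space_bits(charset_size: int, length: int) -> float:
    """Size of the password space in bits: charset_size ** length possibilities."""
    return length * math.log2(charset_size)

def user_derived_tokens(user: dict) -> set:
    """Identifiers an intruder could look up about the user (SSN, cost-center code,
    nickname, username), plus their digit-only forms ("123-45-6789" -> "123456789")."""
    tokens = set()
    for key in ("ssn", "cost_center", "nickname", "username"):
        value = user.get(key)
        if not value:
            continue
        low = value.lower()
        tokens.add(low)
        digits = re.sub(r"\D", "", low)
        if digits:
            tokens.add(digits)
    return tokens

def check_password(candidate: str, user: dict, min_bits: float = 40.0) -> list:
    """Return the reasons a candidate is rejected; an empty list means acceptable."""
    reasons = []
    low = candidate.lower()
    # 1. Nothing deducible from the user's own records may appear in the password.
    for token in sorted(user_derived_tokens(user)):
        if len(token) >= 3 and token in low:
            reasons.append(f"contains user identifier {token!r}")
    # 2. Common nouns and well-known names are out, even with digits bolted on.
    if re.sub(r"[^a-z]", "", low) in COMMON_WORDS:
        reasons.append("is a common word or well-known name")
    # 3. The password space follows from alphabet size and length (charset ** length).
    charset = sum(size for pattern, size in CHAR_CLASSES if re.search(pattern, candidate))
    bits = password_space_bits(charset, len(candidate)) if candidate else 0.0
    if bits < min_bits:
        reasons.append(f"password space is only {bits:.1f} bits (minimum {min_bits})")
    return reasons

if __name__ == "__main__":
    user = {"username": "jdoe", "ssn": "123-45-6789", "cost_center": "CC-4410", "nickname": "Skip"}  # constructed
    for pw in ("Skip1999", "tiger", "x7#Qm2!vLp9"):
        print(pw, "->", check_password(pw, user) or "acceptable")
```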
[Pull quote] It should not be possible for a user to print a password out through the system or to relay it to someone else through the communication network.
CHANGING A PASSWORD
To make things more difficult for a prospective intruder, individual passwords should be changed periodically. Ideally, this should be required for all system users four to six times a year. Whatever change frequency has been established, it may be increased if the number of unauthorized access attempts exceeds whatever threshold has been established.
THE FUTURE OF ELECTRONIC CASH
ALFRED JULIAN
Electronic cash can be expected in the near future to affect significantly information systems control and audit. This communication-based method of transporting and dispersing funds already is in limited testing. It is anticipated that electronic cash will be an everyday reality worldwide by early in the next decade. It is envisioned that cyberfunds will emerge from the anticipated spread of smart card commercial funds transactions. Both the nature of this concept and the way in which it functions can be expected to be modified significantly over the next several years. The concurrent use of these electronic funds along with more conventional funds transfer mechanisms may continue for some time.