Password security: A case history
Robert Morris and Ken Thompson. Password security: A case history. Communications of the ACM, 22(11):594--597, 1979.
Reviews due for this or other paper Thursday, 4/26.
Comments
Summary
The paper mainly discusses how the UNIX password security scheme on a remotely accessed time-sharing system evolved in order to counter the attempts to penetrate the system.
Problem Description
Remotely accessed time-sharing systems are susceptible to a lot of security attacks. The standards of security features implemented on such a system have evolved with time in order to cope with the immediate forms of the attacks, thus, making the system more secure.
Summary of Contributions
The paper mainly talks about the evolution of the security scheme on a remotely accessed time-sharing system. The first scheme the paper presents involves storing the user passwords only in the encrypted form. The reason is that if the passwords are stored as they are, if someone gets hold of the password file, he gets all the passwords. The only catch here is to find a method to encrypt the passwords which is quite difficult to invert. The major form of attacks, that the system suffered from, were exhaustive programs used to invert the passwords or to generate the password.
The paper also presents a brief study of the times taken to generate a password using the exhaustive password generation method. When the password length is more than 6 letters and all 128 ASCII characters can be used, then 174 years are required to hack a password. Since time-sharing systems store a lot of passwords, the probability of generating a password using this scheme increases significantly. As a result, the authors suggest that users use unpredictable passwords. The paper also presents the idea of asking a user for another password if the password entered does not satisfy the security standards.
Flaws
The paper overlooks the fact that once a system can be remotely accessed, there are lots of ways other than exhaustively generating passwords to hack a system, e.g. packets being sent to a system can be sniffed for usernames and passwords.
Relevance
Since the paper was written in 1979, I am submitting the relevance section for it.
Some of the ideas presented in the paper, like asking the user to re-enter a password in case a password does not meet certain security standards, are still used to force the users to create more secure passwords.
Posted by: Atif Hashmi | April 26, 2007 01:22 AM
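The three ideas the review above takes from the paper (store only a one-way transform of the password, reject weak passwords at entry, and reason about how long an exhaustive search takes) as an added Python example; this is not code from the paper or the commenter. It uses salted PBKDF2 in place of the paper's original crypt routine, and the policy rules and the 1000 trials-per-second search rate are assumptions, not figures from the paper.

```python
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 100_000          # work factor: slows down each guess in an exhaustive search
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt$digest' in hex; the clear-text password itself is never stored."""
    salt = salt or secrets.token_bytes(16)   # per-user random salt (assumed scheme)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest from the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def policy_ok(password: str) -> bool:
    """Assumed entry-time policy (not the paper's exact rule): at least 6 characters
    and not drawn entirely from one small class (all lowercase letters or all digits)."""
    if len(password) < 6:
        return False
    only_lowercase = password.isalpha() and password.islower()
    return not only_lowercase and not password.isdigit()

def search_space(alphabet_size: int, max_len: int) -> int:
    """Number of candidate passwords of length 1..max_len over the given alphabet."""
    return sum(alphabet_size ** k for k in range(1, max_len + 1))

def years_to_exhaust(space: int, trials_per_second: float) -> float:
    """Wall-clock years for a search that tries every candidate exactly once."""
    return space / trials_per_second / SECONDS_PER_YEAR

if __name__ == "__main__":
    stored = hash_password("correct horse")   # constructed sample password
    print(verify_password("correct horse", stored), verify_password("wrong", stored))
    for alphabet, label in ((26, "lowercase"), (128, "full ASCII")):
        for n in (4, 6, 8):
            yrs = years_to_exhaust(search_space(alphabet, n), 1000)  # assumed 1000 trials/s
            print(f"{label:>10} len<={n}: {yrs:,.3f} years")
```

The printed table shows why the review's point about many stored passwords matters: the per-password search time is only meaningful if each entry carries its own salt, otherwise one search covers every account at once.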