A password is a string of characters used to verify the identity of a user during the authentication process. Passwords are typically used in conjuncture with a username; they are designed to be known only to the user and allow that user to gain access to a device, application or website. Passwords can vary in length and can contain letters, numbers and special characters. Other terms that can be used interchangeably are passphrase for when the password uses more than one word, and passcode and passkey for when the password uses only numbers instead of a mix of characters, such as a personal identification number.
Creating a secure password
Many organizations set password policies so employees create strong passwords and use best practices for their login credentials. Some of the best practices for password requirements include:
- A minimum length of eight characters with a limit of anywhere from 16 to 64 characters or possibly even higher;
- The inclusion of both uppercase and lowercase letters with case sensitivity;
- The use of at least one number; and
- The use of at least one special character.
Policies should prohibit certain characteristics in weak passwords. For instance, any recognizable personal information -- such as birthdates, names of children, or favorite sports teams -- should not be part of a password, as well as any words or phrases that are on a password blacklist.
Password blacklists are lists of passwords that are too easily cracked and thus are not secure enough to use. Common offenders that wind up on blacklists include "123456," "password," "football," "qwerty" and so on.
Strong password policies also include a time limit for user passwords. This means that passwords will expire after a set period of time -- such as 90 or 180 days -- and users will be forced to change their password to prevent the reuse of the same couple of passwords. The policy may also require the user to create a password that is different from any other they have used in the last six to 12 months.
While strong passwords are ideal, users often forget them. As a result, password recovery methods might vary depending upon access to an application, website or device. Methods might include answering security questions, confirming emails asking if users want to reset their passwords, or entering numerical security codes sent via text to a mobile phone to authenticate users who need to reset passwords or recover the original one.
History of password usage
The use of passwords in computing dates back to 1961 when the Massachusetts Institute of Technology introduced the Compatible Time-Sharing System or CTSS. The CTSS was one of the first time-sharing operating systems and had a LOGIN command that required a user password.
In the 1970's Robert Morris, the cryptographer who famously created the Robert Morris worm, built a system for storing hashed passwords as a part of UNIX operating systems. This early form of encryption translated passwords into numeric values.
Since then, the password as a security measure has been on decline. In 2004, Microsoft co-founder Bill Gates declared that the password was dead at several technology conferences including RSA Security in February 2004 and IT Forum in Copenhagen, Denmark later that year.
Today, many enterprises are looking to reduce their reliance on passwords and/or completely eliminate them; organizations such as the FIDO Alliance have developed technology standards that replace conventional passwords with alternative authentication techniques.
There are many authentication options available today so that users do not have to rely on passwords that can be easily cracked or compromised.
These options include:
- Two-factor authentication (2FA) -- 2FA requires users to provide two authentication factors that include a combination of something the user knows -- like a password or PIN; something the user has -- like an ID card, security token or smartphone; or something the user is -- biometrics.
- Biometrics -- Biometric technology is mainly used for identification and access control. Biometrics includes physiological characteristics such as fingerprints or retinal scans, and behavioral characteristics such as typing patterns and voice recognition.
- Multifactor authentication (MFA) -- MFA is similar to 2FA except that it is not limited to only two authentication factors. It also uses something the user knows, something the user has and something the user is.
- Tokens -- A security token is a physical hardware device like a smart card or key fob that a user carries to authorize access to a network.
- One-time passwords (OTP) -- An OTP is an automatically generated password that only authenticates a user for a single transaction or session. These passwords change for every use and are typically stored on security tokens.
- Social logins -- A social login in when users can authenticate themselves on applications or websites by connecting to their social media account such as Facebook or Google instead of using a separate login for each and every site.