requiring both an ATM card (what you have) as well as a keyed Personal
Identification Number or PIN (what you know) in order to manage funds
within the linked bank account.
What You Know
Identification of this type includes personal identification numbers,
log-on identifiers, and passwords. The log-on/password combination is
perhaps the most widely used identification system, because it can be easily
applied to many different environments and applications and is accessible
by any user interface able to generate keystroke responses. Even eye-blink
readers and other forms of assistive technology can be used to provide
keystroke responses for log-on and password identification.
Because of its utility, the log-on/password combination is a popular
choice for identifying user and service accounts in many network
enterprises. Because both factors fall within the “what you know” category of
identification, however, such solutions are subject to guessing and
brute-force attacks in which automated tools are used to test all possible
combinations of characters sequentially. The relative “strength” of a
log-on/password combination is affected by several factors:
Length. The minimum length of a password determines the minimum
number of tests that must be performed before all combinations
have been attempted. If only alphabetic characters are used
(A-Z), then a single-character password would require only 27 tests to
check all possible combinations (a null or empty password being an
option unless prevented by security policies). A four-character
non-null alphabetic password would require over 450,000 tests, while
an eight-character password would require almost 410 billion tests.
With gigabit bandwidth, teraflop processing power, and distributed
attacks employing tens of thousands of attacking systems, even very
long passwords can only lengthen the time required to gain
unauthorized access.
Complexity. Like length, the complexity of a password can also
improve its strength. By using uppercase (A-Z), lowercase (a-z),
numbers (0-9), and special characters (such as , `, and !), each
character within the password requires almost four times the number
of tests before all possible combinations have been tried. A complex