Passwords or passphrases originated in military situations in ancient times. The Romans called them "watchwords," and they were a way for traveling friendly units to verify that they were not spies or enemies.
One of the first uses of passwords in computing was at MIT's Compatible Time Sharing System. To log in, users would identify themselves and then enter their password. Not long after the advent of the early Internet – an event which took place in 1969 between four computers – Robert Morris of Bell Labs developed a secure method of storing encrypted passwords in databases. In his white paper, he describes, even then, the drive for ease of use.
In the intervening years, cryptography has come a long way. The NSA and other organizations intimately dependent upon strong cryptography have developed new algorithms and have held ongoing contests for the cracking of these algorithms. You may be thinking, "Why would they want the security broken?" The answer isn't so much that they want the security broken, but that they want to know whether or not it is currently possible to do so. In this way, they can develop stronger security by examining the methods used to break the previous versions.
A good historical example of this was when Distributed.net cracked RSA Labs' RC5-56 56-bit secret key. The cracking process took 1,757 days to complete using a distributed network of computers all over the world and at the end of 1997, the mission was successful. The award for this achievement was $10,000 – closer to $15,000 in today's money.
Cryptographers all over the world are continually trying to crack existing algorithms and develop more secure replacements. In the end, no algorithm will ever be perfect or "un-crackable," but the energy and effort required to crack them will increase with each improvement. These algorithms are important to this discussion of password security because cryptography is used to store passwords securely, in a way that prevents attackers who gain access to databases from being able to use the data without having the private key – the key which allows one to decrypt anything in such a database.
In many cases, such a key doesn't exist in this sense. The user must instead create a new password if they have certain credentials, and that password will in turn be encrypted and stored in place of the previous one in the database. Two-factor authentication, in which the server sends a text message to the user and verifies a code, has become a common way of setting new passwords.