Updated: July 11, 2020 (November 12, 2001)


The Problem with Passwords


Passwords have been the primary means of authentication on computer systems since the earliest mainframes, but they have always been vulnerable to human factors. These failings, compounded by the rapid growth in computer processing power, the growing number of systems and applications requiring password authentication, and the additional vulnerabilities posed by the Internet, are quickly making compromised passwords a major security risk.

Technical Factors

Breaking the cryptographic algorithms used by shared-secret authentication protocols, such as Kerberos, is computationally infeasible even using tremendous amounts of computing power. However, this holds only when the secret keys are large and randomly distributed across the key space. The 128-bit RC4 encryption algorithm used in North American versions of Windows 2000 Kerberos can use 2^128, or 3.4 x 10^38, unique keys. Users cannot remember or even use an RC4 key directly; instead, a hashing function takes their variable-length password and generates a fixed-length RC4 key from it. A hashing function does not randomize the output; the same input fed into a particular hashing algorithm will always generate the same hash value.
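The following sketch is an added example, not part of the original article. It shows why a deterministic password-to-key hash caps the keys actually in use at the size of the password space rather than 2^128. The `derive_key` stand-in (SHA-256 truncated to 128 bits), the function names, and the sample password policies are assumptions made for illustration; the article does not name the hash Windows 2000 uses.

```python
import hashlib
import math

KEY_BITS = 128  # RC4 key size quoted in the article


def derive_key(password: str) -> bytes:
    # Assumption: stand-in hash (SHA-256 truncated to 128 bits), used only
    # to show a fixed-length key derived deterministically from a password.
    return hashlib.sha256(password.encode("utf-16-le")).digest()[: KEY_BITS // 8]


def password_space_bits(alphabet_size: int, max_length: int) -> float:
    # log2 of the number of distinct passwords of length 1..max_length.
    total = sum(alphabet_size ** n for n in range(1, max_length + 1))
    return math.log2(total)


def reachable_key_bits(alphabet_size: int, max_length: int) -> float:
    # A deterministic hash emits at most one key per password, so the keys
    # in use are bounded by the smaller of the two spaces.
    return min(float(KEY_BITS), password_space_bits(alphabet_size, max_length))


def min_length_for_full_keyspace(alphabet_size: int) -> int:
    # Shortest fixed length at which random passwords span >= 2**128 values.
    length = 1
    while alphabet_size ** length < 2 ** KEY_BITS:
        length += 1
    return length


if __name__ == "__main__":
    # Constructed sample policies: (label, alphabet size, maximum length).
    policies = [("lowercase, 8 chars", 26, 8),
                ("mixed case + digits, 8 chars", 62, 8),
                ("printable ASCII, 14 chars", 95, 14)]
    for label, alphabet, length in policies:
        bits = reachable_key_bits(alphabet, length)
        print(f"{label:30s} ~{bits:5.1f} of {KEY_BITS} key bits reachable")
    for alphabet in (26, 62, 95):
        needed = min_length_for_full_keyspace(alphabet)
        print(f"alphabet of {alphabet}: {needed} random characters to span 2^128")
    # Determinism: the same (constructed) password always maps to the same key.
    print(derive_key("Summer2001") == derive_key("Summer2001"))
```
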
