The National Institute of Standards and Technology (NIST) issued a draft of Special Publication 800-118 entitled “Guide to Enterprise Password Management” that I have been using to help our corporate IT folks formulate standard password policy. The guide is a comprehensive look at the subject and I highly recommend that anyone involved in establishing enterprise-level password policy give it a read.
If you have ever read any of the NIST security-related publications – or any other government publications – you know that their standards dictate a define-your-terms approach to everything. This got me to thinking that over the years, I have used much password-related terminology in my various posts, much of which I have never defined. The guide contains a listing of the terms used in the report along with their definitions. I found this enlightening and I think you will too.
Authentication: The process of establishing confidence in the validity of a claimant’s presented identifier, usually as a prerequisite for granting access to resources in an information system.
Brute Force Attack: A form of guessing attack in which the attacker uses all possible combinations of characters from a given character set and for passwords up to a given length.
Capturing: The act of an attacker acquiring a password from storage, transmission, or user knowledge and behavior.
Claimant: An entity that has presented an identity but has not been authenticated.
Cracking: The process of an attacker recovering cryptographic password hashes and using various analysis methods to attempt to identify a character string that will produce one of those hashes.
Dictionary Attack: A form of guessing attack in which the attacker attempts to guess a password using a list of possible passwords that is not exhaustive.
Guessing: The act of repeatedly attempting to authenticate using default passwords, dictionary words, and other possible passwords.
Hybrid Attack: A form of guessing attack in which the attacker uses a dictionary that contains possible passwords and then uses variations through brute force methods of the original passwords in the dictionary to create new potential passwords.
Identification: A claimant presenting an identifier that indicates a user identity for a system.
Keyspace: The total number of possible values that a key, such as a password, can have.
Keystroke Logger: A form of malware that monitors a keyboard for action events, such as a key being pressed, and provides the observed keystrokes to an attacker.
Passphrase: A relatively long password consisting of a series of words, such as a phrase or full sentence.
Password: A secret, typically a character string, that a claimant uses to authenticate its identity.
Password Expiration: The process of forcing a user to select a new password after a certain amount of time.
Password History: The retention of one or more previous passwords or password hashes for comparison against new passwords or password hashes.
Password Management: The process of defining, implementing, and maintaining password policies throughout an enterprise.
Password Management Software Utility: A local utility that allows a user to store usernames, passwords, and other small pieces of sensitive information, such as account numbers.
Password Recovery: The process of a user regaining access to a password that the user has forgotten.
Password Reset: The process of a user having a new password set for a user account.
Password Synchronization: A technology that takes a password from the user and changes the passwords on other resources to be the same as that password, so that the user can use the same password when authenticating to each resource.
Personal Identification Number (PIN): A password that is relatively short (usually 4 to 6 characters) and consists of only digits.
Rainbow Table: A lookup table that contains pre-computed password hashes, often used during cracking.
Reduced Sign-On: A technology that allows a user to authenticate once and then access many, but not all, of the resources that the user is authorized to use.
Salting: The inclusion of a random value in the password hashing process that greatly decreases the likelihood of identical passwords returning the same hash.
Single Sign-On: A technology that allows a user to authenticate once and then access all the resources that the user is authorized to use.
Stretching: The act of hashing each password and its salt thousands of times, which makes the creation of rainbow tables more time-consuming.
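To make the Salting, Stretching, Keyspace and Brute Force Attack entries concrete, here is a small added example (my own code, not from the NIST draft). It assumes PBKDF2-HMAC-SHA256 from the Python standard library as the stretching function and a constructed iteration count; the storage format string is also an assumption.

```python
import hashlib
import hmac
import os
from typing import Optional

# Salting: a random per-password value is mixed into the hash, so two users
# who pick the same password still store different hashes and one rainbow
# table cannot cover both.  Stretching: the hash is iterated many times so
# every guess an attacker makes costs that many hash computations.
ITERATIONS = 200_000   # constructed stretching factor; tune to your hardware
SALT_BYTES = 16        # 128-bit random salt per stored password


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a storable record: 'pbkdf2_sha256$<iterations>$<salt>$<hash>'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing differences do not leak a partial match.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def keyspace(charset_size: int, max_length: int, min_length: int = 1) -> int:
    """Number of candidates a brute force attack covers for lengths
    min_length..max_length over a character set of charset_size symbols."""
    return sum(charset_size ** n for n in range(min_length, max_length + 1))


if __name__ == "__main__":
    # Same password, two users: different salts, different stored hashes.
    a = hash_password("correct horse")
    b = hash_password("correct horse")
    print(a != b, verify_password("correct horse", a), verify_password("wrong", a))
    # Keyspace of a 4-digit PIN versus an 8-character lowercase password.
    print(keyspace(10, 4, 4), keyspace(26, 8, 8))
```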