
Security+ - Authentication and Identity Verification

93 bytes added, 20:02, 11 February 2008
== Username and Password ==
Perhaps the most rudimentary and least secure level of authentication involves the use of a username and password to access a system. This approach simply involves presenting a user with prompts for a username and password which, if entered correctly, will permit access to the system. For many years this was the primary method of authentication control.
The weakest form of username and password authentication uses ''plain text'' communication, where both credentials are transmitted to the server in an unencrypted format, allowing anyone eavesdropping on the connection using ''sniffing'' technology to easily read the username and password and subsequently use them to gain unauthorized system access. Remote access technology such as ''telnet'' uses plain text when presenting authentication credentials. For this reason alone, the use of telnet for providing remote access to systems has been largely discontinued in favor of encrypted alternatives.
Technologies such as ''Secure Shell'' (ssh) still use a username and password, with the exception that the username and password are encrypted (as is all data transmitted after authentication has taken place), making it harder for an eavesdropper to intercept and utilize these credentials.
Even with encryption, the username and password approach to authentication has a number of inherent weaknesses. Firstly, it identifies only the account and does nothing to verify that the person accessing the account is an authorized user. As such, the username and password can fall into the wrong hands (it is amazing how many people have their username and password written on a piece of paper stuck to their monitor) and the authentication system will have no way of knowing that the wrong person is logging in.
Secondly, username and password security is only as secure as the choice of password. If a weak password is chosen, it increases the chance that the password may be guessed or cracked using automated password cracking technology. This problem is generally mitigated through the implementation of strict rules on passwords, where users are prevented from setting up weak passwords. Password cracking may also be easily prevented by disabling an account after a specified number of invalid password attempts.
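The two mitigations described above (a password policy that rejects weak passwords, and disabling an account after a set number of invalid attempts), as an added example that is not part of the original article. The policy values, the in-memory account store and the use of a salted PBKDF2 hash for storage are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import re

# Constructed policy values (hypothetical): lockout threshold and minimum length.
MAX_FAILED_ATTEMPTS = 3
MIN_LENGTH = 8


class WeakPasswordError(ValueError):
    """Raised when a password does not satisfy the policy."""


def check_password_policy(password: str) -> None:
    """Reject weak passwords before they are ever stored."""
    if len(password) < MIN_LENGTH:
        raise WeakPasswordError("password shorter than %d characters" % MIN_LENGTH)
    if not (re.search(r"[A-Z]", password) and re.search(r"[a-z]", password)
            and re.search(r"[0-9]", password)):
        raise WeakPasswordError("password needs upper, lower and digit characters")


class AccountStore:
    """In-memory account table: username -> salt, password hash, failure count, lock flag."""

    def __init__(self):
        self._accounts = {}

    def _hash(self, password: str, salt: bytes) -> bytes:
        # Salted, iterated hash so the stored value is not the plain-text password.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create(self, username: str, password: str) -> None:
        check_password_policy(password)          # strict rules applied at creation time
        salt = os.urandom(16)
        self._accounts[username] = {"salt": salt, "hash": self._hash(password, salt),
                                    "failed": 0, "locked": False}

    def is_locked(self, username: str) -> bool:
        return self._accounts[username]["locked"]

    def authenticate(self, username: str, password: str) -> bool:
        acct = self._accounts.get(username)
        if acct is None or acct["locked"]:       # unknown or disabled account: deny
            return False
        if hmac.compare_digest(acct["hash"], self._hash(password, acct["salt"])):
            acct["failed"] = 0                   # successful login resets the counter
            return True
        acct["failed"] += 1
        if acct["failed"] >= MAX_FAILED_ATTEMPTS:
            acct["locked"] = True                # disabled until an administrator resets it
        return False
```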
== Challenge Handshake Authentication Protocol (CHAP) ==