A digital password is a sequence of random characters used to limit access to a digital device and/or software by requiring a user to show authorization via the secret password. Oral passwords predate electronic technology and were used by the ancient Romans. The first digital passwords of the modern era came from researchers at the Massachusetts Institute of Technology in the mid-1960s with the creation of their Compatible Time-Sharing System computer. The proliferation of digital devices and systems using passwords has led to increases in fraud and theft through password phishing and hacking. In response, government and private industry have worked to create digital password solutions that thwart hackers and prevent them from invading users’ privacy or conducting data surveillance, while easing the pressure on users to create, conceal, and recall numerous unique passwords. This entry describes the various forms and systems of authentication, including digital passwords; reveals the vulnerabilities in digital password systems; reflects on some prominent thefts of digital passwords from corporations; and concludes with suggestions for how users and administrators can combat password hacking.
A digital password is an unspaced sequence of random computer characters (i.e., numbers, letters, and symbols) that is created to limit access to a digital device and/or software application by requiring a user to show authentication via the secret password. Digital passwords are a form of what is called authentication. Different authentication types include something a digital user knows (e.g., a password or one’s unique signature), something a digital user has (e.g., a physical token or a one-time password), or something a digital user is (e.g., fingerprints, voiceprints, and other biometrics). Digital security experts have criticized digital systems that rely on single-factor authentication, such as requiring only one digital password before providing a user with access to a resource. Digital passwords are considered to be effective digital security measures when they are required in conjunction with other levels of authentication.
In 2012, it was estimated that an average person has more than eight digital passwords, which makes it a challenge for users to create passwords that are both secure and easy to remember. Different organizations have proposed solutions that offer a single sign-on for different online services. For example, the nonprofit InCommon, founded in 2005, provided services to 8 million end users as of 2014 and is used in many universities and colleges. Critics noted the cost of InCommon software, the challenges of working on incompatible platforms, and how a single sign-on server going down can also take down supported applications. In 2011, the U.S. government unveiled a $56.3 million plan to create an identity ecosystem in which a smart card or a token would create a single one-time digital password to eliminate password reuse and increase online anonymity.
The theft of mobile devices has left many digital users vulnerable, as their devices contain unsecured passwords that security experts say should be kept in secured, encrypted, and cloud-based password managers or digital wallets. Recent estimates place the number of smartphones that are not password protected at more than 30%. Digital passwords are often stolen using several common techniques. In a front-door attack, a hacker repeatedly tries to guess the password, whereas in a backdoor attack, a hacker is able to access the database of a device’s password manager. In addition, a transmission attack happens when data are intercepted while being transmitted (e.g., while syncing data or over Wi-Fi).
Password hackers have attacked major companies such as ADP, Anthem Inc., eBay, Google, Facebook, Sony Pictures, Twitter, Last.fm, LinkedIn (6.5 million passwords stolen in June 2012), and Yahoo. Hackers in some high-profile cases such as these are suspected to have used backdoor attacks via malware keylogging software, which captures administrator-typed passwords to gain access to consumer information databases. When the hackers of Sony Pictures released the studio’s films and executives’ private emails in late 2014, the press reported that the hackers had found a file directory on company computers named “Passwords” during a backdoor attack, which contained thousands of passwords. Smaller password hacks can be attributed to user actions. For example, some digital users whose passwords were hacked had used passwords that were easily guessed by a hacker mounting a front-door attack, including “password,” “123456,” and “admin,” and/or had used these passwords for multiple websites. Experts estimate that one in 10 four-digit personal identification numbers is “1234.”
See also: Anonymous; Bioinformatics; Cloud Computing; Identity Theft