Skip to content
Elvis Chidera

Password Security: A Case History — Paper Summary

summary, paper, security1 min read

Authors: Robert Morris and Ken Thompson

Date: 1978

Link: PDF

  1. This paper describes the history of the design of the password security scheme on a remotely accessed time-sharing system.
  2. The present design was the result of countering observed attempts to penetrate the system. The result is a compromise between extreme security and ease of use.
  3. The password system must be able to:
    • Prevent any access to the system by unauthorized users
    • Prevent users who are already logged in from doing things that they are not authorized to do.
  4. Good system security involves realistic evaluation of the risks not only of deliberate attacks but also of casual authorized access and accidental disclosure.
  5. The UNIX system was first implemented with a password file that contained the actual passwords of all the users, and for that reason, the password file had to be heavily protected against being either read or written. The technique is excessively vulnerable to lapses in security.
  6. Encrypting passwords was the obvious first solution to the system.
  7. However, given most humans are prone to use simple passwords, an attacker can use brute force (key search) to determine the actual (unencrypted) passwords.
  8. Improvements to the First Approach:
    • Slower Encryption
    • Less predictable password requirement
    • Salted passwords
  9. Whenever any security procedure is set up to deny access to unauthorized persons, it is wise to keep a record of both successful and unsuccessful attempts to get to the secured resource.
© 2024 by Elvis Chidera. All rights reserved.