Introduction to Password Authentication
Passwords are the most common form of authentication. A password is a string of letters, digits and special characters that is supposed to be known only to the person being authenticated. There are great myths about password authentication. People believe that a password is the simplest and least expensive authentication mechanism, because it requires no special hardware or software support. This perception is quite wrong. In this article, we look in detail at the mechanisms implemented for password authentication.
Password Authentication Mechanism
In this section, we discuss the two main mechanisms used for password authentication.
1. Clear Text Password
A clear-text password is the simplest password-based mechanism. In this mechanism, a user ID and password are assigned to the user. For security purposes, the user changes the password periodically. The password is stored in the database against the user ID in clear-text format.
This password authentication works as follows:
Step 1: Prompt for user ID and password
During the authentication process, the application first prompts the user with a screen asking for the user ID and password.
Step 2: User enters user ID and password
When the application displays the prompt, the user enters his/her user ID and password and presses the OK or Sign in button. After clicking OK, both the user ID and the password travel to the server in clear-text format.
Step 3: User ID and password validation
In this step, the server checks the user database to see whether this particular user ID and password exist. This validation is done by the user authenticator program, which checks the entered user ID and password against the stored user database and returns a result based on success or failure.
Step 4: Authentication Result
In this step, the user authenticator program returns the result of validating the user ID and password (success or failure) to the server.
Step 5: Inform User Accordingly
Based on the result, the server informs the user. If authentication succeeds, the server sends the user a menu of options containing the various actions the user can perform. If authentication fails, the server sends an error screen to the user.
There are two major problems in this password authentication mechanism:
- The database contains the password in clear-text format: the user database holds the user ID and password in clear text, so if an attacker somehow gets access to this database, the attacker obtains the list of all user IDs and passwords. To avoid this, it is advisable to store the user ID and password in an encrypted format.
- The password travels in clear text from the user's computer to the server: storing the user ID and password in an encrypted format solves the first problem, but the user ID and password still travel from the user's computer to the server in clear-text format. An attacker who gets access to this traffic can easily obtain the password.
2. Something Derived from a Password
To overcome the weaknesses of the clear-text password mechanism, this mechanism runs an algorithm on the password and stores the output of that algorithm in the database in place of the password. When a user enters a password, the user's own computer runs the algorithm on the password and sends the derived password to the server.
This mechanism works as follows.
A Message Digest of Passwords
- Rather than storing the password in clear-text format, calculate the message digest of the password and store that in the user database.
- To perform user authentication, the user's computer calculates the message digest of the password and sends the user ID and the message digest to the server.
- The server passes these values to the user authenticator program, which validates the user ID and message digest of the password against the database and returns the appropriate result to the server. The server then returns the result to the user.
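The two storage schemes side by side, as an added example that is not part of the original article: a clear-text store (mechanism 1), a digest store in which the client sends the digest instead of the password (mechanism 2), and, going beyond the article, a salted store using a slow key derivation function (PBKDF2-HMAC-SHA256). The user database is an in-memory dictionary and the user IDs and passwords are constructed for the example; all class and function names are this example's own.

```python
import hashlib
import hmac
import os


def message_digest(password: str) -> str:
    """The 'something derived from a password' of the article: a SHA-256
    digest, computed on the client before anything is sent to the server."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class ClearTextStore:
    """Mechanism 1: the database holds the raw password, so whoever reads the
    table reads every password."""

    def __init__(self) -> None:
        self.db: dict[str, str] = {}  # constructed in-memory user database

    def register(self, user_id: str, password: str) -> None:
        self.db[user_id] = password

    def authenticate(self, user_id: str, password: str) -> bool:
        # The user authenticator program: look up the record and compare.
        stored = self.db.get(user_id)
        return stored is not None and hmac.compare_digest(
            stored.encode("utf-8"), password.encode("utf-8"))


class DigestStore:
    """Mechanism 2: the database holds only the digest and the client sends
    the digest instead of the password."""

    def __init__(self) -> None:
        self.db: dict[str, str] = {}

    def register(self, user_id: str, password: str) -> None:
        self.db[user_id] = message_digest(password)

    def authenticate(self, user_id: str, sent_digest: str) -> bool:
        stored = self.db.get(user_id)
        # compare_digest runs in constant time, so a mismatch does not leak
        # how many leading characters of the digest were right.
        return stored is not None and hmac.compare_digest(
            stored.encode("utf-8"), sent_digest.encode("utf-8"))


class SaltedStore:
    """Beyond the article: a random per-user salt plus a deliberately slow
    derivation (PBKDF2-HMAC-SHA256), so a leaked table cannot be attacked with
    a precomputed table of digests and each guess costs real CPU time."""

    ITERATIONS = 600_000  # iteration count chosen for this example

    def __init__(self) -> None:
        self.db: dict[str, tuple[bytes, bytes]] = {}  # user_id -> (salt, key)

    @classmethod
    def _derive(cls, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, cls.ITERATIONS)

    def register(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self.db[user_id] = (salt, self._derive(password, salt))

    def authenticate(self, user_id: str, password: str) -> bool:
        record = self.db.get(user_id)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._derive(password, salt))


if __name__ == "__main__":
    # What an attacker who dumps each database actually sees for one user.
    for store in (ClearTextStore(), DigestStore(), SaltedStore()):
        store.register("alice", "hunter2")
        print(type(store).__name__, "stores:", store.db["alice"])
```

Run the block to see that only the clear-text store exposes the password itself. A bare, unsalted digest as in the article still lets an attacker who copies the table test candidate passwords offline at full hashing speed, which is why the salted, iterated variant is what a production system should store.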
To improve the security of the previous scheme, we need to add randomness. This works as follows:
1. Calculate the message digest of the password and store it in the user database as the derived password.
2. The user sends a login request to the server containing only the user ID.
3. When the server receives the login request, it first checks whether the user ID is valid. If not, it sends an error screen; if the user ID is valid, it creates a random challenge and sends it back to the user.
4. The application displays the password entry screen. When the user enters the password, the application runs a program to calculate the message digest of the password. This message digest is used to encrypt the random challenge received from the server in step 3.
5. When the server receives the encrypted random challenge from the user, it validates it to ensure that it came from the right user. This validation can be done in two ways. The first way: the server decrypts the received value with the message digest of the user's password and compares it with the original random challenge; if they match, the response came from the right user. The second way: the server encrypts the original random challenge with the message digest of the user's password and compares it with the encrypted challenge received from the user; if they match, the response came from the right user.
6. Based on the outcome of the previous step (success or failure), the server sends the appropriate result to the user.
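The challenge-response exchange with both sides' messages, as an added example that is not part of the original article. One substitution is made and should be read as such: "encrypt the random challenge with the digest" is implemented with a keyed MAC (HMAC-SHA256 keyed by the digest) rather than a reversible cipher, so only the article's second verification method (server re-encrypts and compares) applies; with a reversible cipher the first method (decrypt and compare) would work equally. The `Server`, `Client` and `run_login` names, the in-memory database and the sample user are this example's own.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def message_digest(password: str) -> bytes:
    """Step 1/4: the derived password, SHA-256 of the password."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def encrypt_challenge(key: bytes, challenge: bytes) -> bytes:
    """Stand-in for 'encrypt the challenge with the digest': HMAC-SHA256 keyed
    with the digest (an assumption of this example, not the article's cipher)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Server:
    def __init__(self) -> None:
        self.db: dict[str, bytes] = {}       # user_id -> stored digest (step 1)
        self.pending: dict[str, bytes] = {}  # user_id -> outstanding challenge

    def register(self, user_id: str, password: str) -> None:
        self.db[user_id] = message_digest(password)

    def login_request(self, user_id: str) -> Optional[bytes]:
        """Steps 2-3: unknown user ID -> error (None); known user ID -> a
        fresh 32-byte random challenge that is remembered for verification."""
        if user_id not in self.db:
            return None
        challenge = secrets.token_bytes(32)
        self.pending[user_id] = challenge
        return challenge

    def verify(self, user_id: str, response: bytes) -> bool:
        """Step 5, second method: re-encrypt the original challenge with the
        stored digest and compare. The challenge is consumed whether or not
        the response matches, so a captured response cannot be replayed."""
        challenge = self.pending.pop(user_id, None)
        if challenge is None:
            return False
        expected = encrypt_challenge(self.db[user_id], challenge)
        return hmac.compare_digest(expected, response)


class Client:
    def __init__(self, user_id: str, password: str) -> None:
        self.user_id = user_id
        self.password = password

    def respond(self, challenge: bytes) -> bytes:
        """Step 4: derive the digest locally and encrypt the challenge with it.
        Neither the password nor its digest is sent over the wire."""
        return encrypt_challenge(message_digest(self.password), challenge)


def run_login(server: Server, client: Client) -> bool:
    """The whole exchange; returns the server's decision (step 6)."""
    challenge = server.login_request(client.user_id)
    if challenge is None:          # step 3: invalid user ID, error screen
        return False
    response = client.respond(challenge)
    return server.verify(client.user_id, response)


if __name__ == "__main__":
    srv = Server()
    srv.register("alice", "correct horse")   # constructed sample user
    print("right password:", run_login(srv, Client("alice", "correct horse")))
    print("wrong password:", run_login(srv, Client("alice", "battery staple")))
    print("unknown user:  ", run_login(srv, Client("mallory", "correct horse")))
```

Two points the code makes explicit. The server deletes each challenge on first use and never issues the same one twice, which is what turns a random value into protection against replay of a captured response. And because the stored digest is the key that produces a valid response, this scheme fixes only the problem of the password crossing the network in clear text: a copy of the user database still lets its holder answer challenges, so the database must be protected as carefully as a clear-text one.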
This is a guide to Password Authentication. Here we discussed the introduction, how it helps to validate the user's identity, and its mechanisms.