## Computers and the Internet

### Unit 4: Lesson 7

User authentication methods

AP.CSP: IOC‑2.B (LO), IOC‑2.B.1 (EK), IOC‑2.B.2 (EK)
A password is a form of authentication; a way of proving that yes, this is the user that owns this account.

Since so many user accounts are authenticated with a password, attackers are always looking for ways to uncover a user's password.
These are the most common ways:
• Guessing
• Brute-forcing, which is basically computer-assisted guessing at a much larger scale
• Stuffing, where attackers find the credentials for one service and try them on another service
• Malware, especially keyloggers
• Phishing scams
Users can defend against malware and phishing scams by being careful about what they download and what emails they believe.
To defend against guessing, brute-forcing, and stuffing, users need a strong password that can't be easily obtained by someone with ill intent. A strong password is:

• Irregular, to avoid simple guessing. Have you ever “changed” a password by putting a "1" or a "!" at the end of it? An attacker will change it the same way!
• Complex, to avoid brute-forcing. A strong password is long and includes more variety than just the letters of the alphabet, like numbers and symbols. There are 26^8 possible passwords that are 8 characters long and just made of lowercase letters, while there are 52^12 possible passwords that are 12 characters long and made up of both uppercase and lowercase letters. That's 208,827,064,576 versus a whopping 390,877,006,486,250,200,000 possibilities. A little bit of complexity goes a long way.
• Single-use, to avoid stuffing attacks. If an attacker manages to discover a user's password for one service, they shouldn't be able to use that same password to get into all their other services.
At the same time, passwords need to be memorable. If a user forgets their password constantly, then it's not a very good password.
Here are ways that users can make passwords that are both memorable and strong:
Create an initialism. Simple words and common phrases are easier to guess. An initialism is made up of all the initials of a phrase. For example, you could take the phrase “I want to create a strong password” and turn that into a complex password like Iw2CR8a!!!pw. You could also make initialisms based on favorite song lyrics, and then you'll be singing your way through login screens. 🎶
Combine unrelated words together. Imagine you have a real paper dictionary (and maybe you do!). You randomly turn to a page, randomly point, and choose the word under your finger. Do that four times, combine the words with symbols, and you'll have a strong password like vivid-wrung-octopus-misapply.
🔍 You can search online for "password meter" and find webpages that will calculate the strength of passwords for you. For security reasons, you should not put one of your actual passwords in those meters, but you can try out other password ideas and see how strong they are.
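The keyspace arithmetic from the "Complex" bullet, the dictionary-word approach, and the idea of a password meter can all be checked offline. The Python below is an added example written for this page, not Khan Academy's code and not any real password meter. The guess rate (one billion guesses per second), the small word list, and the list of common passwords are constructed assumptions; it also assumes an alphabet of 94 printable ASCII characters (26 lowercase, 26 uppercase, 10 digits, 32 punctuation marks).

```python
"""Offline password-strength arithmetic (added example, assumptions noted)."""
import math
import secrets
import string

# Constructed: a few very common passwords that character-set arithmetic
# alone would wrongly rate as reasonably strong.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "password1"}

# Constructed: a tiny word list. A real diceware list has 7776 entries.
SMALL_WORD_LIST = [
    "vivid", "wrung", "octopus", "misapply", "lantern", "gravel",
    "pillow", "comet", "saddle", "thimble", "onward", "brisk",
    "hollow", "quartz", "meadow", "zipper",
]

# Assumed attacker speed for the time estimate below, not a measured value.
ASSUMED_GUESSES_PER_SECOND = 1e9


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` symbols from an alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace: how many bits an attacker has to guess."""
    return length * math.log2(alphabet_size)


def crack_seconds(space: int, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to try every password in `space` at the given rate."""
    return space / guesses_per_second


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet containing every character used."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += 32
    return size


def naive_strength_bits(password: str) -> float:
    """What a simple password meter computes: length * log2(charset size).

    Known common passwords score 0, since attackers try those first.
    """
    if password.lower() in COMMON_PASSWORDS:
        return 0.0
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def passphrase_entropy_bits(words_in_list: int, n_words: int) -> float:
    """Entropy of n words chosen uniformly from a list of the given size."""
    return n_words * math.log2(words_in_list)


def random_passphrase(word_list, n_words: int, sep: str = "-") -> str:
    """Pick words with a cryptographically secure RNG (the 'dictionary' method)."""
    return sep.join(secrets.choice(word_list) for _ in range(n_words))


if __name__ == "__main__":
    for alphabet, length in ((26, 8), (52, 12)):
        space = keyspace(alphabet, length)
        print(f"{alphabet}^{length} = {space:,} ({entropy_bits(alphabet, length):.1f} bits), "
              f"worst case {crack_seconds(space):,.0f} s at 1e9 guesses/s")
    print("Iw2CR8a!!!pw ->", round(naive_strength_bits("Iw2CR8a!!!pw"), 1), "bits (naive)")
    print("Password1    ->", naive_strength_bits("Password1"), "bits (common password)")
    print("4 diceware words ->", round(passphrase_entropy_bits(7776, 4), 1), "bits")
    print("sample passphrase:", random_passphrase(SMALL_WORD_LIST, 4))
```

Two things the numbers show. First, the page's 52^12 figure is rounded; the exact keyspace is 390,877,006,486,250,192,896, about 68 bits against roughly 38 bits for 26^8. Second, `naive_strength_bits` only measures the alphabet and length, so it rates an initialism like Iw2CR8a!!!pw at about 79 bits even though a guesser who knows the phrase it came from needs far fewer tries; `passphrase_entropy_bits` is honest only when the words are picked at random, which is why `random_passphrase` uses `secrets` rather than `random`.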

Even if you've come up with a super strong password, you still need to be careful when you're actually typing the password:
Only fill in passwords over a secured connection. It's easy for malicious onlookers to see passwords sent over a non-secured Internet connection (and non-secured is the default!).
When you're entering a password in the browser, look for the lock icon that indicates an HTTPS connection:
Screenshot of the Wikipedia login screen with filled out username and password fields. The URL has a lock to the left of it signifying an HTTPS connection, and an arrow points on that lock.
Watch out for shoulder surfers. If anyone is near you while you're typing your password, they might be trying to memorize what you're typing.

## Want to join the conversation?

• So if there is no https:// it isn't safe?
• Well, if the webpage is served using HTTP then the browser will send an HTTP request to fetch the webpage.
If the webpage is served over HTTPS then the browser uses both HTTP and TLS - that is, it uses the Transport Layer Security protocol that makes communication secure.

Additionally, a website could be completely harmless if it is served over HTTP (not HTTPS) but it just isn't secure.
Also note that the browser will show a lock icon if it is safe (HTTPS).

The general rule of thumb is that if the webpage isn't secure, then it might not be safe, and thus you shouldn't enter any personal information (so you might not want to make an account unless you know more information about the website).

Hope this helps!
• So I did a little research on the initialism approach for passwords. Looks like those passwords do not generate enough entropy. Hackers can be effective in using dictionary attacks, especially if they know to create a dictionary composed of song lyrics and begin guessing the first letter of each word within a phrase.

• About the diceware, I think so too.
• Can't you keep your phone safe with a lock app? It's like more passwords.
• But a password manager will tell anyone else using my device, right? For example, if I use a password manager on my smartphone and I lose it and someone guesses its password, that person can use my password manager to see all my passwords stored in the password manager.