GUIDE TO ENTERPRISE PASSWORD MANAGEMENT (DRAFT)
2. Introduction to Passwords and Password Management
A password is a secret (typically a character string) that a claimant uses to authenticate its identity. Using
a password with a user identifier, such as a username, is one form of identification and authentication.[1]
Identification is a claimant presenting an identifier that indicates a user identity for the system.
Authentication is the process of establishing confidence in the validity of a claimant’s presented identifier,
usually as a prerequisite for granting access to resources in an information system.
Authentication can involve something the user knows (e.g., a password), something the user has (e.g., a
smart card), or something the user “is” (e.g., a fingerprint or voice pattern). Single-factor authentication
uses only one of the three forms of authentication, while two-factor authentication uses any two of the
three forms and three-factor authentication uses all three forms. Using additional factors makes it more
difficult for someone to gain unauthorized access to the system. For instance, it is easier to either discover
a user’s password or steal the user’s smart card than it is to both steal the smart card and also discover the
user’s password. To meet various security and operational needs, the selection of authentication methods
varies among systems, but passwords are the most commonly used authentication method, and are often
used both by themselves and with other authentication factors.[2]
Passwords are used in many ways to protect data, systems, and networks. For example, passwords are
used to authenticate users of operating systems, applications (e.g., email, labor recording), hardware, and
remote access solutions. Passwords are also used to protect files and other stored information, such as
password-protecting a single compressed file, a cryptographic key, or an encrypted hard drive. In
addition, passwords are often used in less visible ways; for example, a biometric device may generate a
password based on a fingerprint scan, and that password is then used for authentication.
There are different forms of passwords. One is known as a personal identification number (PIN). A PIN
is relatively short (usually 4 to 6 characters) and consists of only digits. Examples of PINs are “7352” and
“832290”. They take less time to enter than other types of passwords, so they are often used when a
longer, more complex password might create human safety problems, such as in a fire suppression system
or air traffic control tower console. (In these environments, it is assumed that there are physical security
controls in place that compensate for the relatively low security provided by the PIN.) PINs are also used
for alarm systems, automated teller machines (ATM), security token devices, and other devices that have
small keypads. PINs are rarely used as the only form of authentication for IT system access. Throughout
the rest of this document, PINs will be considered out of scope in references to the term “password”
unless explicitly mentioned.
Another specialized form of password is known as a passphrase. This is a relatively long password
consisting of a series of words, such as a phrase or a full sentence. An example of a passphrase is
“Iamdefinitelyyour#1fan”. The motivation for passphrases is that they can be longer than single-word
passwords but easier to remember than a sequence of arbitrary letters, digits, and special characters, such
as “72*^dSd!” or “C8ke2.e3:”. However, a simple passphrase such as “iloverocknroll” is predictable and
therefore easier for an attacker to guess than “9j%a#F.0”, so a passphrase’s length alone does not make it
stronger than other passwords. Throughout the rest of this publication, the term “password” includes both
regular passwords and passphrases unless otherwise noted.
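The passphrase caveat above (length alone does not make "iloverocknroll" stronger than "9j%a#F.0") can be made concrete with a small strength estimator. This is an added example, not part of the publication: it compares the naive length-times-alphabet estimate with a word-aware estimate that assumes the attacker concatenates tokens from a wordlist. The wordlist here is a constructed handful of tokens, and the 1,000-entry list size used for scoring is an assumed figure.

```python
import math

# Constructed, tiny token list standing in for an attacker's wordlist (assumption:
# a real checker would load tens of thousands of common words, names and slang).
WORDLIST = {"i", "love", "rock", "roll", "rocknroll", "am", "definitely", "your", "fan"}
ASSUMED_WORDLIST_SIZE = 1000  # assumed size of the list an attacker would actually use

def charset_size(pw):
    """Size of the alphabet a brute-force attacker must cover for this password."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10)]
    size = sum(n for test, n in classes if any(test(c) for c in pw))
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation
    return size

def naive_bits(pw):
    """Length-times-alphabet estimate: credits every character as if it were random."""
    return len(pw) * math.log2(charset_size(pw))

def segment(pw, words=WORDLIST):
    """Greedy longest-match split of a lower-case string into wordlist tokens.
    Returns the token list, or None if some part is not in the list."""
    tokens, pos = [], 0
    while pos < len(pw):
        match = None
        for end in range(len(pw), pos, -1):
            if pw[pos:end] in words:
                match = pw[pos:end]
                break
        if match is None:
            return None
        tokens.append(match)
        pos += len(match)
    return tokens

def word_aware_bits(pw, words=WORDLIST, wordlist_size=ASSUMED_WORDLIST_SIZE):
    """Guessing effort when the attacker builds candidates from wordlist tokens.
    Falls back to the naive estimate when the password is not made of tokens."""
    tokens = segment(pw.lower(), words)
    if tokens is None:
        return naive_bits(pw)
    return len(tokens) * math.log2(wordlist_size)

if __name__ == "__main__":
    for pw in ("iloverocknroll", "9j%a#F.0"):
        print(f"{pw!r}: naive {naive_bits(pw):.1f} bits, "
              f"word-aware {word_aware_bits(pw):.1f} bits")
```

The naive estimate rates the 14-letter passphrase above the 8-character random password, while the word-aware estimate, treating it as three wordlist tokens, rates it well below.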
[1] In some cases, passwords are used without a user identifier. This is most common in situations with low-security needs, such
as entering a numeric code into an office copying machine. This publication assumes that a password is associated with a
user identifier unless specifically noted otherwise.
[2] Additional information on the selection of appropriate authentication methods and on two-factor and three-factor
authentication is available from NIST Special Publication (SP) 800-63 Revision 1, Electronic Authentication Guideline
(Draft), at http://csrc.nist.gov/publications/PubsSPs.html.