Protecting password codes from unauthorized access

Access restriction and access control mechanisms work only as long as the actual values of the password codes are not available to unauthorized persons.

Circumstances in which a password may be compromised

Password codes must therefore also be protected from unauthorized access so that they are not compromised. A password can be compromised under the following circumstances:

  • accidental display or printing of passwords in the presence of unauthorized persons;
  • analysis of residual data left in storage devices during preventive maintenance and repair of the hardware of the information-processing system;
  • hardware failures that make it impossible to erase classified information;
  • technical maintenance personnel having access to passwords;
  • outright theft of password carriers (media);
  • emergency situations in which access to information and its processing facilities can no longer be controlled;
  • deliberate reading of passwords during access over the network, using special software.

With this in mind, the main precautions recommended for protecting password codes are:

  • passwords must never be stored in the clear in the information system; they must always be stored encrypted;
  • passwords must not be printed or displayed in the clear on the user's terminal (the one exception is the terminal of the information security service operator, which should be located in an isolated room). In systems whose terminals do not allow this, the password is printed over a mask that hides its value;
  • the longer the same password remains in use, the greater the probability of its disclosure. It must therefore be changed as often as possible and at random intervals;
  • the system must never generate a new password at the end of a communication session, even in encrypted form, since this would let an intruder make use of it easily.

To protect the password codes themselves, one can use irreversible (one-way) encryption, or the more complex method of “irreversible random assembly”, in which the password is transformed into an encrypted password by means of a special polynomial. In either case there is no procedure for recovering the original password. When a password is entered at login, the system applies the same transformation to it and compares the result with the transformed value stored earlier.

When choosing this method, however, it must be protected against bypass by exhaustive enumeration of password values. First of all, mismatch control is mandatory: when the number of mismatches exceeds a threshold (for example, three), an alarm signal must be generated and further attempts blocked, with the time and place of the event recorded. In critical cases it is also recommended to delay the output of the comparison result between the entered and the stored password, so as to increase the expected time needed to discover a password by guessing.
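The two preceding paragraphs describe one-way storage of passwords together with mismatch control and a delayed answer. The following is an added example, not code from the original text: a salted PBKDF2-HMAC-SHA256 stands in for the text's "special polynomial" as the irreversible transform, and the names (`PasswordVerifier`, `make_record`, `transform`), the iteration count and the threshold of three mismatches are assumptions chosen for the example. The verifier records an alarm with user, terminal and time once the mismatch count exceeds the threshold, refuses further attempts from that user, and can hold its answer for a configurable delay.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

# Parameters are hypothetical choices for this example; the text does not fix them.
PBKDF2_ITERATIONS = 100_000   # cost of the one-way transform
SALT_LEN = 16
MAX_MISMATCHES = 3            # alarm once the mismatch count exceeds three (the text's example)


def transform(password: str, salt: bytes) -> bytes:
    """The irreversible transform. PBKDF2-HMAC-SHA256 stands in for the
    'special polynomial' of the text: nothing here can be run backwards."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_record(password: str) -> dict:
    """What the system stores: a random salt and the transformed password, never the password."""
    salt = os.urandom(SALT_LEN)
    return {"salt": salt, "digest": transform(password, salt)}


# Dummy record used for unknown user names, so the verifier performs the same work
# whether or not the name exists and gives no timing hint about valid names.
_DUMMY_RECORD = make_record("dummy-not-a-real-password")


@dataclass
class PasswordVerifier:
    records: dict                       # user name -> record from make_record()
    result_delay: float = 0.0           # seconds to hold the answer; > 0 in critical systems
    mismatches: dict = field(default_factory=dict)
    blocked: set = field(default_factory=set)
    alarms: list = field(default_factory=list)   # (user, terminal, time) of each alarm

    def check(self, user: str, password: str, terminal: str, now=None) -> bool:
        now = time.time() if now is None else now
        if user in self.blocked:
            return False                # a blocked user is refused without comparing at all
        record = self.records.get(user, _DUMMY_RECORD)
        candidate = transform(password, record["salt"])
        # constant-time comparison of the transformed values; unknown names always fail
        ok = hmac.compare_digest(candidate, record["digest"]) and user in self.records
        if ok:
            self.mismatches[user] = 0
        else:
            count = self.mismatches.get(user, 0) + 1
            self.mismatches[user] = count
            if count > MAX_MISMATCHES:
                self.blocked.add(user)
                self.alarms.append((user, terminal, now))   # time and place of the event
        if self.result_delay > 0:
            time.sleep(self.result_delay)  # delay the answer, right or wrong, to slow guessing
        return ok
```

The delay is applied to correct and incorrect answers alike; delaying only failures would itself tell a guesser which answer is coming. In a real system the alarm list would go to the security service's own log rather than stay in memory.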

Another way to protect passwords uses the gamming (overlay) method, which is applicable when the computer (information-processing system) has at least two structurally separate memory areas (not counting backups).

Any password protection system remains effective only if the security service controls access to the protection program itself, both through the standard facilities of the information-processing system and against outsiders. Password protection is needed here as well, just as in the first case.

To raise the degree of protection of password codes in a computer, a software pseudo-random number generator can be used: from a single number it produces a group of numbers that can serve as closing codes.
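As an added illustration of the preceding paragraph (not code from the original text), the generator below derives a whole group of closing codes from one seed. HMAC-SHA256 keyed with the seed and run over a counter is an assumed modern choice of generator; the text names no particular one, and the function names `closing_codes` and `verify_code` are hypothetical. The point it shows is that the system only needs to keep the one seed: any code in the group can be regenerated on demand, and replacing the seed retires the entire group at once.

```python
import hashlib
import hmac


def closing_codes(seed: bytes, count: int, code_len: int = 16) -> list:
    """Derive `count` closing codes of `code_len` bytes each from one seed.
    The generator is HMAC-SHA256(seed, counter); the same seed always yields
    the same group, so only the seed has to be stored."""
    if count < 1 or not 1 <= code_len <= hashlib.sha256().digest_size:
        raise ValueError("count must be >= 1 and code_len between 1 and 32")
    codes = []
    for i in range(count):
        block = hmac.new(seed, i.to_bytes(4, "big"), hashlib.sha256).digest()
        codes.append(block[:code_len])
    return codes


def verify_code(seed: bytes, index: int, presented: bytes) -> bool:
    """Regenerate the index-th code from the seed and compare in constant time,
    instead of keeping the whole group of codes in memory."""
    expected = closing_codes(seed, index + 1, len(presented))[index]
    return hmac.compare_digest(expected, presented)
```

The seed itself now carries the secrecy of the whole group, so it must be stored with at least the protection the text demands for a single password.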

It should be noted that, thanks to progress in electronics, the development and falling cost of large-scale integrated circuits, and their use not only for processors but also for controllers and memory circuits, the operations described above are greatly simplified.

Other password protection methods are possible. The choice of cryptographic method for a particular system must be verified by cryptography specialists.

The most effective protection of a password against unauthorized interception is considered to be splitting it into two parts: one kept by the user and the other stored on a special medium. If the password medium is then lost or stolen, the user has time to report this to the information security service, and the service has time to change the password.
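The gamming (overlay) method mentioned earlier and the two-part separation described in this last paragraph can both be modelled by splitting the secret with a random gamma. The example below is added here and is not code from the original text; the class and function names (`TwoAreaStore`, `gamma_split`, `gamma_combine`, `recover`, `reissue`) are assumptions. One share is the random gamma, the other is the secret XORed with it, so each share on its own is a uniformly random string that says nothing about the secret. The two shares are kept in structurally separate stores (two dicts here, standing for two memory areas, or for the user's copy and a special medium), and `reissue` shows the recovery path of the text: once a medium is reported lost, the secret is changed and re-split with a fresh gamma, so the share on the lost medium no longer combines into anything useful.

```python
import os
from typing import Tuple


def gamma_split(secret: bytes) -> Tuple[bytes, bytes]:
    """Overlay a random gamma: share_a is the gamma, share_b is secret XOR gamma.
    Each share alone is uniformly random and independent of the secret."""
    gamma = os.urandom(len(secret))
    overlay = bytes(s ^ g for s, g in zip(secret, gamma))
    return gamma, overlay


def gamma_combine(share_a: bytes, share_b: bytes) -> bytes:
    """Recover the secret; both shares, of equal length, are required."""
    if len(share_a) != len(share_b):
        raise ValueError("shares do not belong together")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


class TwoAreaStore:
    """Keeps the two shares of each user's secret in structurally separate stores.
    Here they are two dicts; in the text they are two memory areas, or the user's
    own copy and a special medium such as a card or token (assumed names)."""

    def __init__(self):
        self.area_one = {}    # user -> gamma share (held by the system or the user)
        self.area_two = {}    # user -> overlay share (e.g. written to the medium)

    def enroll(self, user: str, secret: bytes) -> bytes:
        """Split a new secret; returns the share to be written to the medium."""
        self.area_one[user], self.area_two[user] = gamma_split(secret)
        return self.area_two[user]

    def recover(self, user: str, medium_share: bytes) -> bytes:
        """Combine a share presented from the medium with the system-held share."""
        return gamma_combine(self.area_one[user], medium_share)

    def reissue(self, user: str, new_secret: bytes) -> bytes:
        """Medium reported lost or stolen: the service changes the password and
        re-splits it with a fresh gamma. The old medium share combines with the
        new system share only into garbage; returns the replacement medium share."""
        return self.enroll(user, new_secret)
```

Whatever `recover` returns would, in a real system, be fed into the one-way check described earlier rather than compared directly; the split protects the stored value at rest and in transit on the medium, it does not replace the irreversible transform.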