ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Password security: a case history
Full text PdfPdf (447 KB)
Source
Communications of the ACM archive
Volume 22 ,  Issue 11  (November 1979) table of contents
Pages: 594 - 597  
Year of Publication: 1979
ISSN:0001-0782
Authors
Robert Morris  Bell Labs., Murray Hill, NJ
Ken Thompson  Bell Labs., Murray Hill, NJ
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 44,   Downloads (12 Months): 364,   Citation Count: 63
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/359168.359172
What is a DOI?

ABSTRACT

This paper describes the history of the design of the password security scheme on a remotely accessed time-sharing system. The present design was the result of countering observed attempts to penetrate the system. The result is a compromise between extreme security and ease of use.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
Hagelin, B. Ciphering Machine (M-209), U.S. Patent No. 2,089,603, Aug. 10, 1937.
 
2
Proposed federal information processing data encryption standard. Federal Register (40FR12134), March 17, 1975.
3
Dennis M. Ritchie , Ken Thompson, The UNIX time-sharing system, Communications of the ACM, v.17 n.7, p.365-375, July 1974  [doi>10.1145/361011.361061]
 
4
M. V. Wilkes, Time Sharing Computer Systems, Elsevier Science Inc., New York, NY, 1975

CITED BY  63
Ray Bird , Inder Gopal , Amir Herzberg , Phil Janson , Shay Kutten , Refik Molva , Moti Yung, The KryptoKnight family of light-weight protocols for authentication and key distribution, IEEE/ACM Transactions on Networking (TON), v.3 n.1, p.31-41, Feb. 1995
Blake Ives , Kenneth R. Walsh , Helmut Schneider, The domino effect of password reuse, Communications of the ACM, v.47 n.4, p.75-78, April 2004
E. H. Spafford, Crisis and aftermath, Communications of the ACM, v.32 n.6, p.678-687, June 1989
Peter G. Neumann, Risks of passwords, Communications of the ACM, v.37 n.4, p.126, April 1994
T. Lomas , L. Gong , J. Saltzer , R. Needhamn, Reducing risks from poorly chosen keys, ACM SIGOPS Operating Systems Review, v.23 n.5, p.14-18, Dec. 3–6, 1989
Geng-Sheng Kuo , Jing-Pei Lin, New design concepts for an intelligent Internet, Communications of the ACM, v.41 n.11, p.93-98, Nov. 1998
Ari Juels , Martin Wattenberg, A fuzzy commitment scheme, Proceedings of the 6th ACM conference on Computer and communications security, p.28-36, November 01-04, 1999, Kent Ridge Digital Labs, Singapore
Dorothy E. Denning, The United States vs. Craig Neidorf: A debate on electronic publishing, Constitutional rights and hacking, Communications of the ACM, v.34 n.3, p.22-43, March 1991
Fabian Monrose , Michael K. Reiter , Susanne Wetzel, Password hardening based on keystroke dynamics, Proceedings of the 6th ACM conference on Computer and communications security, p.73-82, November 01-04, 1999, Kent Ridge Digital Labs, Singapore
Steven M. Bellovin , Michael Merritt, Augmented encrypted key exchange: a password-based protocol secure against dictionary attacks and password file compromise, Proceedings of the 1st ACM conference on Computer and communications security, p.244-250, November 03-05, 1993, Fairfax, Virginia, United States
Secure password-based cipher suite for TLS, ACM Transactions on Information and System Security (TISSEC), v.4 n.2, p.134-157, May 2001
Philip MacKenzie , Michael K. Reiter, Delegation of cryptographic servers for capture-resilient devices, Proceedings of the 8th ACM conference on Computer and Communications Security, November 05-08, 2001, Philadelphia, PA, USA
Katherine Fithen , Barbara Fraser, CERT incident response and the Internet, Communications of the ACM, v.37 n.8, p.108-113, Aug. 1994
Peter G. Neumann, Inside risks: insecurity about security?, Communications of the ACM, v.33 n.8, p.170-170, Aug. 1990
Edward G. Amoroso, A graduate course in computing security technology, ACM SIGCSE Bulletin, v.25 n.1, p.251-255, March 1993
Benny Pinkas , Tomas Sander, Securing passwords against dictionary attacks, Proceedings of the 9th ACM conference on Computer and communications security, November 18-22, 2002, Washington, DC, USA
M. Bishop, UNIX security in a supercomputing environment, Proceedings of the 1989 ACM/IEEE conference on Supercomputing, p.693-698, November 12-17, 1989, Reno, Nevada, United States
Daniel Guinier, Identification by biometrics, ACM SIGSAC Review, v.8 n.2, p.1-11, Summer 1990
Kamaljit Singh, On improvements to password security, ACM SIGOPS Operating Systems Review, v.19 n.1, p.53-60, January 1985
Lynn Grant, DES key crunching for safer cypher keys, ACM SIGSAC Review, v.5 n.3, p.9-16, Summer 1987
Philip MacKenzie , Michael K. Reiter, Delegation of cryptographic servers for capture-resilient devices, Distributed Computing, v.16 n.4, p.307-327, December 2003
J. Alex Halderman , Brent Waters , Edward W. Felten, A convenient method for securely managing passwords, Proceedings of the 14th international conference on World Wide Web, May 10-14, 2005, Chiba, Japan
Susan Wiedenbeck , Jim Waters , Jean-Camille Birget , Alex Brodskiy , Nasir Memon, Authentication using graphical passwords: effects of tolerance and image choice, Proceedings of the 2005 symposium on Usable privacy and security, p.1-12, July 06-08, 2005, Pittsburgh, Pennsylvania
Arvind Narayanan , Vitaly Shmatikov, Fast dictionary attacks on passwords using time-space tradeoff, Proceedings of the 12th ACM conference on Computer and communications security, November 07-11, 2005, Alexandria, VA, USA
Susan Wiedenbeck , Jim Waters , Jean-Camille Birget , Alex Brodskiy , Nasir Memon, PassPoints: design and longitudinal evaluation of a graphical password system, International Journal of Human-Computer Studies, v.63 n.1-2, p.102-127, July 2005
Stanley A. Kurzban, Easily remembered passphrases: a better approach, ACM SIGSAC Review, v.3 n.2-4, p.10-21, Fall/Winter 1985
Susan J. Chinburg , Ramesh Sharda , Mark Weiser, Establishing the business value of network security using analytical hierarchy process, Creating business value with information technology: challenges and solutions, Idea Group Publishing, Hershey, PA, 2003
Ing-Ray Chen , Sayed A. Banawan, Performance and Stability Analysis of Multilevel Data Structures with Deferred Reorganization, IEEE Transactions on Software Engineering, v.25 n.5, p.690-700, September 1999
Konstantin Knorr , Susanne Röhrig, Towards a secure web-based healthcare application, Knowledge media in healthcare: opportunities and challenges, Idea Group Publishing, Hershey, PA, 2002
Chun-Li Lin , Hung-Min Sun , Tzonelih Hwang, Three-party encrypted key exchange: attacks and a solution, ACM SIGOPS Operating Systems Review, v.34 n.4, p.12-20, October 2000
Shirley Gaw , Edward W. Felten, Password management strategies for online accounts, Proceedings of the second symposium on Usable privacy and security, July 12-14, 2006, Pittsburgh, Pennsylvania
Susan Wiedenbeck , Jim Waters , Leonardo Sobrado , Jean-Camille Birget, Design and evaluation of a shoulder-surfing resistant graphical password scheme, Proceedings of the working conference on Advanced visual interfaces, May 23-26, 2006, Venezia, Italy
Her-Tyan Yeh , Hung-Min Sun, Simple authenticated key agreement protocol resistant to password guessing attacks, ACM SIGOPS Operating Systems Review, v.36 n.4, p.14-22, October 2002
Cheng-Chi Lee , Li-Hua Li , Min-Shiang Hwang, A remote user authentication scheme using hash functions, ACM SIGOPS Operating Systems Review, v.36 n.4, p.23-29, October 2002
Giovanni Di Crescenzo , Munir Cochinwala , Hyong S. Shim, Modeling cryptographic properties of voice and voice-based entity authentication, Proceedings of the 2007 ACM workshop on Digital identity management, November 02-02, 2007, Fairfax, Virginia, USA
Dinei Florêncio , Cormac Herley , Baris Coskun, Do strong web passwords accomplish anything?, Proceedings of the 2nd USENIX workshop on Hot topics in security, p.1-6, August 07, 2007, Boston, MA
Moshe Zviran , William J. Haga, Password security: an empirical study, Journal of Management Information Systems, v.15 n.4, p.161-185, March 1999
Saeed A. Rajput , Jihong Chen , Sam Hsu, State based authentication, Proceedings of the 43rd annual southeast regional conference, March 18-20, 2005, Kennesaw, Georgia
Ravi Sandhu , Kumar Ranganathan , Xinwen Zhang, Secure information sharing enabled by Trusted Computing and PEI models, Proceedings of the 2006 ACM Symposium on Information, computer and communications security, March 21-24, 2006, Taipei, Taiwan
Mark Keith , Benjamin Shao , Paul John Steinbart, The usability of passphrases for authentication: An empirical field study, International Journal of Human-Computer Studies, v.65 n.1, p.17-28, January, 2007
Rachna Dhamija , Adrian Perrig, Déjà Vu: a user study using images for authentication, Proceedings of the 9th conference on USENIX Security Symposium, p.4-4, August 14-17, 2000, Denver, Colorado
Kevin Fu , Emil Sit , Kendra Smith , Nick Feamster, Dos and don'ts of client authentication on the web, Proceedings of the 10th conference on USENIX Security Symposium, p.19-19, August 13-17, 2001, Washington, D.C.
Darren Davis , Fabian Monrose , Michael K. Reiter, On user choice in graphical password schemes, Proceedings of the 13th conference on USENIX Security Symposium, p.11-11, August 09-13, 2004, San Diego, CA
Ian Jermyn , Alain Mayer , Fabian Monrose , Michael K. Reiter , Aviel D. Rubin, The design and analysis of graphical passwords, Proceedings of the 8th conference on USENIX Security Symposium, p.1-1, August 23-26, 1999, Washington, D.C.
Jonathan S. Shapiro , John Vanderburgh, Access and Integrity Control in a Public-Access, High-Assurance Configuration Management System, Proceedings of the 11th USENIX Security Symposium, p.109-120, August 05-09, 2002
Aviel D. Rubin, Independent one-time passwords, Proceedings of the 5th conference on USENIX UNIX Security Symposium, p.15-15, June 05-07, 1995, Salt Lake City, Utah
Peter Honeyman , Andy Adamson , Kevin Coffman , Janani Janakiraman , Rob Jerdonek , Jim Rees, Secure videoconferencing, Proceedings of the 7th conference on USENIX Security Symposium, 1998, p.9-9, January 26-29, 1998, San Antonio, Texas
Niels Provos , David Mazières, A future-adaptive password scheme, Proceedings of the Annual Technical Conference on 1999 USENIX Annual Technical Conference, p.32-32, June 06-11, 1999, Monterey, California
Chee-Seng Chow , Amir Herzberg, Network randomization protocol: a proactive pseudo-random generator, Proceedings of the 5th conference on USENIX UNIX Security Symposium, p.6-6, June 05-07, 1995, Salt Lake City, Utah
Kevin Fu , Emil Sit , Kendra Smith , Nick Feamster, Dos and don'ts of client authentication on the web, Proceedings of the 10th conference on USENIX Security Symposium, p.19-19, August 13-17, 2001, Washington, D.C.
Dinei Florencio , Cormac Herley, A large-scale study of web password habits, Proceedings of the 16th international conference on World Wide Web, May 08-12, 2007, Banff, Alberta, Canada
Umut Topkara , Mikhail J. Atallah , Mercan Topkara, Passwords decay, words endure: secure and re-usable multiple password mnemonics, Proceedings of the 2007 ACM symposium on Applied computing, March 11-15, 2007, Seoul, Korea
Chun-Li Lin , Hung-Min Sun , Tzonelih Hwang, Efficient and practical DHEKE protocols, ACM SIGOPS Operating Systems Review, v.35 n.1, p.41-47, January 1, 2001
Eugene H. Spafford, The internet worm program: an analysis, ACM SIGCOMM Computer Communication Review, v.19 n.1, p.17-57, Jan. 1989
Mohammad Mannan , P. C. van Oorschot, Digital objects as passwords, Proceedings of the 3rd conference on Hot topics in security, p.1-6, July 29, 2008, San Jose, CA
Roman V. Yampolskiy, Action-based user authentication, International Journal of Electronic Security and Digital Forensics, v.1 n.3, p.281-300, October 2008
Ahmet Emir Dirik , Nasir Memon , Jean-Camille Birget, Modeling user choice in the PassPoints graphical password scheme, Proceedings of the 3rd symposium on Usable privacy and security, July 18-20, 2007, Pittsburgh, Pennsylvania
Harris E. Michail , George A. Panagiotakopoulos , Vasilis N. Thanasoulis , Athanasios P. Kakarountas , Costas E. Goutis, Server side hashing core exceeding 3 Gbps of throughput, International Journal of Security and Networks, v.2 n.3/4, p.228-238, April 2007
Tzung-Her Chen , Gwoboa Horng , Chuan-Sheng Yang, Public Key Authentication Schemes for Local Area Networks, Informatica, v.19 n.1, p.3-16, January 2008
Kaisen Lin , Philip Levis, Data Discovery and Dissemination with DIP, Proceedings of the 7th international conference on Information processing in sensor networks, p.433-444, April 22-24, 2008
Charles R. Young, A security policy for a profile-oriented operating system, Proceedings of the May 4-7, 1981, national computer conference, May 04-07, 1981, Chicago, Illinois
Iuon-Chang Lin , Chin-Chen Chang, A countable and time-bound password-based user authentication scheme for the applications of electronic commerce, Information Sciences: an International Journal, v.179 n.9, p.1269-1277, April, 2009
Katherine M. Everitt , Tanya Bragin , James Fogarty , Tadayoshi Kohno, A comprehensive study of frequency, interference, and training of multiple graphical passwords, Proceedings of the 27th international conference on Human factors in computing systems, April 04-09, 2009, Boston, MA, USA

INDEX TERMS

Keywords:
computer security, operating systems, passwords

Collaborative Colleagues:
Robert Morris: colleagues
Ken Thompson: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player