Different Types of Passwords

in SSCP
B"H
OK JD, time for the "questions of the day"...so I am learning about the different types of passwords and trying to get a good hold on them and where each makes the most sense. It seems the 4 options are: static, pass phrase, dynamic, one-time.
So, I know a pass phrase is often easier to remember than a word (standard static?). Dynamic is less guessable than either. One-time can't be guessed at all...but, what is the point of static? Just that it is maybe easier to create due to its shortness?
Also, Conrad says that dynamic, in the case of RSA tokens, are expensive. But, can't there be some other "dynamic" type of password that is not expensive?
Say that a Windows Server has a policy that forces me to change my password every week. My current understanding is that I am using a static password which is being rotated weekly, and maybe can't be re-used for some period of time, etc....but it is static not dynamic since the nature of the password itself is to remain the same. Is that right?
And, so, back to dynamic...is there some other "dynamic" password besides tokens? Maybe something cheap or free? Also, do dynamic passwords ever get re-used? Like, do those digits on the tokens ever come back in the same order, even infrequently?
I assumed that "dynamic" passwords are more secure compared to static passwords because: their changing nature makes them harder to guess. They have no set pattern you can use to "crack" them. Is that the case?
If so, maybe static and pass phrase are both unchanging word(s) which can be "cracked"; dynamic passwords are used less frequently but ultimately maybe have some pattern...and one-time is never used more than once, so, it is always unique and cannot be "cracked". ....??
Also, it seems to me like a password can be used for both authentication - proving your identity claim, in this case, by something you know; and for confidentiality. In the latter case I have in mind a zipped file someone sent me that was "password protected." He gave me the password by phone; I was then able to use that password to disclose the contents of the data in that zipped file to myself. Someone without the password would have the data kept confidential from them. Does that sound right...?
Thanks again,
Dovid
PS. I re-read this section this morning here en route to work...I am not confused. I am not sure how "dynamic", esp. in the example of an RSA token password, is not also "one-time". It seems like those passwords, and my Gmail "2-factor" digits emailed to me via SMS are also "one-time". ??
Comments
A password (and user name) is used for authentication. A secret key is used for confidentiality (via encryption). I wouldn't call a secret key a password, although both unlock a door that gets you access to a resource.
Forum Admin at www.techexams.net
--
LinkedIn: www.linkedin.com/in/jamesdmurray
Twitter: www.twitter.com/jdmurray
Best Regards,
Dovid