Different Types of Passwords

Chassidic1 Member Posts: 37
B"H

OK JD, time for the "questions of the day"...so I am learning about the different types of passwords and trying to get a good hold on them and where each makes the most sense. It seems the 4 options are: static, pass phrase, dynamic, one-time.

So, I know a pass phrase is often easier to remember than a word (standard static?). Dynamic is less guessable than either. One-time can't be guessed at all...but, what is the point of static? just that it is maybe easier to create due to its shortness?

Also, Conrad says that dynamic, in the case of RSA tokens, are expensive. But, can't there be some other "dynamic" type of password that is not expensive?

Say that a Windows Server has a policy that forces me to change my password every week. My current understanding is that I am using a static password which is being rotated weekly, and maybe can't be re-used for some period of time, etc....but it is static not dynamic since the nature of the password itself is to remain the same. Is that right?

And, so, back to dynamic...is there some other "dynamic" password besides tokens? Maybe something cheap or free? Also, do dynamic passwords ever get re-used? Like, do those digits on the tokens ever come back in the same order, even infrequently?

I assumed that "dynamic" passwords are more secure compared to static passwords because: their changing nature makes them harder to guess. They have no set pattern you can use to "crack" them. Is that the case?

If so, maybe static and pass phrase are both unchanging word(s) which can be "cracked"; dynamic passwords are used less frequently but ultimately maybe have some pattern...and one-time is never used more than once, so, it is always unique and cannot be "cracked". ....??

Also, it seems to me like a password can be used for both authentication - proving your identity claim, in this case, by something you know; and for confidentiality. In the latter case I have in mind a zipped file someone sent me that was "password protected." He gave me the password by phone; I was then able to use that password to disclose the contents of the data in that zipped file to myself. Someone without the password would have the data kept confidential from them. Does that sound right...?

Thanks again,
Dovid

PS. I re-read this section this morning here en route to work...I am not confused. I am not sure how "dynamic", esp. in the example of an RSA token password, is not also "one-time". It seems like those passwords, and my gmail "2-factor" digits emailed to me via SMS are also "one-time". ??

Comments

  • JDMurray (MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+; Surf City, USA) Admin Posts: 11,664
    Hmmm...a one-time password (OTP) is a dynamic password. The idea is not that an OTP can't be guessed, but that capturing the authentication traffic won't allow a replay attack because the password will be different in the next authentication session. Periodic rotation of static passwords doesn't make them dynamic. Doesn't Conrad give examples of static and dynamic passwords in his book?

    A password (and user name) is used for authentication. A secret key is used for confidentiality (via encryption). I wouldn't call a secret key a password, although both unlock a door that gets you access to a resource.
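The replay point made in the reply above, worked through in code as an added example (this is not code from the thread, from Conrad's book, or from any token vendor): a time-based one-time password (TOTP, RFC 6238) built on HOTP (RFC 4226), which is the same construction a hardware or app token uses. The seed is the RFC's published test seed, so the codes below match the RFC test vectors; the `TotpVerifier` class and its `last_accepted_counter` replay guard are assumptions about a minimal server-side check, not any particular product's implementation. It shows that the six digits change every 30-second step, that a captured code submitted a second time is refused even though the digits themselves could recur by chance, and that a static password rotated weekly gains none of this because nothing in the check depends on the session.

```python
import hmac
import hashlib
import struct

# RFC 6238 reference test seed (SHA-1 variant). A real token's seed is provisioned
# per device and never hard-coded; this value exists only so the demo is reproducible.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Assumed minimal server-side check: a code is accepted once for its time step,
    and any counter at or below the last accepted one is refused (RFC 6238 section 5.2).
    That refusal is what defeats replay of a code captured from the wire."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window          # tolerated clock drift, in steps either side of now
        self.last_accepted_counter = -1

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_accepted_counter:
                continue              # already used (or older): replay is rejected here
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_accepted_counter = counter
                return True
        return False


def code_sequence(secret: bytes, start_time: int, steps: int = 4) -> list:
    """The codes a token would display over consecutive 30-second steps."""
    return [totp(secret, start_time + 30 * i) for i in range(steps)]


def replay_demo() -> tuple:
    """Returns (fresh code accepted, same code replayed, next step's code accepted).
    window=0 keeps the demo deterministic against the RFC test vectors."""
    verifier = TotpVerifier(DEMO_SECRET, window=0)
    t = 1111111109                              # one of the RFC 6238 test times
    code = totp(DEMO_SECRET, t)
    fresh = verifier.verify(code, t)            # True: first use of this step's code
    replay = verifier.verify(code, t + 5)       # False: same code, captured and resent
    later = verifier.verify(totp(DEMO_SECRET, t + 60), t + 60)  # True: new step, new code
    return fresh, replay, later


if __name__ == "__main__":
    print("codes over four steps:", code_sequence(DEMO_SECRET, 1111111109))
    print("fresh / replay / later:", replay_demo())
```

Two things worth noticing: the six-digit space is small, so over a long enough run the same digits will appear again, but a repeated value is harmless because the verifier binds acceptance to the counter, not to the digits; and the "strong authentication" mentioned later in the thread comes from pairing this generated code (something you have) with a static PIN or password (something you know), which the code above leaves to the surrounding login flow.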
  • Chassidic1 Member Posts: 37
    JD, thanks again. If I recall correctly, Conrad gives the RSA token as a "dynamic password," and I do not recall him giving an OTP example. You seem to say both password types are equivalent; I have seen that thought expressed in online research hits too. I am not sure why Conrad counts them as separate. I like how the RSA token, besides having a dynamic component, also adds the use of a static component, and that their combination (what you have plus what you know) creates "strong authentication."

    Best Regards,
    Dovid