Skip to 0 minutes and 12 secondsLet's say you get a phone call from your boss. She says that she wants you to do something that's potentially going to cost the company a lot of money. She might give you good reasons for wanting to take the risk and it might sound like her, but how do you know, for sure that is not a competing company trying to cause you to take action to hurt you and benefit them? In this scenario it's not the security of the phone line that we're concerned about. We can assume it's a secure line or we can buy fancy equipment prevent to eavesdropping. Instead, we worry that we are receiving messages from an adversary.
Skip to 0 minutes and 43 secondsCaller ID will tell you which telephone is calling you. Maybe it matches the line in your boss's office but does that mean it's her? What if someone snuck into use her phone? Maybe you could ask her something only she would know. How's your dog? Can you remember where we had last years company picnic? Or what present did I give you last year, shortly before asking for a promotion? But someone who did their homework might know these things. Instead maybe you should have a prearranged secret word. 'Swordfish', for example. So that you know it's her, you ask her to say the secret word.
Skip to 1 minute and 15 secondsIf she knows it you're pretty sure it's the right person, if not you can call security to get up to the boss's office and apprehend the interloper. This is the basic idea of a password, and it's been used throughout recorded history. The Greek historian Polybius describes another ancient Use of passwords. According to Polybius, the Roman army would distribute a nightly watch word so they could identify their own soldiers at checkpoints and gates even in the dark. An official, called a tribune, would decide a nightly watchword and inscribe in onto a series of wooden tablets along with unique markings.
Skip to 1 minute and 51 secondsOne person from each of subdivision of the army would collect a tablet and take it to their leader who would read it and pass it on. The last person to read the password would be responsible for returning it. If the tribune finds a tablet missing they know by the markings in which quarter the tablet was lost. Passwords are ubiquitous in modern life. We use them any time there's a need to check that a remote person is who they say there are, either through the web or over the phone.
Skip to 2 minutes and 15 secondsBut while technology has given more requirements for passwords than ever before, it has also given attackers the tools to break those passwords and so the way they used and stored has been evolving along with the tools and techniques of the attackers. In Polybius's tale we saw a way to minimise the risk of an attacker stealing a password without it being discovered, before they could use it. But today we must also think about eavesdroppers, people who might steal lists of passwords and attackers who might try every password they can think of, until they get it right.
How do I trust you?
If you receive a message from your boss, how do you know it’s really them? Almost every way of checking the source of a message (from email to SMS) could potentially be spoofed, so is there a way to use some shared secret to prove it?
Read the story of the first computer password and the first computer password theft.
There are a few items worth discussing here:
If the system did use ‘knowledge based authentication’ instead of a password, wouldn’t it make that knowledge a password anyway? That is, if you had the password ‘swordfish’, is it really that different from choosing your mother’s maiden name? Is there a security difference between choosing a password that has no meaning and being asked for facts about yourself?
What does the theft of the password file tell us? Does it highlight any issues with storing collected passwords?