Identification describes the unequivocal connection of a digital identity with an entity such as a natural person, a system or a process. Without secure identification there can be no reliable authentication. It is carried out in a process of at least two stages, personalization and identification, which yields a digital identity linked to further information such as the authentication mechanism. Authentication is usually based on knowledge (such as a password), possession (for example a hardware token) or a personal property, also called biometrics. Daniel Miessler explains on his blog how strong the various authentication mechanisms are; passwords do poorly in that comparison.
But what is a password anyway? A password is a string of characters, usually made up of letters, numbers and special characters. One of the simplest forms is a shared password, also known as a shared secret, which lets several people access a service with the same credentials. More common for home users are personal passwords that only one person should know. There are also so-called one-time passwords, often used in online banking, which can be used only once.
According to the state of the art, service providers have long since stopped storing passwords in plain text. Instead, a cryptographic hash is calculated from the password. When the user wants to authenticate, the hash is calculated again from the entered password and compared with the stored value. The advantage of a cryptographic hash is that the password cannot be recovered from it in realistic time, at least if current methods are used. However, there are precomputed tables or databases, so-called rainbow tables, that map known passwords to their hashes. To make such lookups harder, a random value, the so-called salt, is added to the password before hashing. Sometimes a pepper, a secret value kept separate from the stored hashes, is used as well. If an attacker gets hold of the hashed password, he can still use brute force, i.e. systematically trying out all possibilities, to guess the password. It is therefore important to choose a password that is as secure as possible.
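The storage scheme described above, as an added example that is not part of the original article: an unsalted hash next to a salted and peppered one, with the comparison step done in constant time. The pepper value, the PBKDF2 work factor and the "salt$hash" storage format are assumptions chosen for this illustration, not taken from any particular service.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed pepper for this example. In a real deployment the pepper is a
# secret stored outside the password database (HSM, secrets manager), so a
# dump of the database alone does not allow offline guessing.
PEPPER = b"example-pepper-kept-out-of-the-database"

# Work factor for PBKDF2-HMAC-SHA256 (assumed value; raise it until a single
# hash takes tens of milliseconds on your login servers).
ITERATIONS = 600_000


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password, the scheme the text warns against.

    Identical passwords always give identical hashes, so a precomputed table
    of (password, hash) pairs maps a leaked hash straight back to the password.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt$hash' for storage.

    A fresh 16-byte random salt per user means two users with the same
    password get different stored values, so one lookup table no longer
    covers the whole database. The pepper is appended to the password so the
    hash cannot be recomputed from the database contents alone.
    """
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8") + PEPPER, salt, ITERATIONS
    )
    return salt.hex() + "$" + derived.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash for the entered password and compare with the stored value.

    hmac.compare_digest runs in time independent of where the strings first
    differ, so the comparison does not leak information about the hash.
    """
    salt_hex, _ = stored.split("$", 1)
    recomputed = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)


def demo() -> None:
    pw = "correct horse battery staple"  # constructed sample password
    print("unsalted, user A:", unsalted_hash(pw))
    print("unsalted, user B:", unsalted_hash(pw))  # identical: table lookup works
    record_a = hash_password(pw)
    record_b = hash_password(pw)
    print("salted,   user A:", record_a)
    print("salted,   user B:", record_b)  # differs: per-user salt
    print("login ok:", verify_password(pw, record_a))
    print("wrong pw:", verify_password("wrong guess", record_a))


if __name__ == "__main__":
    demo()
```

Note that salt and pepper only make lookup and offline guessing more expensive; the slow key-derivation function is what raises the cost of each individual brute-force attempt, and the password itself still has to be hard to guess.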
A secure password has high entropy, i.e. it is hard to predict; this is achieved with different types of characters (upper and lower case letters, numbers, special characters) and with length. In practice the main focus is often on the length of the password, and the minimum length frequently depends on its purpose. But what is difficult about passwords besides brute force? For a password to be secure it must remain secret and must not be easy to guess. It is no longer secret if, for example, it falls into the wrong hands through a successful phishing attack. You also have to trust the operator's security measures. And humans tend to be lazy: many users use the same password for many services or vary it only slightly, so an attacker who steals one of these passwords can use it to log into many services.
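To make the entropy argument concrete, here is an added example (not from the original article) that estimates the entropy of a password from the character classes it uses and its length, and converts that into the time a brute-force search would need at an assumed guess rate. The guess rate is a placeholder for illustration; the calculation is an upper bound that assumes every character was chosen uniformly at random, which a dictionary-based passphrase does not satisfy.

```python
import math
import string

# Character classes an attacker has to include in the search alphabet once
# a single character of that class is known or assumed to be present.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digits": string.digits,           # 10
    "special": string.punctuation,     # 32
}


def charset_size(password: str) -> int:
    """Size of the smallest class-based alphabet that covers every character used."""
    size = 0
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    return size


def entropy_bits(password: str) -> float:
    """Upper bound on entropy: length * log2(alphabet size).

    This is only reached if each character is chosen uniformly at random from
    the alphabet; dictionary words and keyboard patterns are far below it.
    """
    n = charset_size(password)
    return len(password) * math.log2(n) if n else 0.0


def brute_force_seconds(bits: float, guesses_per_second: float) -> float:
    """Time to exhaust the whole keyspace at the given guess rate."""
    return 2.0 ** bits / guesses_per_second


def compare(candidates, guesses_per_second: float = 1e10):
    """Return (password, bits, years to exhaust) for each candidate, assumed guess rate."""
    rows = []
    for pw in candidates:
        bits = entropy_bits(pw)
        years = brute_force_seconds(bits, guesses_per_second) / (365.25 * 24 * 3600)
        rows.append((pw, bits, years))
    return rows


if __name__ == "__main__":
    # Constructed sample passwords: a short one using all four classes and a
    # longer one using only lower-case letters.
    for pw, bits, years in compare(["Tr0ub4d&3", "correcthorsebatterystaple"]):
        print(f"{pw:28s} {bits:6.1f} bits  ~{years:.3g} years to exhaust")
```

The comparison illustrates the point made above about length: nine characters drawn from all four classes give about 59 bits, while 25 lower-case characters give about 117 bits, and every extra bit doubles the search space. The years-to-exhaust figure depends entirely on the assumed guess rate, which in turn depends on the hashing scheme the operator uses.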