Password security: a case history

Robert H. Morris and Ken Thompson. Commun. ACM.
This paper describes the history of the design of the password security scheme on a remotely accessed time-sharing system. The present design was the result of countering observed attempts to penetrate the system. The result is a compromise between extreme security and ease of use. 
End User Security
This paper details security risks, compromises, and options available to the average computer user. It includes specific discussions of encryption and password security. Analysis of a survey of
On improvements to password security
A technique to allow long password-phrases that makes an exhaustive search impracticable is presented, and a solution to eavesdropping problems using public-key cryptography is proposed.
Passblot: A Usable Way of Authentication Scheme to Generate One Time Passwords
One of the promising alternatives is graphical password-based authentication systems, which, if implemented properly, are secure but not as easy to understand or learn.
Passwords and the evolution of imperfect authentication
Theory on passwords has lagged practice, where large providers use back-end smarts to survive with imperfect technology.
Proactive Password Checking
Generic requirements for proactive password changer are presented and two of the most popular, publicly-available programs are examined to see how well they meet the requirements.
An Assessment of the Oracle Password Hashing Algorithm
The algorithm used for generating password hashes is reviewed, and it is shown that the current mechanism presents a number of weaknesses, making it straightforward for an attacker with limited resources to recover a user's plaintext password from the hashed value.
A remote password authentication scheme based on the digital signature method
  • M. Hwang
  • Computer Science
    Int. J. Comput. Math.
  • 1999
A remote password authentication scheme based on the digital signature methods is proposed that does not require the system to maintain a password file, and it can withstand attacks based on message replaying.
Password Authentication Without Using a Password Table
  • G. Horng
  • Computer Science
    Inf. Process. Lett.
  • 1995
Proofs of Security for the Unix Password Hashing Algorithm
The results show that the hashing algorithm is very good at extracting almost all of the available strength from the underlying cryptographic primitive and provide good reason for confidence in the Unix construction.


The UNIX Time-sharing System
The strong and weak points of UNIX are discussed and a good case can be made that it is in essence a modern implementation of MIT’s CTSS system.
Communications November ACM Number
  • 1979
The UNIX Time-Sharing System. Comm
  • 1974
U. S. Patent Number
Proposed Federal Information Processing Data Encryption Standard
  • Federal Register (40FR12134)
  • 1975