The first kind of security we all meet, a password is a means of [[authentication]]. Specifically, authenticating an [[identity]].

## attacks

How might an [[attacker]] get hold of a user's password?

- they might intercept it
	- there are similarities here to the problems of sharing a [[symmetric|symmetric encryption]] key
- they might try to guess it by [[brute force]], or by an intelligent search
- they might try to get the user to give up the password
	- for example, either as an active attack (spoofing, phishing) or by passive means, such as a [[keylogger]]
- they might attack the [[operating system]] or device
- they might also try [[social engineering]] another part of the wider system, such as a colleague

## defence

- password guessing attacks are the most embarrassing reason to get [[pwned]], so we try our best to make passwords difficult to guess
- the [[National Cyber Security Centre|NCSC]] recommends [three random words](https://www.ncsc.gov.uk/blog-post/three-random-words-or-thinkrandom-0), which always makes the security gammons very mad
- don't permit obvious passwords. Obviously.
- [[Computer security]] recommends password expiry which, actually, [we don't any more](https://www.ncsc.gov.uk/collection/passwords/updating-your-approach#tip5-password-collection).
- limiting logon attempts, which we actually love