
Security+ - Authentication and Identity Verification

1 byte removed, 19:31, 3 March 2008
Username and Password
The weakest form of username and password authentication uses ''plain text'' communication: both credentials are transmitted to the server unencrypted, so anyone eavesdropping on the connection with ''sniffing'' software can read the username and password directly off the wire and use them to gain unauthorized access to the system. Remote access technologies such as ''telnet'' present authentication credentials in plain text (as they do every command and response that follows). For this reason alone, the use of telnet for remote access to systems has been largely discontinued in favor of encrypted alternatives.
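To make the sniffing threat concrete, here is an added example (not code from the original page): a small Python parser that reconstructs a telnet login from captured TCP payloads and pulls out the username and password the way a sniffer would. The capture is constructed by hand for illustration; the prompt strings (''login:'', ''Password:'') and the one-character-per-segment keystroke model are assumptions about a typical telnet server, not something the page specifies.

```python
# Added example (not from the original page): a minimal "sniffer" that
# reconstructs a telnet login from captured TCP payloads. The capture below
# is constructed by hand for illustration, not taken from a real network.
IAC, SB, SE = 0xFF, 0xFA, 0xF0            # telnet "Interpret As Command" bytes
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE
ECHO = 0x01


def strip_telnet_commands(payload: bytes) -> bytes:
    """Remove telnet option negotiation, leaving only the user-visible text."""
    out = bytearray()
    i = 0
    while i < len(payload):
        b = payload[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 >= len(payload):
            break                          # truncated command at end of segment
        elif payload[i + 1] == IAC:
            out.append(IAC)                # IAC IAC is an escaped 0xFF data byte
            i += 2
        elif payload[i + 1] in (WILL, WONT, DO, DONT):
            i += 3                         # IAC <cmd> <option>
        elif payload[i + 1] == SB:
            end = payload.find(bytes([IAC, SE]), i + 2)
            i = len(payload) if end < 0 else end + 2
        else:
            i += 2                         # two-byte command (NOP, GA, ...)
    return bytes(out)


def extract_telnet_credentials(segments):
    """segments: (direction, payload) tuples in capture order, direction 'S'
    for server->client or 'C' for client->server. Returns the username and
    password typed in answer to the login and password prompts."""
    creds = {}
    field = None                           # which prompt is being answered
    typed = bytearray()
    for direction, payload in segments:
        data = strip_telnet_commands(payload)
        if direction == 'S':
            text = data.decode('ascii', 'replace').lower().rstrip()
            if text.endswith(('login:', 'username:')):
                field, typed = 'username', bytearray()
            elif text.endswith('password:'):
                field, typed = 'password', bytearray()
        elif field is not None:
            for b in data:
                if b in (0x0D, 0x0A):      # Enter terminates the field
                    creds[field] = typed.decode('ascii', 'replace')
                    field = None
                    break
                typed.append(b)
    return creds


def _keystrokes(text: str, echoed: bool):
    """Client types one character per segment (assumed); the server echoes
    each one back for the username but not for the password."""
    segs = []
    for ch in text:
        segs.append(('C', ch.encode()))
        if echoed:
            segs.append(('S', ch.encode()))
    segs.append(('C', b'\r\n'))
    return segs


# Constructed capture of a telnet login (illustrative, not real traffic).
CAPTURE = (
    [('S', bytes([IAC, DO, 0x18])),        # server: IAC DO TERMINAL-TYPE
     ('C', bytes([IAC, WONT, 0x18])),      # client: IAC WONT TERMINAL-TYPE
     ('S', bytes([IAC, WILL, ECHO]) + b'login: ')]
    + _keystrokes('alice', echoed=True)
    + [('S', b'\r\nPassword: ')]
    + _keystrokes('s3cret!', echoed=False)
    + [('S', b'\r\nWelcome to host\r\n$ ')]
)

if __name__ == '__main__':
    print(extract_telnet_credentials(CAPTURE))   # {'username': 'alice', 'password': 's3cret!'}
```

The point of the example is that the parser needs no key, no secret and no interaction with either end: the bytes on the wire are the credentials. Note that the server does not echo the password keystrokes, which hides them from someone looking over the user's shoulder but does nothing against a sniffer, since the client-to-server direction carries them in the clear. The same payloads captured from an encrypted session would be ciphertext and yield nothing to this parser.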
Technologies such as ''Secure Shell'' (ssh) still use a username and password, with the difference that the credentials travel over an encrypted channel (as does all data transmitted after authentication has taken place), so an eavesdropper cannot simply read them off the wire. Encryption protects the credentials only in transit, however: a weak or reused password is just as easy to guess over ssh as over telnet, and an attacker who can get the client to accept a forged host key can still place themselves between client and server and capture the password as it is entered.
Even with encryption, the username and password approach to authentication has a number of inherent weaknesses. Firstly, it identifies only the account; it does nothing to verify that the person presenting the credentials is the authorized user. If the username and password fall into the wrong hands (it is remarkable how many people keep them written on a piece of paper stuck to their monitor), the authentication system has no way of knowing that the wrong person is logging in.