Identification

It is the start of most access controls. You claim that you are a unique identity.

Examples: Username, swiping a smartcard, fingerprint scanner, face scanner, etc.

A subject's identity is usually considered public information. IT systems only track your unique ID.

Authentication

Authentication is used to verify that you are indeed the unique identity you claim to be. The most commonly used authentication method is a password.

Authentication information is private information and needs to be protected.

The user (subject) authenticates himself and the system (object) authenticates and authorizes him.

Passwords

Risks associated with passwords:

Storage

Passwords are often stored as a hash, and need to be. When a user authenticates, the password they type in is hashed as well and then compared with the stored hash.
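The store-and-compare flow described above, as an added example that is not part of the original notes. The per-user salt, the choice of PBKDF2-HMAC-SHA256, the iteration count and the names hash_password, verify_password, register and login are assumptions of this example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor for this example; tune per deployment

def hash_password(password, iterations=ITERATIONS):
    """Return a storable record: algorithm$iterations$salt_hex$hash_hex."""
    salt = secrets.token_bytes(16)  # per-user salt: equal passwords give different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, record):
    """Hash the typed-in password with the stored salt and compare the results."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(hash_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    except (ValueError, OverflowError):
        return False  # malformed record: fail closed
    # Constant-time comparison, so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, expected)

# Constructed user table: the username is the public identity,
# the record is the private authentication information.
USERS = {}
# Record checked for unknown usernames so both paths do the same amount of work.
DUMMY_RECORD = hash_password(secrets.token_hex(16))

def register(username, password):
    USERS[username] = hash_password(password)

def login(username, password):
    record = USERS.get(username, DUMMY_RECORD)
    ok = verify_password(password, record)
    return ok and username in USERS

if __name__ == "__main__":
    register("alice", "constructed-Sample-Passw0rd!")  # constructed sample credentials
    print(USERS["alice"])                              # the plaintext is never stored
    print(login("alice", "constructed-Sample-Passw0rd!"))
    print(login("alice", "wrong-guess"))
```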

Creating strong passwords

You need many different letters, capitalized and uncapitalized, numbers and characters. The password also has to be sufficiently long.

What not to use: