The Internet is having an identity crisis. Long regarded as a powerful tool for cost reduction and service enhancement, the Internet is falling short of its promise because of the real and perceived threat of identity theft. Financial losses and insurance costs are mounting, as organizations struggle to protect their information perimeters and improve the strength of their authentication systems to ensure that the authorized user is present during the sign-in process. The widespread use and misuse of passwords as authentication tokens is generally cited as a cause of the accelerating erosion of user confidence and the increasing incidence of identity theft. It is generally agreed that passwords are not enough. Much has been lost, however, in the race toward person-present authentication systems. While the application of passwords is fraught with risk, the introduction of complex authentication infrastructures and cumbersome end user technology has eroded usability and increased the cost of security dramatically. This paper describes a new authentication approach that retains the simplicity and low cost of passwords, while gracefully introducing as much person-present assurance as is required by the application.
characters per word
a possible password 5-10 characters long, composed of letters and numbers, the majority of people choose short, simple passwords that they can remember easily. And who can blame them? The problem is that modern computers can guess, or crack such passwords very easily. Short, simple, readable passwords are memorable but useless. Problem 2: Constancy in Password Selection Using the same password for long periods of time or on multiple systems increases the risk of that password being compromised. Most