the computer your password is the way that you prove to the computer
that you are you. In classical security parlance, your password
is what the computer uses to
(two words that have a lot of significance
to security gurus, but generally mean the same thing that they do
to ordinary people).
When you log in, you tell the computer who you are by typing
your username at the login prompt. You then type your password (in
response to the password prompt) to prove that you are who you claim
to be. For example:
As we mentioned above,
does not display
your password when you type it.
password that you supply with your username corresponds to the one
logs you in and gives you full
access to all of your files, commands, and devices. If either the
password or the username does not match,
does not log you in.
On some versions of
if somebody tries to log into your account and supplies an invalid
password several times in succession, your account will be locked.
A locked account can be unlocked only by the system administrator.
Locking has two functions:
It protects the system from someone
who persists in trying to guess a password; before they can guess
the correct password, the account is shut down.
It notifies you that someone has been trying to
break into your account.
If you find yourself locked out of your account, you should
contact your system administrator and get your password changed
to something new. Don't change your password back to what
it was before you were locked out.
The automatic lockout feature can prevent unauthorized
use, but it can also be used to conduct
denial of service attacks,
or by an attacker to lock selected users out of the system so as
to prevent discovery of his actions. A practical joker can use it
to annoy fellow employees or students. And you can lock yourself
out if you try to log in too many times before you've had
your morning coffee. In our experience, indefinite automatic lockouts
aren't particularly helpful. A much better method is to
employ an increasing delay mechanism in the login. After a fixed
number of unsuccessful logins, an increasing delay can be inserted
between each successive prompt. Implementing such delays in a network
environment requires maintaining a record of failed login attempts,
so that the delay cannot be circumvented by an attacker who merely
disconnects from the target machine and reconnects.
can be configured for increased delays at successive login prompts
by editing the
variable in the file
also supports automatic locking of terminals with automatic reenablement
after some time with the logindisable and loginreenable attributes
in the same file.
system gives the user 10 chances to log in, with an increasing delay
after each attempt. This achieves essentially the same goal as a
lockout (preventing someone from trying lots of passwords within
a short amount of time), but it limits
denial of service
attacks as well.