===Password security architecture===
Common techniques used to improve the security of computer systems protected by a password include:
* Not displaying the password on the display screen as it is being entered or obscuring it as it is typed by using asterisks (*) or bullets (•).
* Allowing passwords of adequate length. (Some [[legacy system|legacy]] operating systems, including early versions{{Which|date=September 2010}} of Unix and Windows, limited passwords to an 8-character maximum,<ref>Seltzer, Larry. (9 February 2010) [https://www.pcmag.com/article2/0,2817,2358985,00.asp "American Express: Strong Credit, Weak Passwords"] {{webarchive|url=https://web.archive.org/web/20170712160714/https://www.pcmag.com/article2/0,2817,2358985,00.asp |date=12 July 2017 }}. Pcmag.com. Retrieved on 2012-05-20.</ref><ref name="password_myths">[https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=762c7cbd-bc00-44b1-8d35-cf42bc7fe2e9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments "Ten Windows Password Myths"]: "NT dialog boxes ... limited passwords to a maximum of 14 characters"</ref><ref>[http://jira.codehaus.org/browse/REDBACK-87 "You must provide a password between 1 and 8 characters in length"]. Jira.codehaus.org. Retrieved on 20 May 2012. {{webarchive |url=https://web.archive.org/web/20150521153629/http://jira.codehaus.org/browse/REDBACK-87 |date=21 May 2015 }}</ref> reducing security.)
* Requiring users to re-enter their password after a period of inactivity (a semi log-off policy).
* Enforcing a [[password policy]] to increase [[password strength]] and security.
** Assigning randomly chosen passwords.
** Requiring minimum [[Password length parameter|password lengths]].<ref name="bugcharmer.blogspot.com"/>
** Some systems require characters from various character classes in a password—for example, "must have at least one uppercase and at least one lowercase letter". However, all-lowercase passwords are more secure per keystroke than mixed capitalization passwords.<ref>[http://world.std.com/~reinhold/dicewarefaq.html#capitalize "To Capitalize or Not to Capitalize?"] {{webarchive|url=https://web.archive.org/web/20090217200722/http://world.std.com/~reinhold/dicewarefaq.html |date=17 February 2009 }}. World.std.com. Retrieved on 20 May 2012.</ref>
** Employing a [[Blacklist (computing)#Usernames and passwords|password blacklist]] to block the use of weak, easily guessed passwords.
** Providing an alternative to keyboard entry (e.g., spoken passwords, or [[biometrics|biometric]] identifiers).
** Requiring more than one authentication system, such as two-factor authentication (something a user has and something the user knows).
* Using encrypted tunnels or [[password-authenticated key agreement]] to prevent access to transmitted passwords via network attacks.
* Limiting the number of allowed failures within a given time period (to prevent repeated password guessing). After the limit is reached, further attempts will fail (including correct password attempts) until the beginning of the next time period. However, this is vulnerable to a form of [[denial-of-service attack|denial of service attack]].
* Introducing a delay between password submission attempts to slow down automated password guessing programs.

Some of the more stringent policy enforcement measures can pose a risk of alienating users, possibly decreasing security as a result.
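
The last two techniques in the list (a failure limit per time period and a delay between attempts) can be sketched as follows. This is an added example, not part of the article or of any particular system; the class name, the constants (300-second period, 5 failures, doubling delay) and the sample account are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

WINDOW = 300      # assumed: length of one time period, in seconds
MAX_FAILS = 5     # assumed: failures allowed per period
BASE_DELAY = 1.0  # assumed: wait after the first failure, doubling each time


def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginThrottle:
    def __init__(self):
        self._users = {}  # username -> (salt, derived key)
        self._state = {}  # username -> (period index, failures, not_before)

    def register(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, _kdf(password, salt))

    def attempt(self, user, password, now):
        """Return (accepted, seconds to wait before the next attempt)."""
        period = int(now // WINDOW)
        seen, fails, not_before = self._state.get(user, (period, 0, 0.0))
        if seen != period:  # a new period clears the failure count
            fails, not_before = 0, 0.0
        if fails >= MAX_FAILS:  # locked: the correct password is refused too
            return False, (period + 1) * WINDOW - now
        if now < not_before:  # inside the enforced delay: not even evaluated
            return False, not_before - now
        salt, key = self._users.get(user, (b"\0" * 16, b""))
        if hmac.compare_digest(_kdf(password, salt), key):
            self._state.pop(user, None)
            return True, 0.0
        fails += 1
        delay = BASE_DELAY * 2 ** (fails - 1)
        self._state[user] = (period, fails, now + delay)
        return False, delay


def lockout_demo(password="correct horse battery staple"):
    t, now = LoginThrottle(), 0.0
    t.register("alice", password)
    for guess in "abcde":  # constructed wrong guesses, each sent after its delay
        now += t.attempt("alice", guess, now)[1]
    locked = t.attempt("alice", password, now)  # real user, correct password
    return now, locked, t.attempt("alice", password, float(WINDOW))
```

In the constructed run, five wrong guesses from any source leave the legitimate user refused for the rest of the period even with the correct password, which is the denial-of-service weakness noted in the list; the account becomes usable again only when the next period begins.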