Consider a server which only requires a password for opening a session, no username. Let's imagine that user 'Alice' has registered, with password 'ILoveBillClinton'. Now, a new user wants to register; let's call him Bob. Out of (bad) luck, Bob elects to use password 'ILoveBillClinton' too. Such collisions happen in practice: indeed, even if users choose passwords with 30 bits of entropy (an already optimistic figure), it suffices to have 30 thousand or so users to have a good chance of triggering such a collision (this is called the Birthday Paradox). The registration server then has three ways to handle this situation:

- The server warns Bob about the collision. Bob then immediately learns that there is another user with the same password, and since the server does not require the username, just the password, Bob gains immediate access to Alice's account.
- The server does not warn Bob about the collision, but just ignores the registration. When Bob actually connects, he has the surprise of being greeted with a banner stating "Hello, Alice !". Bob has gained immediate access to Alice's account.
- The server does not warn Bob about the collision, and replaces Alice's registration with Bob's registration. But when Alice logs on again, she types her password, and is greeted with "Hello, Bob !". Alice has gained immediate access to Bob's account.

The entry of the username would not be necessary if password collisions did not happen (or would happen only with negligible probability). But as long as passwords are chosen by human minds and stored in human brains, collisions will happen, and a username (or user ID or any similar discriminant value) will be needed.

Edit: as alludes to, if the passwords are not chosen by the user, but generated by the registration server, then the server can enforce uniqueness and avoid this problem.
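The Birthday Paradox figure above (30 bits of entropy, about 30,000 users) can be checked directly. The following is an added example, not code from the original post; the entropy and user-count parameters are the ones the text quotes, and the Monte Carlo run simply models a password-only registry as a set of random values.

```python
import math
import random

# Constructed parameters, taken from the text: users pick passwords with
# about 30 bits of entropy, and the site has around 30,000 users.
ENTROPY_BITS = 30
USERS = 30_000


def collision_probability(entropy_bits: int, users: int) -> float:
    """Exact birthday-problem probability that at least two of `users`
    passwords coincide, each drawn uniformly from 2**entropy_bits values.
    Computed in log space so the long product does not underflow."""
    space = 2 ** entropy_bits
    if users > space:
        return 1.0  # pigeonhole: a collision is certain
    log_no_collision = sum(math.log1p(-i / space) for i in range(users))
    return 1.0 - math.exp(log_no_collision)


def users_for_probability(entropy_bits: int, target: float) -> int:
    """Approximate user count at which the collision probability reaches
    `target`, from the standard birthday bound n ~ sqrt(2N ln(1/(1-p)))."""
    space = 2 ** entropy_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - target))))


def simulate_collision_rate(entropy_bits: int, users: int,
                            trials: int, seed: int = 1) -> float:
    """Monte Carlo check of the formula: fraction of trials in which a
    password-only registry receives at least one duplicate password."""
    rng = random.Random(seed)
    space = 2 ** entropy_bits
    hits = 0
    for _ in range(trials):
        seen = set()
        for _ in range(users):
            pw = rng.randrange(space)
            if pw in seen:  # a later user chose an already-registered password
                hits += 1
                break
            seen.add(pw)
    return hits / trials


if __name__ == "__main__":
    p = collision_probability(ENTROPY_BITS, USERS)
    print(f"P(collision | {ENTROPY_BITS} bits, {USERS} users) = {p:.3f}")
    print(f"Users for a 50% collision chance: {users_for_probability(ENTROPY_BITS, 0.5)}")
    print(f"Simulated rate over 100 trials: {simulate_collision_rate(ENTROPY_BITS, USERS, 100):.2f}")
```

With the text's numbers the exact probability is roughly one in three, and the 50% mark is reached at under 40,000 users, which is why a discriminant such as a username is unavoidable when users choose their own passwords.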