Password Security and Attacks
40 Questions
0 Views

Choose a study mode

Play Quiz
Study Flashcards
Spaced Repetition
Chat to lesson

Podcast

Play an AI-generated podcast conversation about this lesson

Questions and Answers

What is the primary goal of computer security?

  • To identify individuals
  • To recognize individuals
  • To authenticate identities
  • To control access (correct)
  • What is the difference between identification and authentication?

  • Identification is private, while authentication is public
  • Identification confirms the identity, while authentication asserts it
  • Identification is public, while authentication is private
  • Identification asserts the identity, while authentication confirms it (correct)
  • What type of authenticator is based on a physical characteristic of the user?

  • Something the user knows
  • Something the user does
  • Something the user has
  • Something the user is (correct)
  • What is an example of something a user knows?

    <p>Password</p> Signup and view all the answers

    Why should authentication be reliable?

    <p>Because it confirms the asserted identity</p> Signup and view all the answers

    What is the purpose of authentication?

    <p>To confirm the asserted identity</p> Signup and view all the answers

    What is an example of something you might use to identify yourself?

    <p>Bank account number</p> Signup and view all the answers

    What is the relationship between identification and authentication?

    <p>Identification asserts the identity, and authentication confirms it</p> Signup and view all the answers

    What type of personal information may a user derive their password from?

    <p>Their user ID or name</p> Signup and view all the answers

    What is the primary goal of an exhaustive or brute force attack?

    <p>To try all possible passwords in an automated fashion</p> Signup and view all the answers

    How many possible passwords are there in a system with 8-character passwords using only the letters A-Z?

    <p>26^8</p> Signup and view all the answers

    What is the benefit of using characters other than just a-z in passwords?

    <p>It increases the number of possible characters</p> Signup and view all the answers

    At what length does the combinatorial explosion of password guessing difficulty begin?

    <p>Length 4 or 5</p> Signup and view all the answers

    Why do penetrators often try the easy cases first?

    <p>To save time and resources</p> Signup and view all the answers

    What is the primary benefit of choosing long passwords?

    <p>It reduces the likelihood of password guessing</p> Signup and view all the answers

    Why do users often use weak passwords?

    <p>They want to make their password easy to remember</p> Signup and view all the answers

    What is a common method of authentication that involves something a user has?

    <p>Using an identity badge or physical key</p> Signup and view all the answers

    What is the primary purpose of a password in user authentication?

    <p>To verify a user's identity</p> Signup and view all the answers

    What is a disadvantage of using passwords for authentication?

    <p>They are inconvenient to use</p> Signup and view all the answers

    What happens when a user discloses their password to an unauthorized individual?

    <p>The object becomes immediately accessible</p> Signup and view all the answers

    What is a consequence of changing a password to re-protect an object?

    <p>Other legitimate users will need to be informed of the new password</p> Signup and view all the answers

    What is a problem with revoking a user's access right to an object?

    <p>It requires changing the password, causing the same problems as disclosure</p> Signup and view all the answers

    What is a potential problem with lost or forgotten passwords?

    <p>It may be impossible to retrieve a lost or forgotten password</p> Signup and view all the answers

    What is an advantage of combining two or more forms of authentication?

    <p>It provides stronger authentication</p> Signup and view all the answers

    What is a limitation of passwords as protection devices?

    <p>They contain a relatively small number of bits of information.</p> Signup and view all the answers

    What is a common weakness in user-chosen passwords?

    <p>They are based on well-known strings or words.</p> Signup and view all the answers

    What is a type of attack that can be used to infer a user's password?

    <p>Dictionary attack</p> Signup and view all the answers

    What is a countermeasure against weak passwords?

    <p>Posting dictionaries of phrases and specialized lists to identify weak passwords</p> Signup and view all the answers

    What type of software is available to scan a system for weak passwords?

    <p>COPS Crack and SATAN utilities</p> Signup and view all the answers

    What is a type of password that is easily guessed by an attacker?

    <p>A password based on a well-known string</p> Signup and view all the answers

    Why do administrators often need to assign a new password to a user?

    <p>Because the user loses or forgets their password.</p> Signup and view all the answers

    What is the purpose of password recovery software?

    <p>To recover lost or forgotten passwords</p> Signup and view all the answers

    What is necessary to achieve true security in authentication?

    <p>All of the above</p> Signup and view all the answers

    Why might limiting users to certain workstations or times of access cause complications?

    <p>Because users might need to work overtime or access the system remotely</p> Signup and view all the answers

    What is an advantage of limiting users to certain workstations or times of access?

    <p>Improved security</p> Signup and view all the answers

    What is the goal of security analysts in recognition of normal activity?

    <p>To recognize normal, allowed activity</p> Signup and view all the answers

    What is an example of using additional information to authenticate users?

    <p>Limiting access to specific workstations and times</p> Signup and view all the answers

    Why might someone try to impersonate a user like Adams?

    <p>All of the above</p> Signup and view all the answers

    What is the benefit of using techniques like limiting access to certain workstations or times?

    <p>Improved security</p> Signup and view all the answers

    What is the trade-off of using techniques like limiting access to certain workstations or times?

    <p>Increased security for decreased convenience</p> Signup and view all the answers

    Study Notes

    Inferring Passwords Likely for a User

    • A user may use a password derived from well-known personal information, such as:
      • The same as the user ID
      • Is, or is derived from, the user's name
      • A common word list (e.g., password, secret, private) plus common names and patterns (e.g., qwerty, aaaaaa)

    Exhaustive Attack (Brute Force Attack)

    • In an exhaustive or brute force attack, the attacker tries all possible passwords, usually in an automated fashion.
    • The number of possible passwords depends on the implementation of the particular computing system.
    • For example, if passwords are words consisting of 26 characters (A-Z) and can be of any length from 1 to 8 characters, there are 26^1 + 26^2 + ... + 26^8 = 5 * 10^12 possible passwords.

    Good Passwords

    • To improve password security, use practices such as:
      • Using characters other than just a-z (e.g., digits, uppercase and lowercase letters)
      • Choosing long passwords, as the combinatorial explosion of password guessing difficulty begins around length 4 or 5

    Authentication

    • Human authentication involves recognition of someone's identity, often based on familiar characteristics (e.g., face, voice).
    • Computer authentication involves controlled access, where someone is authorized to take some action on something.
    • Authentication is the act of proving that asserted identity, that the person is who they say they are.

    Identification versus Authentication

    • Identities are often well-known, predictable, or guessable (e.g., user ID, name, bank account number, email address).
    • Authentication should be reliable and private.
    • Authentication mechanisms use any of three qualities to confirm a user's identity:
      • Something the user knows (e.g., passwords, PIN numbers, passphrases).
      • Something the user is (e.g., biometrics, such as a fingerprint, voice pattern, or face).
      • Something the user has (e.g., identity badges, physical keys, driver's license).

    Authentication Based on Phrases and Facts

    • User authentication and verification using passwords:
      • A user enters a piece of identification (e.g., name, user ID).
      • The system requests a password from the user.
      • If the password matches, the user is authenticated and allowed access.

    Attacking and Protecting Passwords

    • Passwords are limited as protection devices due to the relatively small number of bits of information they contain.
    • People often pick passwords that do not take advantage of the available bits (e.g., choosing a well-known string, such as qwerty or password).
    • Dictionary attacks can be used to infer user passwords.
    • Countermeasures include:
      • Posting dictionaries of phrases and specialized lists to identify weak passwords.
      • Using utilities like COPS Crack and SATAN to scan a system for weak passwords.
      • Password recovery software.

    Secure Authentication

    • To achieve true security, consider the problem, tools, and possible attacks.
    • Additional information can be used to authenticate users, such as:
      • Time of access (e.g., limiting access to specific hours or days).
      • Physical location (e.g., limiting access to specific workstations or offices).
    • Limiting users to certain workstations or times of access can cause complications, but may provide added security.

    Studying That Suits You

    Use AI to generate personalized quizzes and flashcards to suit your learning preferences.

    Quiz Team

    Related Documents

    cs-lecture6-authentication.pdf

    Description

    Learn about common password derivation methods and exhaustive attack techniques used to compromise password security.

    More Like This

    Password Security Fundamentals
    6 questions
    Password Security Best Practices
    10 questions
    Password Security Best Practices
    5 questions
    Use Quizgecko on...
    Browser
    Browser