Password Security and Attacks

Questions and Answers

What is the primary goal of computer security?

To identify individuals

To recognize individuals

To authenticate identities

To control access (correct)

What is the difference between identification and authentication?

Identification is private, while authentication is public

Identification confirms the identity, while authentication asserts it

Identification is public, while authentication is private

Identification asserts the identity, while authentication confirms it (correct)

What type of authenticator is based on a physical characteristic of the user?

Something the user knows

Something the user does

Something the user has

Something the user is (correct)

What is an example of something a user knows?

Password

Why should authentication be reliable?

Because it confirms the asserted identity

What is the purpose of authentication?

To confirm the asserted identity

What is an example of something you might use to identify yourself?

Bank account number

What is the relationship between identification and authentication?

Identification asserts the identity, and authentication confirms it

What type of personal information may a user derive their password from?

Their user ID or name

What is the primary goal of an exhaustive or brute force attack?

To try all possible passwords in an automated fashion

How many possible passwords are there in a system with 8-character passwords using only the letters A-Z?

26^8

What is the benefit of using characters other than just a-z in passwords?

It increases the number of possible characters

At what length does the combinatorial explosion of password guessing difficulty begin?

Length 4 or 5

Why do penetrators often try the easy cases first?

To save time and resources

What is the primary benefit of choosing long passwords?

It reduces the likelihood of password guessing

Why do users often use weak passwords?

They want to make their password easy to remember

What is a common method of authentication that involves something a user has?

Using an identity badge or physical key

What is the primary purpose of a password in user authentication?

To verify a user's identity

What is a disadvantage of using passwords for authentication?

They are inconvenient to use

What happens when a user discloses their password to an unauthorized individual?

The object becomes immediately accessible

What is a consequence of changing a password to re-protect an object?

Other legitimate users will need to be informed of the new password

What is a problem with revoking a user's access right to an object?

It requires changing the password, causing the same problems as disclosure

What is a potential problem with lost or forgotten passwords?

It may be impossible to retrieve a lost or forgotten password

What is an advantage of combining two or more forms of authentication?

It provides stronger authentication

What is a limitation of passwords as protection devices?

They contain a relatively small number of bits of information.

What is a common weakness in user-chosen passwords?

They are based on well-known strings or words.

What is a type of attack that can be used to infer a user's password?

Dictionary attack

What is a countermeasure against weak passwords?

Posting dictionaries of phrases and specialized lists to identify weak passwords

What type of software is available to scan a system for weak passwords?

COPS Crack and SATAN utilities

What is a type of password that is easily guessed by an attacker?

A password based on a well-known string

Why do administrators often need to assign a new password to a user?

Because the user loses or forgets their password.

What is the purpose of password recovery software?

To recover lost or forgotten passwords

What is necessary to achieve true security in authentication?

All of the above

Why might limiting users to certain workstations or times of access cause complications?

Because users might need to work overtime or access the system remotely

What is an advantage of limiting users to certain workstations or times of access?

Improved security

What is the goal of security analysts in recognition of normal activity?

To recognize normal, allowed activity

What is an example of using additional information to authenticate users?

Limiting access to specific workstations and times

Why might someone try to impersonate a user like Adams?

All of the above

What is the benefit of using techniques like limiting access to certain workstations or times?

Improved security

What is the trade-off of using techniques like limiting access to certain workstations or times?

Increased security for decreased convenience

Study Notes

Inferring Passwords Likely for a User

• A user may use a password derived from well-known personal information, such as:
  • The same as the user ID
  • Is, or is derived from, the user's name
  • A common word list (e.g., password, secret, private) plus common names and patterns (e.g., qwerty, aaaaaa)

Exhaustive Attack (Brute Force Attack)

• In an exhaustive or brute force attack, the attacker tries all possible passwords, usually in an automated fashion.
• The number of possible passwords depends on the implementation of the particular computing system.
• For example, if passwords are words consisting of 26 characters (A-Z) and can be of any length from 1 to 8 characters, there are 26^1 + 26^2 + ... + 26^8 = 5 * 10^12 possible passwords.

Good Passwords

• To improve password security, use practices such as:
  • Using characters other than just a-z (e.g., digits, uppercase and lowercase letters)
  • Choosing long passwords, as the combinatorial explosion of password guessing difficulty begins around length 4 or 5

Authentication

• Human authentication involves recognition of someone's identity, often based on familiar characteristics (e.g., face, voice).
• Computer authentication involves controlled access, where someone is authorized to take some action on something.
• Authentication is the act of proving that asserted identity, that the person is who they say they are.

Identification versus Authentication

• Identities are often well-known, predictable, or guessable (e.g., user ID, name, bank account number, email address).
• Authentication should be reliable and private.
• Authentication mechanisms use any of three qualities to confirm a user's identity:
  • Something the user knows (e.g., passwords, PIN numbers, passphrases).
  • Something the user is (e.g., biometrics, such as a fingerprint, voice pattern, or face).
  • Something the user has (e.g., identity badges, physical keys, driver's license).

Authentication Based on Phrases and Facts

• User authentication and verification using passwords:
  • A user enters a piece of identification (e.g., name, user ID).
  • The system requests a password from the user.
  • If the password matches, the user is authenticated and allowed access.

Attacking and Protecting Passwords

• Passwords are limited as protection devices due to the relatively small number of bits of information they contain.
• People often pick passwords that do not take advantage of the available bits (e.g., choosing a well-known string, such as qwerty or password).
• Dictionary attacks can be used to infer user passwords.
• Countermeasures include:
  • Posting dictionaries of phrases and specialized lists to identify weak passwords.
  • Using utilities like COPS Crack and SATAN to scan a system for weak passwords.
  • Password recovery software.

Secure Authentication

• To achieve true security, consider the problem, tools, and possible attacks.
• Additional information can be used to authenticate users, such as:
  • Time of access (e.g., limiting access to specific hours or days).
  • Physical location (e.g., limiting access to specific workstations or offices).
• Limiting users to certain workstations or times of access can cause complications, but may provide added security.

Description

Learn about common password derivation methods and exhaustive attack techniques used to compromise password security.