Password Security and Hashing Techniques
34 Questions

Questions and Answers

What is the primary purpose of adding salt to a password hash?

  • To create longer password hashes
  • To make dictionary attacks harder (correct)
  • To store the password more securely
  • To prevent password expiration
Which attack is not significantly mitigated by salting?

  • Online guessing attack
  • Brute-force attack
  • Dictionary attack
  • Chosen-victim attack (correct)

What is an example of a consequence when an attacker successfully guesses a password?

  • They may only guess incorrectly and be temporarily blocked
  • They must first obtain the salt from the user's file
  • They are automatically locked out after five incorrect guesses
  • They can access the user's data directly (correct)

How does salting impact the effectiveness of a dictionary attack?

  • It requires attackers to hash many combinations with salts (correct)

Which of the following methods can help protect against automated password guessing?

  • Increasing password length (correct)

What is a primary drawback of storing passwords in plaintext?

  • All users are compromised if the password file is hacked (correct)

What is a key advantage of password hashing compared to encryption?

  • Hashing does not store the original password, enhancing security (correct)

Which of the following attacks involves a hacker stealing a complete password file to perform their attack?

  • Offline dictionary attack (correct)

Which of the following best describes a major vulnerability associated with password management?

  • Reusing passwords across multiple sites (correct)

What does the process h(password) represent in password hashing?

  • The process of comparing hashes without revealing the plaintext (correct)

What happens if a hacker gains access to a hashed password file?

  • The passwords remain secure due to one-way encryption (correct)

What is a common method used by attackers in online brute-force attacks?

  • Using dictionaries of common passwords to guess (correct)

Why is it difficult for attackers to crack passwords that are hashed?

  • Each hash is unique and cannot be predicted (correct)

What is the primary purpose of a honeypot password?

  • To alert admins about ongoing attacks (correct)

What is a potential drawback of requiring frequent password changes?

  • It may lead to user frustration and insecure practices (correct)

Which technique is primarily used to manage password strength through restrictions?

  • Password Filtering (correct)

How does an artificial delay function in login attempts?

  • It exponentially increases the wait time with each failed attempt (correct)

What is the benefit of a pronounceable password?

  • They help users remember complex combinations more easily (correct)

What is the ideal number of allowed failed logins to minimize inconvenience while blocking attackers?

  • 3-4 attempts (correct)

Which of the following is NOT a characteristic of a strong password?

  • Using only lowercase letters (correct)

Which of the following techniques is specifically focused on delaying potential attackers?

  • Artificial Delay (correct)

What distinguishes biometric authentication from traditional methods?

  • It uses physical characteristics for verification (correct)

What challenge arises from biometrics despite their uniqueness?

  • Issues of false match and false non-match rates (correct)

In what type of application is it crucial to maintain a low false non-match rate?

  • Forensic applications (correct)

What is the primary concern regarding session keys in remote user authentication?

  • Replay attacks and eavesdropping (correct)

What could be a potential risk of a successful replay attack?

  • Impersonation of another party (correct)

What is the primary purpose of educating users about their last login details?

  • To identify potential security breaches (correct)

How does image authentication combat phishing attempts?

  • By displaying a unique image that only the user recognizes (correct)

What is a primary benefit of using a One-Time Password (OTP) system?

  • It minimizes opportunities for attackers to steal passwords (correct)

What is a significant drawback of using token authentication with memory cards?

  • They require a special reader for access (correct)

Which component of a smartcard is crucial for executing authentication protocols?

  • Integrated processor (correct)

What function does the antenna serve in an RFID card?

  • Modulating and demodulating signals (correct)

What defines the capability of a device used for generating One-Time Passwords?

  • It uses a predetermined seed and current time (correct)

Which of the following statements about token authentication is false?

  • Memory cards can process data securely (correct)

Study Notes

Password Storage

• Storing passwords in plain text is insecure: an attacker who obtains the password file compromises every user at once.
• Encrypting the passwords solves this problem, but raises the question of where to store the encryption key.
• Hashing is a solution: a one-way function is applied to each password, so the stored value cannot be decrypted back to the password.

Password Hashing

• Instead of storing passwords in plain text, store hashes of the passwords.
• Even if an attacker gains access to the file of hashed passwords, they cannot retrieve the passwords from it.
• To verify a password, hash the entered password and compare the result with the stored hash.

Password Vulnerabilities

• Offline dictionary attack: The attacker obtains the password file and tries to guess passwords by hashing dictionary words.
• Specific account attack: The attacker targets a particular account, using that user's salt to hash dictionary words.
• Popular password attack: Targeting common passwords, such as "password".
• Password guessing against a single user: Trying to guess a user's password by cycling through common combinations.
• Workstation hijacking: Accessing a user's workstation to obtain the password file or install keylogging software.
• Exploiting user mistakes: Deceiving users into revealing their passwords through phishing or social engineering.
• Exploiting multiple password use: The attacker targets an account whose owner uses the same password across multiple platforms.
• Electronic monitoring: Using malware or other means to monitor user activity and steal login credentials.

Password Attacks

• Online brute-force or dictionary attacks: The attacker tries combinations of letters, numbers, and symbols to guess the correct password.
• Offline attacks on the list of hashed passwords: The attacker uses a rainbow table to find the original password associated with a hash.
• Password reuse across sites: The attacker targets accounts whose owner uses the same password on multiple platforms.

Salting

• A salt is a random value added to a password before hashing.
• This makes it harder for attackers to use precomputed hash tables to crack passwords.
• It makes dictionary attacks more difficult, as the attacker must generate a hash for each possible salt value.

Online Dictionary Attack Foiled

• Salting makes it more difficult for attackers to launch successful online dictionary attacks.
• Attackers have to try many combinations of passwords and potential salts.

Password Attacks Countermeasures

• Strong Passwords: Use complex passwords with a mix of letters, numbers, and symbols.
• Limiting Login Attempts: Restrict the number of failed login attempts and lock the account after a set threshold to stop brute-force attacks.
• Honeypots: Create a fake account with a simple password to attract attackers, so that their activity can be monitored.
• Filtering: Restrict password choices by disallowing weak or common passwords, enforcing complexity requirements, and using regular expressions to define acceptable password formats.
• Aging: Require users to change their passwords regularly, encouraging more secure password choices.
• Pronounceable Passwords: Use non-dictionary words that are easy to remember and pronounce.
• Artificial Delays: Introduce delays in login processing so that attackers cannot quickly try many passwords.
• Last Login: Show users the date, time, and location of their last login to raise awareness and encourage them to report suspicious activity.
• Image Authentication: Use images as a second factor, preventing phishers from spoofing login pages.
• One-Time Passwords (OTPs): Generate unique passwords valid for a single login session, mitigating the risk of password compromise.
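The "limiting login attempts" and "artificial delays" countermeasures combined in one login throttle, as an added example that is not part of the original quiz. The threshold (4 failures, matching the 3-4 attempts the quiz cites), the 1-second base delay that doubles after each failure, and the 15-minute lockout are assumed values; the clock is injectable so the behaviour can be checked without sleeping.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Added example, not the quiz author's code. Assumed policy values:
MAX_FAILED = 4       # lock the account after this many consecutive failures
BASE_DELAY = 1.0     # seconds to wait after the first failure; doubles each time
LOCKOUT = 15 * 60    # seconds the account stays locked once MAX_FAILED is reached

@dataclass
class AccountState:
    failures: int = 0
    not_before: float = 0.0    # earliest time the next attempt is accepted
    locked_until: float = 0.0  # 0.0 means not locked

@dataclass
class LoginThrottle:
    now: Callable[[], float] = time.time          # injectable clock
    states: Dict[str, AccountState] = field(default_factory=dict)

    def _state(self, user: str) -> AccountState:
        return self.states.setdefault(user, AccountState())

    def can_attempt(self, user: str) -> Tuple[bool, float]:
        """Return (allowed, seconds_to_wait); refuse locked or delayed accounts."""
        s, t = self._state(user), self.now()
        if t < s.locked_until:
            return False, s.locked_until - t
        if t < s.not_before:
            return False, s.not_before - t
        return True, 0.0

    def record_result(self, user: str, success: bool) -> None:
        """Success resets the counters; each failure doubles the artificial delay,
        and the MAX_FAILED-th failure locks the account for LOCKOUT seconds."""
        s, t = self._state(user), self.now()
        if success:
            self.states[user] = AccountState()
            return
        s.failures += 1
        if s.failures >= MAX_FAILED:
            s.locked_until = t + LOCKOUT
        else:
            s.not_before = t + BASE_DELAY * 2 ** (s.failures - 1)  # 1s, 2s, 4s, ...
```

A real deployment would key the state on both account and source address and persist it outside the process, which this in-memory sketch omits.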

Token Authentication

• Memory Card: Stores information but cannot process it. Used for physical access, and combined with a password/PIN for computer use. It requires a specific reader, which is inconvenient.
• Smartcard: Has a processor, memory, and I/O ports. Authenticates with a reader or computer using a secure protocol. A popular option due to its portability and ease of use.
• RFID Card: Uses radio waves to communicate with a reader. A popular future option due to its wireless nature, convenience, and potential for increased security.

Biometric Authentication

• Static characteristics: Fingerprint, hand geometry, facial characteristics, retinal and iris pattern.
• Dynamic characteristics: Voiceprint, signature.
• Biometric authentication is considered more secure than password or token authentication because physical characteristics are unique to each person and difficult to replicate.

Biometric Accuracy

• Biometric systems are not perfect and produce false match and false non-match errors.
• Receiver Operating Characteristic (ROC) curve: Used to evaluate the trade-off between the false match rate and the false non-match rate.
• The threshold value used for authentication sets the balance between these two error rates.

Remote User Authentication

• Authentication over a network to establish a user's identity and exchange cryptographic session keys.
• Primary security concerns:
  • Confidentiality: Protecting session keys from eavesdropping.
  • Timeliness: Preventing replay attacks by ensuring messages are authentic and recent.

Replay Attacks

• An attacker intercepts a valid signed message and resends it later to impersonate the original sender.
• Can disrupt operations by presenting parties with messages that appear genuine but are fraudulent.

Description

This quiz covers essential concepts of password storage, encryption, and vulnerabilities. It discusses the importance of hashing passwords instead of storing them in plain text and outlines various attacks that can compromise password security. Test your knowledge on how to protect sensitive information effectively.

Quiz author: MagnanimousCloisonnism