Questions and Answers
- What is the primary purpose of using a salt in a hash function?
- What type of attack involves systematically trying all possible words or combinations from a pre-existing list?
- How can an organization defend against rainbow table attacks?
- What is the name of the open-source password cracker that uses a combination of brute-force and dictionary techniques?
- What is the primary weakness that password crackers exploit?
- What is the name of the hash function recommended for Unix systems?
- What is the main reason why shorter password lengths are easier to crack?
- What is the primary goal of a complex password policy?
- What is the purpose of a shadow password file?
- What is the primary advantage of proactive password checking?
- What is the main advantage of using token-based authentication?
- What is the primary purpose of a bloom filter in password checking?
Study Notes
Unix Password Hashing
- An MD5-based hash function is recommended for Unix
- A salt of up to 48 bits is used to produce a 128-bit hash
- Password length is unlimited
- An inner loop is run for 1000 iterations to slow down hash computation
Bcrypt Hash Algorithm
- Used by OpenBSD
- Based on the Blowfish block cipher
- Uses a 128-bit salt to create a 192-bit hash value
- Considered the most secure version of the Unix hash/salt scheme
Password Attacks
- Dictionary attacks: try a large dictionary of likely passwords against the password file
- Rainbow table attacks: pre-compute tables of hash values for all possible salts
- Both can be countered by using a sufficiently large salt value and a sufficiently large hash length
Password Crackers
- John the Ripper: open-source password cracker that uses a combination of brute-force and dictionary techniques
- Exploits the fact that people choose easily guessable passwords
Defending Against Password Attacks
- Use sufficiently large and unique salt values for each user's password
- Use complex password policies to force users to pick stronger passwords
Password Selection Strategies
- User education: inform users about the importance of using hard-to-guess passwords
- Computer-generated passwords: can be difficult for users to remember
- Reactive password checking: system periodically runs its own password cracker to find guessable passwords
- Complex password policy: system checks to ensure the password is allowable
Proactive Password Checking
- Rule enforcement: specific rules that every new password must satisfy
- Password checker: compile a large dictionary of passwords that must not be used
- Bloom filter: builds a compact table of hash values from that dictionary so candidate passwords can be checked against it
Token-Based Authentication
- Card-based tokens: physical hardware tokens carried by the user
- Two primary ways to authenticate using mobile phones: SMS messages and software apps
Description
This quiz covers the security features of Unix password hashing, including hash functions, salt schemes, and protection against dictionary attacks.