Unix Password Hashing and Security

Questions and Answers

What is the primary purpose of using a salt in a hash function?

To make it more difficult for attackers to use precomputed tables

What type of attack involves systematically trying all possible words or combinations from a pre-existing list?

Dictionary attack

How can an organization defend against rainbow table attacks?

By using a sufficiently large salt value and a sufficiently large hash length

What is the name of the open-source password cracker that uses a combination of brute-force and dictionary techniques?

John the Ripper

What is the primary weakness that password crackers exploit?

Poorly chosen passwords

What is the name of the hash function recommended for Unix systems?

Bcrypt

What is the main reason why shorter password lengths are easier to crack?

Because they have fewer possible combinations

What is the primary goal of a complex password policy?

To eliminate guessable passwords while allowing users to select a memorable password

What is the purpose of a shadow password file?

To store encrypted passwords that can be accessed by privileged users only

What is the primary advantage of proactive password checking?

It reduces the risk of password guessing attacks

What is the main advantage of using token-based authentication?

It provides an additional layer of security for user authentication

What is the primary purpose of a bloom filter in password checking?

To build a table based on hash values to check desired passwords

Study Notes

Unix Password Hashing

• MD5-based hash function is recommended for Unix
• Salt of up to 48-bits is used to create a 128-bit hash
• Password length is unlimited
• 1000 iterations of an inner loop are used to achieve slowdown

Bcrypt Hash Algorithm

• Used by OpenBSD
• Based on Blowfish block cipher
• Uses 128-bit salt to create 192-bit hash value
• Most secure version of Unix hash/salt scheme

Password Attacks

• Dictionary attacks: use a large dictionary of possible passwords to try against the password file
• Rainbow table attacks: pre-compute tables of hash values for all salts
• Can be countered by using a sufficiently large salt value and a sufficiently large hash length

Password Crackers

• John the Ripper: open-source password cracker that uses a combination of brute-force and dictionary techniques
• Exploits the fact that people choose easily guessable passwords

Defending Against Password Attacks

• Use sufficiently large and unique salt values for each user's password
• Use complex password policies to force users to pick stronger passwords

Password Selection Strategies

• User education: inform users about the importance of using hard-to-guess passwords
• Computer-generated passwords: can be difficult for users to remember
• Reactive password checking: system periodically runs its own password cracker to find guessable passwords
• Complex password policy: system checks to ensure the password is allowable

Proactive Password Checking

• Rule enforcement: specific rules that passwords must adhere to
• Password checker: compile a large dictionary of passwords not to use
• Bloom filter: used to build a table based on hash values

Token-Based Authentication

• Card-based tokens: hardware tokens
• Two primary ways to authenticate using mobile phones: SMS messages and software apps