User Authentication and Password Security Quiz
20 Questions

Questions and Answers

What is one reason why passwords are considered a popular form of user authentication?

  • Passwords require expensive client-side hardware.
  • Passwords are compatible with legacy systems. (correct)
  • Passwords are inherently secure and cannot be compromised.
  • Passwords provide excellent reliable identification.

Which characteristic pertains to biometrics in user authentication?

  • Works effectively with legacy systems.
  • Has a low typical deployment cost per user.
  • Has excellent reliable identification. (correct)
  • Requires no client-side hardware.

What is a significant threat to password security mentioned in the content?

  • Password storage files always use secure hash functions.
  • The complexity of passwords enhances security automatically.
  • Passwords can only be fragile if not stored properly.
  • Users may write down passwords and share them. (correct)

Which authentication technology requires client-side software occasionally?

  Answer: Tokens

In what way does the password authentication process begin?

  Answer: The user chooses a password.

What is a guideline for creating secure passwords?

  Answer: Passwords must not contain more than two paired letters.

How often should passwords typically be changed according to common practices?

  Answer: Every 60 to 90 days

Why is it important for passwords to be kept secret?

  Answer: It uniquely identifies the user.

What behavior commonly leads to password disclosure?

  Answer: Sharing passwords with friends or coworkers.

What practice should users avoid to maintain password integrity?

  Answer: Reusing previously used passwords.

What is a primary weakness of passwords regarding security?

  Answer: Software can attempt millions of combinations quickly.

Which of the following is NOT a recommended practice for creating a secure password?

  Answer: Reusing passwords from previous accounts.

To ensure passwords are hard to guess, which rule should be followed?

  Answer: Passwords must include at least three character types.

What is the purpose of using a large character set when creating passwords?

  Answer: To increase the number of possible combinations.

Which of these character combinations should be included in a strong password?

  Answer: A mix of uppercase, lowercase, numbers, and special characters.

What is the primary benefit of password synchronization for users?

  Answer: It enables users to remember only one password.

What should password policies enforce regarding user behaviors?

  Answer: Prohibit password sharing and specify consequences for violations.

Which of the following is a requirement for password synchronization systems?

  Answer: Synchronized passwords must be strong and changed regularly.

What does the 'intruder lockout' feature accomplish?

  Answer: It temporarily disables accounts after a number of invalid login attempts.

What issue does 'password chaos' refer to?

  Answer: Users managing multiple identities and passwords across many platforms.

    Study Notes

    Password Authentication and Biometrics - Chapter 2

    • This chapter focuses on password and token-based authentication.

    Objectives

    • Understanding the use of passwords for authentication.
    • Exploring potential threats of password usage.
    • Learning about two-factor authentication (passwords and tokens).

    User Authentication and Passwords

    • Many applications rely on reliable user authentication.
    • Authentication methods include:
      • What you have (e.g., CRYPTOCard).
      • What you know (e.g., passwords).
      • Who you are (e.g., biometrics).

    Authentication Characterization

    • Secrets:
      • Good reliability in identification.
      • Client-side hardware is not required.
      • Client-side software is not required.
      • Low typical deployment cost/user.
      • Works with legacy systems.
    • Tokens:
      • Very good reliability in identification.
      • Sometimes requires client-side hardware.
      • Sometimes requires client-side software.
      • Medium typical deployment cost/user.
      • Does not work with legacy systems.
    • Biometrics:
      • Excellent reliability in identification.
      • Requires client-side hardware.
      • Requires client-side software.
      • High typical deployment cost/user.
      • Does not work with legacy systems.

    Security Threats

    • Cost and compatibility with legacy systems make passwords the most common form of user authentication.
    • Passwords are simply secret words or phrases.

    Basic Password Authentication

    • Setup:
      • User chooses a password.
      • Hash of password is stored in a file.
    • Authentication:
      • User logs in and provides password.
      • System computes the hash of the supplied password and compares it with the stored hash.

    Password Compromise

    • Passwords can be compromised in several ways:
      • Writing them down or sharing them.
      • Guessing them, whether by a person or by a program that tries many possibilities.
      • Intercepting them while they are transmitted over a network.
      • Reading them from where they are stored on a workstation, server or backup media.

    Human Factors

    • Users often have many passwords for different systems.
    • Users have limitations in remembering complex or frequently changing passwords.
    • Common passwords (e.g., 123456) are frequently used.
    • Many users write their passwords down or store them in a file.

    Human Factors (continued)

    • Trouble remembering passwords can lead to:
      • Writing down passwords (reducing security).
      • Forgetting passwords (requiring help to reset).
      • Using simple, easily guessed passwords.
      • Reusing old passwords.

    Top 20 Most Common Passwords

    • Common passwords, such as 123456, qwerty, or password.

    Composition Rules

    • Password complexity is paramount.
    • Passwords should be long (e.g., ten characters or more).
    • Include several character types (uppercase, lowercase, numbers, symbols).
    • The set of all possible passwords (the search space) should be vast, and passwords should not be derived from easily guessed values.
    • Composition rules should eliminate the most probable guesses.

    Possible Password Combination Examples

    • The number of possible passwords is the size of the legal character set raised to the power of the password length.
    • The slides give examples of character sets (0-9, a-z, A-Z) and the resulting number of possible passwords at various lengths.

    Composition Rules (continued)

    • Avoid passwords based on user's name or login ID.
    • Avoid dictionary words.
    • Avoid repeating characters (no more than two paired letters).

    Changing and Reusing Passwords

    • Regularly changing passwords limits potential damage from compromised ones.
    • Many systems force users to change their passwords periodically (e.g., every 60-90 days).
    • Reusing old passwords should be avoided.

    Secrecy

    • Passwords need to be unique identifiers, only known to the intended user.
    • Users may share, write down their passwords or place them in easily accessible locations.

    Password Synchronization

    • Password synchronization is a security process that coordinates user passwords across multiple devices.
    • This simplifies user login by having the user remember only one password for various devices.
    • A strong password policy helps mitigate guessability by attackers.

    Password Synchronization Products

    • Examples of password synchronization products (e.g., Microsoft Azure AD, Hitachi ID systems, Mobile Applications).

    Password Chaos

    • Forcing users to juggle many constantly changing login credentials creates security flaws and exposes vulnerable systems to risks that cannot be predicted.
    • Password chaos hampers the development of e-commerce.

    Password Synchronization Requirements

    • Very insecure systems should not participate in password synchronization.
    • Regularly changing synchronized passwords is crucial.
    • Users need to select strong passwords for authentication.

    Intruder Detection

    • Many systems detect when a user enters an incorrect password several times within a short period and block further access.
    • This "intruder lockout" feature prevents brute-force attacks.
    • It mitigates the risk of password guessing by stopping further guesses, and any other entry to the secured system, once the threshold is reached.

    Intruder Detection (continued)

    • Applying intruder lockout only to ordinary users, and exempting administrator accounts, limits the scope of distributed denial-of-service (DDoS) attacks that work by deliberately triggering lockouts.
    • Setting a high threshold for intruder detection (e.g., 10 failed attempts within 5 minutes) helps to prevent spurious lockouts due to typing errors.
    • Quickly clearing lockouts after a period of inactivity reduces impact on legitimate users while maintaining security.
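The lockout rules of this and the previous section as an added example in Python (not code from the slides): 10 failures within a 5-minute window lock an account, exempt administrator accounts are never locked, and a lockout clears by itself after an assumed 15 minutes. The clock is passed in explicitly so the behaviour can be exercised without waiting.

```python
from collections import deque

THRESHOLD = 10             # failed attempts ...
WINDOW_SECONDS = 5 * 60    # ... within this window trigger a lockout
LOCKOUT_SECONDS = 15 * 60  # lockout clears after this long (assumed value)


class IntruderLockout:
    """Tracks failed logins per account and enforces intruder lockout."""

    def __init__(self, exempt_accounts=()):
        # Accounts (e.g. administrators) that are never locked out, so bad
        # passwords sent by an outsider cannot lock the admins out.
        self.exempt = set(exempt_accounts)
        self.failures = {}      # account -> deque of failure timestamps
        self.locked_until = {}  # account -> time at which the lockout clears

    def is_locked(self, account, now):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            # Lockout has expired: clear it and the old failure history.
            del self.locked_until[account]
            self.failures.pop(account, None)
            return False
        return True

    def attempt(self, account, password_ok, now):
        """Record one login attempt; returns 'locked', 'success' or 'failure'."""
        if self.is_locked(account, now):
            return "locked"           # refused even if the password is right
        if password_ok:
            self.failures.pop(account, None)
            return "success"
        if account in self.exempt:
            return "failure"          # not counted, never locked
        history = self.failures.setdefault(account, deque())
        history.append(now)
        # Drop failures older than the window so occasional typos never add up.
        while history and now - history[0] > WINDOW_SECONDS:
            history.popleft()
        if len(history) >= THRESHOLD:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            return "locked"
        return "failure"
```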

    Encryption

    • Passwords often have to be transmitted for login, which exposes them.
    • Encryption protects data both in transit and in storage.
    • Passwords should be encrypted wherever they reside on servers or workstations, so that they remain unreadable to unauthorized users even if intercepted or accessed.
    • Encryption provides confidentiality: only authorized users can read the data.
    • A cipher transforms data into an unreadable form (encryption) and reconstructs the original (decryption), protecting it from unauthorized interception.

    Symmetric and Asymmetric Encryption

    • Symmetric encryption uses the same key for encryption and decryption.
    • Asymmetric encryption uses two keys (public and private) and encrypting with one requires the opposite key to decrypt.

    Hashing Algorithm (MD5)

    • MD5 is a hashing algorithm with a 128-bit output.
    • Used for verifying files.
    • It has a known weakness: collisions (two different files with the same hash) can be found.

    Hashing Algorithm (SHA)

    • SHA (Secure Hash Algorithm) is a family of hash functions with several versions (SHA-0, SHA-1, SHA-2, SHA-3).
    • SHA-1 (160-bit output) is still commonly used, though its security is questionable.
    • Newer variants such as SHA-2 and SHA-3 are more secure.

    Hashing Algorithm (SHA-2 and SHA-3)

    • SHA-2 and SHA-3 are stronger variants of SHA.
    • SHA-2 comes in several output sizes (224, 256, 384 and 512 bits) and offers increased protection against collisions.
    • SHA-3, approved in 2012, is stronger still and brings further security improvements.

    Hash-based Message Authentication Code (HMAC)

    • HMAC combines a hash function (e.g., MD5, SHA-1) with a secret key for message authentication.
    • It provides assurance of the message's integrity and authenticity.

    Two-Factor Authentication

    • Utilizes multiple authentication methods combined to improve security.
    • This authentication process often includes something the user knows (e.g., PIN) and something the user has (e.g., ATM card).

    Two-Factor Authentication (Needs)

    • Increasing remote work and use of mobile devices makes this more important.
    • Used to prevent online fraud and malicious cyber-attacks.

    One-Time Password (OTP)

    • Static passwords (e.g., "john," "password") are easy to guess and crack.
    • OTPs use unique, temporary passwords for access.

    One-Time Password (OTP) - Types

    • Time-based OTPs are generated from a clock synchronized with the server's, so a new password appears every time interval.
    • Challenge-based OTPs are computed in response to a specific, time-sensitive challenge issued by the server.

    OTP based on Mathematical Algorithm

    • Generates one-time passwords by applying a one-way function to a seed, producing a fresh password each time.
    • Subsequent seed values may be substituted to further enhance security.

    OTP based on Time-Synchronization

    • OTPs derived from timestamps, synchronized with the server's clock, reduce the risk of a password being repeated.

    OTP based on Challenge

    • Users receive a time-sensitive challenge from the authentication server or system; the correct response to it yields a unique one-time password. This protects against password reuse and brute-force attacks.

    Description

    Test your knowledge on user authentication methods, focusing specifically on passwords and biometrics. This quiz covers important guidelines for creating secure passwords and common practices for maintaining password integrity. Enhance your understanding of the threats to password security and best practices for users.
