025 Identity and Privacy - 025.1 Identity and Authentication (weight: 3)

Questions and Answers

What is a potential security risk of using security questions for password recovery?

• They require complex algorithms to store securely.
• Answers can be easily obtained through social media. (correct)
• They are not recognized by most services.
• They are difficult to remember for most users.

Why is it important to protect answers to security questions similarly to passwords?

• They are less important than regular passwords.
• They are always encrypted by the service.
• They can provide access to security-sensitive accounts. (correct)
• They do not require regular updates.

What can happen if an attacker gains access to an email account during password recovery?

• They can only reset that specific password.
• They can improve their own password management.
• They will be locked out of other services.
• They can request recovery links for multiple services. (correct)

What is an example of credential stuffing?

Testing previously leaked passwords on different accounts. (B)

What is a suggested practice when using a password manager regarding security questions?

Provide random answers and document them. (C)

What is the primary purpose of authentication in digital identity management?

To verify the identity of a person or device (D)

What is the main role of authorization in access management?

To check the permissions of an identified user (B)

Which statement accurately describes digital identity?

Represents the combination of access credentials and permissions (B)

Which of the following can be considered an identifications characteristic of a user?

A unique password known only to that user (D)

What risk do passwords face in digital identity management?

They are susceptible to various types of attacks (D)

What is accounting in the context of access management?

The documentation of resource usage by a user or device (B)

Why is it essential for accessing personal data to be limited only to authorized individuals?

To prevent unauthorized transactions and data breaches (D)

Which of the following best describes the relationship between access credentials and actions performed in a service?

Access credentials determine the actions a person can take within a service (C)

What is a primary function of password managers?

Generate random passwords (D)

Which element is essential for accessing a password manager's database?

A main password or certificate (D)

How does multi-factor authentication increase security?

By adding a second verification method (D)

What is the function of One Time Passwords (OTP)?

Passwords that can only be used once (D)

What is a key characteristic of Time-based OTP (TOTP)?

Generates passwords that are valid for a set time interval (B)

What does the acronym MFA stand for in the context of security?

Multi-Factor Authentication (C)

Which method is NOT typically part of multi-factor authentication?

Something you draw (like a signature) (C)

Which type of password manager requires internet access to function properly?

Online password manager (C)

What is a potential risk of using online password managers?

Dependence on the service's availability and security (D)

What signifies that a compromised password might have been leaked?

Automatic notifications from certain services (C)

What is the purpose of encryption in password managers?

To secure the database against unauthorized access (D)

What is a feature of Keepass2 as an offline password manager?

Allows synchronization between systems (C)

In multi-factor authentication, what does 'knowledge' typically refer to?

The user's password (B)

Which is an example of a characteristic used in multi-factor authentication?

Fingerprint (C)

What is a fundamental characteristic that passwords should not possess?

They should not have meanings. (A)

Why is it suggested that passwords should not be changed too frequently?

Frequent changes lead to easier passwords. (D)

What is the primary purpose of using a unique password for each service?

To limit damage in case of compromise. (A)

What is a significant risk associated with storing passwords in plaintext?

Service operators could misuse them. (A)

How does an attacker typically conduct a brute force attack?

By trying all possible combinations of passwords. (C)

How can password complexity be effectively increased?

By including a mix of characters. (A)

What is the function of a hash in password management?

To create a fixed-length representation of the password. (B)

What is a weakness of using rainbow tables in password attacks?

They cannot be used with salted passwords. (B)

What technique is used to reinforce hashes against rainbow table attacks?

Incorporating salts into the hashing process. (C)

What is a common approach behind dictionary attacks?

Utilizing known words and phrases. (D)

What does the term 'credential stuffing' refer to?

Using stolen credentials to access different services. (B)

What is the effectiveness of using the same password across multiple services?

It poses a significant security risk. (D)

What is the impact of increasing password length?

It dramatically increases potential combinations. (A)

Why should services avoid storing passwords in clear text?

It exposes users to identity theft risk. (A)

Study Notes

Digital Identities

• Importance of verifying identities when using digital services to protect personal data.
• Contract parties must be clearly identified for legal agreements.
• Public administrative services should only be accessed by authorized individuals.

Access Management Phases

• Authentication: Confirming a user or device’s identity through username, password, and a second factor.
• Authorization: Checking the permissions of a user or device after identity verification.
• Accounting: Logging actions taken by a user or device to monitor resource utilization.

Key Components of Digital Identities

• Access credentials (username and password) define a user's digital identity.
• Secure access credentials are critical for performing actions such as signing contracts or accessing personal data.

Identification Features

• Users typically have a username, often their email address, alongside a password for identification.
• Passwords should be known only to the user to validate requests safely.

Password Characteristics

• Passwords must avoid meaningful words or easily obtainable information (e.g., birthdays).
• Emphasizes the necessity of complex and random passwords to reduce the risk of password guessing.
• Regular password changes may lead to simpler password choices; unique passwords for different accounts are crucial.

Password Security Analysis

• Each additional character in a password exponentially increases possible combinations.
• For instance, a 10-character password using digits and letters yields over 430 trillion possibilities.

Password Attack Types

• Brute Force Attacks: Guessing passwords by trying all combinations; time-consuming and can involve predefined lists of common passwords.
• Dictionary Attacks: Using pre-compiled lists of words and common passwords combined with extensions or alterations.
• Credential Stuffing: Utilizing compromised credentials from one service to access others.

Risks Associated with Plaintext Passwords

• Storing passwords in plaintext makes them susceptible to theft and misuse.
• Advocates for hashing passwords to protect against unauthorized access.

Password Hashing and Security Methods

• Passwords should never be stored in plaintext; use hash functions to store hashed values instead.
• Rainbow Tables: Precomputed tables to reverse hash values into their original passwords, highlighting the need for secure password storage practices.
• Salted Hashes: To prevent recognition from rainbow tables, unique random characters (salts) are added to passwords before hashing.

Monitoring Leaked Passwords

• Numerous online services collect and allow users to check if their credentials have been compromised in data breaches.
• Example service: Have I Been Pwned.

Password Managers

• Tools designed to manage and store user credentials in an encrypted database.
• Generate complex passwords and help users maintain unique credentials across various services.
• Can be either offline (local storage) or online (cloud-based service) with respective pros and cons.

Multi-Factor Authentication (MFA)

• Combines multiple forms of verification: knowledge (password), possession (hardware token), and inherent traits (biometrics).
• Adds an additional layer of security against unauthorized access.

One-Time Passwords (OTP)

• Tokens that can only be used once, often generated by hardware tokens or authenticator apps.
• Two types include:
  • HOTP: Utilizes a counter and shared secret to generate a verifiable hash.
  • TOTP: Employs time-based values alongside a shared secret to continually refresh the authentication token.

Password Recovery Procedures

• Techniques for resetting passwords include security questions and recovery emails.
• Security questions are prone to guesswork due to their often publicly available answers.
• Recovery emails pose a risk if attackers gain access to the associated email accounts.

Conclusion

• The security of digital identities and credentials requires a multifaceted approach, highlighting strong passwords, effective user authentication methods, frequent monitoring, and solid password management practices.