Authentication and passwords and stuff (week 4) Flashcards
what are the problems with hashing passwords?
- password space is small; skewed distribution towards common pwds chosen by many users
- hashing is fast. the helps the adversary. a laptop can do about 2M SHA256 operations per second
- with reasonable password, adversary can figure out the password of one accound/password per second
what is the technique for slowing down hashing?
slow key-derivation functions
PBKDF2 and BCrypt
slow to compute (good for us!)
have an adjustable cost: make it arbitrarily slow (1 has can cost 1 second – 1000X slower that SHA256
internally these functions rely on performing repeated hashes
how do attacker’s get around the slow hasing?
rainbow tables
table of passwords-to-hash mappings
expensive to compute, but helps efficiently invert hashes afterwards
only needs to be built once for dictionary of common passwords
afterwards, can quickly crack common passwords in any database
what is salting a password? how does it slow down an attacker?
salting: input additional randomness into password hash
the server generates the salt when users register
this prevents the attacker from computing the hash, but attacker can still brute force passwords if they get access to the DB
two things we need to do to send a password over a network:
- send it through an encrypted connection (https)
2. use challenge response protocol
what is the challenge response protocol?
goals:
we want to stop intercepters from learning the password or a hash of the password
we want to prevent the service from learning a password we have for another service that we enter by mistake
how it works: service knows password service sends us a random challenge we send back the random challenge and password H(R || password)
What is entry?
A measure of how much effort it takes to brute force the password
Defined as a function set of possible characters (S) and length (L)
H = log_2(|S|^L)
only true if passwords are sampled uniformly form the set of characters
this is NOT the case. users often have bias towards certain passwords
so the formula is really just an upperbound
do format requirements always translate into higher entropy?
no.
defeat only simplest dictionary attacks
side effect: complicates password generation
how do biometrics compare to passwords in terms of usability?
not that much better in terms of entropy, but here’s some usability info: