ChatGPT Chapter 3 - User Authentication Flashcards
User Authentication
The process of verifying an identity claimed by or for a system entity
Two steps in the authentication process
- Identification: Presenting an identifier to the security system
- Verification: Confirming the binding between the entity and the identifier
4 means of authenticating user identity
- Something the individual knows (Password, PIN, answer to security questions)
- Something the individual possesses (Smartcard, electronic keycard, or physical key)
- Something the individual is (Static biometrics like fingerprint, retina or face)
- Something the individual does (Dynamic biometrics like voice pattern, handwriting, or typing rhythm)
What is password-based authentication?
Method where a user provides a name (loginID) and a password, which the system compares with a stored password for that login
Common vulnerabilities of password-based authentication
- Electronic monitoring
- Password guessing
- Offline dictionary attacks
- Specific account attacks
- Popular password attacks
- Workstation hijacking
- Exploiting user mistakes
- Exploiting multiple password use
Example of electronic monitoring
Malware that records every keystroke a user types
Example of an offline dictionary attack
Attacker obtains a database of hashed passwords and compares them against precomputed hash values of commonly used passwords
Example of Specific Account Attacks
Gathering personal information about a user to guess password
Example of workstation hijacking
Attacker accesses a logged-in workstation that was left unattended
Example of Exploiting user mistakes
User leaves password on a sticky note on desk
Example of exploiting multiple password use
Attacker gains access to one account and reuses the credentials to access the user's email or banking accounts
Online vs. Offline password attacks
Online: Requires interaction with a service or resource
Offline: Works with intercepted or stolen data such as password hashes
What are hashed and salted passwords?
Hashed passwords: Passwords transformed using a hash function
Salt: A random value added to each password before hashing to make attacks harder
Why is salting important in password storage?
It prevents duplicate passwords from being visible in the password file and increases the difficulty of offline dictionary attacks
What are dictionary and rainbow table attacks?
Dictionary attack: Tries commonly used passwords
Rainbow Table Attack: Uses precomputed hash values for faster cracking. Salted passwords counteract this