Hashing and Passwords

Question 1

What is Hashing?

Answer 1

• Based on Cryptographic methods
• Takes a normal mesage, and returns as a fixed-sized output
  
  • ​Hash value
  • Finite number of outputs

Question 2

What are some Hashing properties?

Answer 2

• Deterministic
  
  • msg1→hash1
• Computationally efficient
  
  • Hashing is (relatively) fast
• Pre-image resistant
  
  • Hashing is one-way
• Collision resistant
  
  • If msg1→hash1 & msg2→hash1, then collision because they are the same

Question 3

What are some Common Hash Functions?

Answer 3

1. MD5
2. SHA1

Question 4

What is the MD5 Hash Function?

Answer 4

• It’s a broken system
• 16 byte output (128 bits)

Question 5

What is the SHA1 Hash Function?

Answer 5

• Slower, more secure
• 20 byte output (160 bits)

Question 6

What are three kinds of offline attacks?

Answer 6

1. Brute Force
2. Dictionary Attack
3. Rainbow Table

Question 7

What are some website/server responsibilities?

Answer 7

• Use Hashing
  
  • (Increases exploit effort in event of password file compromise)
• Use Salt
  
  • (Protect against Rainbow Table Attack)
• Control/restrict access to the password file
  
  • (Reduce likelihood of password file compromise)

Question 8

What are some Client responsibilities?

Answer 8

• Uncommon password
  
  • (Protect against Dictionary Attack)
• Uses multiple character sets
  
  • (A-Z, a-z, 0-9, special characters) (Protect against Dictionary Attack. Protect against (increase effort of) Brute Force Attack)
• Long password
  
  • (Protect against (increase effort of) Brute Force Attack)
• Do not reuse passwords from other accounts
  
  • (Decreases impact in event of password file compromise)

Question 9

How does Two Factor authentication work?

Answer 9

You have to provide:

• Something you know (password, usually)
• Something you have or something you are