More on Passwords

Question 1

Describe the 4 presented solutions for cracking passwords, their advantages and drawbacks

Answer 1

Solution 1:
List all passwords, for each password calculate hash on the fly, compare to target hash
Pros: simple, no space needed
Cons: high computational effort, same computation for every new hash
Solution 2:
- List all passwords, for each passwords calculate hash, store in db, sort
- for given h(x), look up the hash in db
Pros: lookup simple, small lookup time
Cons: huge db
Solution 3:
- define reduce function f which trims hash, hash function h
- password is hashed with h, reduced with f, hashed with h, … n times
- only store first and last column
-> multiple pw are ‘merged’ to same hash column
Pros: more computation than lookup, less than on-the-fly, more space than on-the-fly, less than lookup, feasible and efficient
Cons: Probability of merging chains is very likely with only one reduction function
Solution 4:
Same as solution 3 but using different reduction functions

Question 2

Name 4 alternatives to passwords

Answer 2

• biometric authentication
• user certificates (hardware and software based)
• use existing auth infrastructure (nPA)
• SSO

Question 3

Name 2 problems with SSO

Answer 3

• privacy: service knows which other services I’m using

- los access to SSO -> lose all related services