Password Authentication Flashcards
What are the two standard security functions?
Identification of yourself as an authorised user
Authentication of yourself to the system as that user
What is an entity?
A user or a process in a system
What do we need to determine about the entity for authentication?
What the entity knows - Password, Secret
What the entity has - badge, token
What the entity is - biometrics
Where the entity is - IP, geolocation
What is Gollman’s principle of security?
It is important to determine which layer of the system the security mechanism should be placed at.
i.e. application, OS, kernel, hardware…
What must a system store about an entity or principal in order to allow authentication?
Set of authentication information
Set of complementary information
Set of complementary functions
Set of authentication functions
Set of selection functions
What is the set of authentication information and what is it used for?
The set of specific information required by entities to prove their identity (Passwords, tokens etc.)
This is used to bind an entity to an identity.
What is the set of complementary information and what is it used for?
Information stored on the system to validate the authentication information.
What are the complementary functions used for?
These functions generate the complementary information given the authentication information
What is the set of authentication functions?
These are the functions that verify identity by returning whether or not the login criteria have been met.
What is the set of selection functions?
Set of functions that allow an entity to create or alter the authentication and complementary functions, such as changing a password or requesting a new ID.
What is the password space?
The set of all passwords (all characters, in every combination, that can make up a password)
What is an attack vector in almost all modern public systems?
Authentication functions are always available and therefore always an attack vector
What are some protection mechanisms for authentication functions?
Exponential backoff: wait time is x^(n-1) after n failed attempts.
Disconnection after N attempts
Jailing: Disable the account after N unsuccessful attempts.
What are the problems with using passwords?
Loss
Disclosure - either stolen or given
User - more passwords are needed, so the same one is reused across many sites.
Revocation - Disclosure of password to admin.
What are the hazard points of physical password entry?
Shoulder surfing
Interception of transmissions over the network
Keyboards can be adapted
Door entry PIN pads etc. show wear and grease marks
How can the storage of passwords be protected?
Encrypt password file
Store one-way hash of the password
What are the attacks on password systems?
Brute force attack
Dictionary attack
What is a brute force attack on passwords?
A brute force attack is an attack that uses repeated trial and error with a random password generator.
What is a dictionary attack on passwords?
A common word list or word-seed function is used to test common words as the password.
What are the possible defences against password attacks?
Allowing finite login attempts
Insisting on rules such as seeding, or increasing the password space by requiring numbers, special characters, etc.
Why does increasing the password length and not allowing common passwords improve security?
Takes more time to guess as the password space increases
What do users tend to make password choices on?
Username
Real name
Computer name
Dictionary words
Reversed dictionary words
What is a challenge-response?
A challenge-response protects users if an attack has taken place by changing the input required to authenticate each time identity is confirmed.
The challenge is coupled with the user's password and hashed, then compared on the server side to authenticate.
What is password entropy?
The size of the password space. The higher the entropy, the harder it is to crack the password.