Passwords Flashcards

1
Q

Password storage forms (3)

A
  1. Plaintext (bad)
  2. Encrypted (fair)
  3. Hashed (good)
2
Q

Password-related techniques (4)

A
  1. Password storage forms
  2. Password policies
  3. Salting passwords
  4. Alternative password forms
3
Q

Types of passwords (4)

A
  1. Passphrases: user enters a long phrase/sentence that is hashed to become the password
  2. One-time passwords
  3. Visual passwords
  4. Picture passwords
4
Q

One-way functions: properties and example

A
  • ensure password security
  • easy to compute and hard to reverse
    e.g. hash functions: input of arbitrary length produces output of fixed length
5
Q

Hash function properties (2 general)

A
  1. Preimage resistance: given hash value y, computationally infeasible to find x where H(x) = y
  2. Collision resistance: computationally infeasible to find a pair (x, y) where x != y and H(x) = H(y)
6
Q

Hash function examples for crypto and for password hashing (2 each)

A

crypto: SHA-256, Keccak
password hashing: Argon2, bcrypt

7
Q

Plaintext passwords + 1 negative

A

claimant's password checked against the password DB
-ve: no protection against an attacker; dispute over who the real user is

8
Q

Hashed passwords

A
  • only the hashed password is stored
  • claimant's password gets hashed and checked against the hashed-password DB
  • protection against a hacker
9
Q

Attacks on passwords (2)

A
  1. Offline guessing attacks
    - Exhaustive attacks
    - Dictionary attacks
  2. Phishing and spoofing
10
Q

Offline guessing attack: overview + why it is a threat + 3 incidents

A
  • attacker obtains the hashed password and attempts to guess the password
  • a threat if the user reuses the same password for different accounts; hashes obtained via server hacks or traffic sniffing
  • password incidents: SingHealth breach, Adobe breach, LinkedIn password leak
11
Q

Brute force attack + solution

A
  • guess the password by going through candidate passwords and their hashes to check for a match
    Sol: increase the space of possible passwords, measured with password entropy 2^k
12
Q

Password entropy for dummies

A

2^k = (number of character types)^(length of password)

13
Q

Dictionary attack

A
  • can attack hashed passwords
  • exploits the weakness of human-picked passwords based on words in natural languages
  • same password has the same hash value
    1. Guess commonly used passwords
    2. Compute their hash values
    3. Look for the same hash value in the password file
  • sped up with a precomputed hash table
  • cheap to crack passwords due to high-speed hardware and cloud services
  • Strong password: modern hashing algorithm + hashing best practices
14
Q

Precomputed hash table

A
  • contains passwords and their hashes
  • with n-bit hashes and k possible passwords, table is of size k x n
  • NOT practical if k is large (the ideal case)
15
Q

Password salting

A
  • prevents precomputed hashes from being effective
  • salt (random string) added to the password before applying the hash function
  • different salt => different hash
  • salt of n bits: needs 2^n hashes for the same password
16
Q

Password storage summary

A
  • store passwords so that an attacker cannot obtain them even if the DB is compromised
  • slow down offline attacks by choosing hash algorithms that are resource intensive/slow; the work factor is adjustable
17
Q

Hashing vs encryption

A
  • passwords are hashed, NOT encrypted
  • Hashing: one-way function used to check passwords
  • Encryption: two-way function; the original plaintext password can be recovered using the key
18
Q

Password policies (6)

A
  1. Set a password for the attacker to guess
  2. Change default passwords
  3. Avoid guessable passwords: minimum length, character variety
  4. Password ageing: expiry dates + prevent reuse of passwords
  5. Limit login attempts
  6. Inform the user of the last login time and the number of failed logins since then
19
Q

One-time password overview + 1 positive

A

+ve: tackles the issue of stolen passwords being reused
  • generates a list of passwords where each password is used only once
  • Lamport's OTP: one-way function used to generate the password possibilities

20
Q

Protecting the password file + methods (3)

A

OS has a file with usernames and passwords
  1. Cryptographic protection
  2. Access control
  3. Combination of the above

21
Q

Failure rates

A
  • measure of similarity between reference features and current features
  • user accepted if the match is above a threshold
    i) False positive: accept the wrong user
    ii) False negative: reject a legitimate user; causes embarrassment and reduced work efficiency
22
Q

Should you write passwords down?

A

You can, and then store them in a locked drawer, BUT you are still vulnerable to keyloggers

23
Q

How to protect a website's security

A
  1. Ask your own security team to test, BUT depends on skill sets and possible internal conflicts
  2. Hire penetration-testing experts, BUT depends on skill sets, work commitment, work dedication and cost
  3. Open competition: talent from worldwide to fix bugs ASAP