Passwords Flashcards
What is a unix-style password?
Since it is a bad idea to store passwords in plaintext, we do a one way hash with collision resistance, and store this hash of the password.
How do you validate a hashed password?
The user inputs their username and password. The system will hash this password and compare the result of this to the hash they have stored in their database.
True or false, in unix, the system does not need to know your password?
True, it only needs to know your hashed password.
What is the difference between a dictionary attack and a precomputed dictionary attack?
A dictionary attack is simply brute force, where the attacker will compute a hash for a given password attempt and try it. This can be efficient as an offline attack. A precomputed hash attack is when the attacker has already computed a number of common passwords into hashes, so can directly compare these to the password file. It is much quicker than dictionary attack.
What is a password salt?
For each password, generate a random value, and hash the password together with this value. H(p + s).
You can store the salt in plaintext in the password file.
Name some advantages of salting? Also, how long is a unix salt typically?
The same password should created different hashes, as the salt will be different. It prevents precomputed hash attack. If we perform the hash multiple times, it makes it even harder for attackers.
Unix salts are up to 16 characters.
Where are hashed passwords stored?
etc/shadow, which is readable only to the system admin.
What is stored in etc/passwd?
This is a public directory, and contains various information about user accounts, but it does NOT contain the hashed passwords. These are in etc/shadow.
What is a disadvantage of having a difficult to remember password?
You are more likely to write it down, use it for multiple accounts, or be slow at typing it (which could make it vulnerable to over-the-shoulder attacks)
Name some ways we can make it harder to attack someone’s password?
Artificially slow down how long it takes to check a password. Limit the number of password attempts. Prevent popular passwords from being used. Train people not to use personal information in passwords.
What are three ways we could strengthen passwords?
Biometrics, passphrases, graphical images
