Passwords Flashcards

1
Q

What is a unix-style password?

A

Since it is a bad idea to store passwords in plaintext, we apply a one-way, collision-resistant hash to the password and store that hash instead.

2
Q

How do you validate a hashed password?

A

The user inputs their username and password. The system hashes this password and compares the result to the hash it has stored in its database.

3
Q

True or false: in Unix, the system does not need to know your password.

A

True, it only needs to know your hashed password.

4
Q

What is the difference between a dictionary attack and a precomputed dictionary attack?

A

A dictionary attack is simply brute force, where the attacker computes a hash for a given password attempt and tries it. This can be efficient as an offline attack. A precomputed hash attack is when the attacker has already computed the hashes of a number of common passwords, so they can be compared directly against the password file. It is much quicker than a dictionary attack.

5
Q

What is a password salt?

A

For each password, generate a random value and hash the password together with this value: H(p + s).
You can store the salt in plaintext in the password file.

6
Q

Name some advantages of salting. Also, how long is a Unix salt typically?

A

The same password should create different hashes, as the salt will be different. It prevents precomputed hash attacks. If we perform the hash multiple times, it makes it even harder for attackers.
Unix salts are up to 16 characters.

7
Q

Where are hashed passwords stored?

A

/etc/shadow, which is readable only by the system admin.

8
Q

What is stored in /etc/passwd?

A

This is a public directory, and contains various information about user accounts, but it does NOT contain the hashed passwords. These are in /etc/shadow.

9
Q

What is a disadvantage of having a difficult-to-remember password?

A

You are more likely to write it down, use it for multiple accounts, or be slow at typing it (which could make it vulnerable to over-the-shoulder attacks).

10
Q

Name some ways we can make it harder to attack someone's password.

A

Artificially slow down how long it takes to check a password. Limit the number of password attempts. Prevent popular passwords from being used. Train people not to use personal information in passwords.

11
Q

What are three ways we could strengthen passwords?

A

Biometrics, passphrases, graphical images
