SB 11: Authentication and Passwords Flashcards

1
Q

What does authentication stand for and by what basic process can it be achieved?

A

The binding of an identity to a principal. External entities must provide information to the system so that it can confirm their identity.

Process:
1. Obtain authentication information
2. Analyze the information
3. Determine whether the information is associated with the entity

2
Q

What is salting?

A

With password salting, a random piece of data is added to the password before it runs through the hashing algorithm, making it unique and harder to crack.

In cryptography, a salt is random data fed as an additional input to a one-way function that hashes data, a password or passphrase. Salting helps defend against attacks that use pre-computed tables (e.g. rainbow tables), by vastly growing the size of table needed for a successful attack. It also helps protect passwords that occur multiple times in a database, as a new salt is used for each password instance. Additionally, salting does not place any burden on users.

3
Q

What is the difference between an online and an offline dictionary attack?

A

Offline: All information required to crack the passwords is copied off the system, giving the attacker “infinite” time to crack them. Infinite in the sense that they have all the time they need, provided the passwords aren’t changed.
Online: cracking the password whilst interacting with the system. Can make use of the authentication functions (the part that verifies identity) to crack them if other information is unavailable. Difficult to prevent if the authentication functions are the means of breaking them.

4
Q

What are some ways of preventing an online dictionary attack?

A

Back-off: increases the time between each failed attempt to authenticate.
Disabling: if n consecutive attempts fail, the account is disabled.
Jailing: gives the unauthenticated user access to a limited part of the system. All actions performed by the attacker are recorded.

5
Q

What are some classes of authentication methods?

A

Something the entity:
1. is
2. knows
3. has
Extra:
4. does
5. is located (someplace)

6
Q

What are some ways a password can be cracked?

A

Rainbow tables
Try likely/probable passwords
Dictionary attacks
Look for them
Ask the user (social engineering)
Eavesdropping
