Security Flashcards
What password attack vectors do you know?
- Brute-force attacks
- Dictionary attacks
- Rainbow table
- Malware (keyloggers, screen capture, credential-stealing trojans)
- Credential stuffing (replaying username/password pairs leaked from other sites)
- Phishing and social engineering
What is a rainbow table attack? What is a rainbow table?
An attacker who steals a copy of the user database gets password hashes, not passwords. Hashing is one-way, so nothing is "decrypted": the attacker identifies the hash algorithm (from the hash length and format) and then tries to find an input that produces each stored hash. A rainbow table makes that lookup fast for unsalted hashes.
A rainbow table is a precomputed lookup structure for a specific hash algorithm and keyspace (for example all 8-character lowercase passwords) that maps hashes back to the plaintexts that produce them. Rather than storing every (plaintext, hash) pair, it stores chains: starting from a plaintext, the hash is computed, a reduction function maps the hash back to a new plaintext, and so on; only the start and end of each chain are kept, and a lookup regenerates the chain on demand. The table is built once and reused against every unsalted database that uses the same algorithm, which is exactly what a per-user salt prevents.
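The chain construction above, as an added example that is not part of the original flashcards. It assumes a toy keyspace of 4-digit PINs hashed with unsalted SHA-256, chains of 10 hash/reduce steps, and a reduction function chosen here for illustration; only chain endpoints are stored, and `crack` regenerates chains to recover a PIN from its hash. The salted lookup at the end shows why the table is useless once a salt is mixed in.

```python
import hashlib
import random
from typing import Dict, List, Optional

# Assumptions for this illustration: keyspace is 4-digit PINs "0000".."9999",
# the unsalted hash is SHA-256, and each chain applies CHAIN_LEN hash/reduce steps.
KEYSPACE = 10_000
CHAIN_LEN = 10


def H(pw: str) -> bytes:
    """The (unsalted) password hash the table is built for."""
    return hashlib.sha256(pw.encode()).digest()


def reduce_hash(h: bytes, col: int) -> str:
    """Reduction function: map a hash back into the keyspace. Mixing in the
    column index is what makes this a *rainbow* table: two chains that collide
    in different columns do not merge, which keeps coverage high."""
    return f"{(int.from_bytes(h[:8], 'big') + col) % KEYSPACE:04d}"


def build_table(n_chains: int, seed: int = 1) -> Dict[str, List[str]]:
    """Precompute chains from random start points; store only endpoint -> starts."""
    rng = random.Random(seed)
    table: Dict[str, List[str]] = {}
    for start in rng.sample(range(KEYSPACE), n_chains):
        pw = f"{start:04d}"
        cur = pw
        for col in range(CHAIN_LEN):
            cur = reduce_hash(H(cur), col)
        table.setdefault(cur, []).append(pw)
    return table


def crack(table: Dict[str, List[str]], target: bytes) -> Optional[str]:
    """Recover the plaintext for `target` if it lies on any stored chain."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        # Assume the target sits in column `col`; roll forward to the endpoint.
        cand = reduce_hash(target, col)
        for later in range(col + 1, CHAIN_LEN):
            cand = reduce_hash(H(cand), later)
        for start in table.get(cand, ()):
            # Endpoint matched: regenerate that chain and look for the hash.
            # A match on the endpoint can be a false alarm, so we always re-check H().
            cur = start
            for step in range(CHAIN_LEN):
                if H(cur) == target:
                    return cur
                cur = reduce_hash(H(cur), step)
    return None


def coverage(table: Dict[str, List[str]], samples: int = 200, seed: int = 7) -> float:
    """Fraction of random PINs the table recovers (constructed sample, offline)."""
    rng = random.Random(seed)
    hits = sum(crack(table, H(f"{p:04d}")) is not None
               for p in rng.sample(range(KEYSPACE), samples))
    return hits / samples


if __name__ == "__main__":
    table = build_table(2_000)
    print(f"stored {len(table)} endpoints for {2_000 * CHAIN_LEN} chain points, "
          f"coverage ~{coverage(table):.0%}")
    # A per-user salt changes the function the table was built for, so the
    # same table finds nothing even though "1234" is in the keyspace.
    salted = hashlib.sha256(b"salt:" + b"1234").digest()
    print("salted 1234 cracked:", crack(table, salted))
```

The time/memory trade-off is visible in the numbers: 20,000 chain points are covered by 2,000 stored endpoints, at the cost of regenerating chains during lookup. Real tables use larger keyspaces, longer chains and many more chains, but the lookup logic is the same.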
What is salt?
A random, unique-per-user string that is stored together with the password hash (it is not secret) and mixed into the hash input. Because every user has a different salt, identical passwords produce different hashes, and an attacker can neither reuse precomputed tables nor crack all users' hashes in one pass; each hash must be attacked individually. A salt does not make a weak password strong: a short dictionary word is still found quickly by a per-hash dictionary attack.
What is password stretching?
Making a password hash deliberately slow to compute for everyone, including the login service and password crackers, so that each guess costs the attacker more. The simplest method iterates the hash function many times, i.e. storing Hash(Hash(Hash(Hash…(Hash(salt||password)))…)), which is what PBKDF2 does; bcrypt, scrypt and Argon2 are purpose-built password hashes with a tunable work factor (and, for scrypt and Argon2, a memory cost that also slows GPU and ASIC cracking). The work factor should be raised over time as hardware gets faster.
What is pepper?
A pepper is a secret value added to the password before hashing, for example by prepending it or by using it as an HMAC key over the password. It can be considered a second salt, another input that changes the hash outcome completely. Unlike a salt it is the same for all users and is not stored in the database along with the hashes; it lives in application configuration, an environment variable or an HSM, so that a database dump alone is not enough to start cracking.
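Salt, stretching and pepper combined in one password-storage routine, as an added example that is not part of the original flashcards. It uses only the Python standard library; the pepper value, the `pbkdf2_sha256$iterations$salt$hash` storage format and the iteration count are assumptions for this illustration (600,000 is in line with current OWASP guidance for PBKDF2-HMAC-SHA256). `naive_hash` is included only to contrast with the unsalted case.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption: in a real deployment the pepper is loaded from configuration, an
# environment variable or a KMS/HSM, never from the database holding the hashes.
PEPPER = b"example-pepper-keep-out-of-the-db"   # constructed value for this example
ITERATIONS = 600_000                             # stretching work factor


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS, pepper: bytes = PEPPER) -> str:
    """Return a self-describing string: algorithm, work factor, salt and hash."""
    if salt is None:
        salt = os.urandom(16)                    # per-user salt, stored in the clear
    # Pepper as HMAC key: the secret is mixed in before stretching, so a database
    # dump without the pepper cannot even start a guessing attack.
    peppered = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    # Stretching: PBKDF2 iterates HMAC-SHA256 `iterations` times.
    dk = hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str, pepper: bytes = PEPPER) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    peppered = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    dk = hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations)
    return hmac.compare_digest(dk, expected)


def naive_hash(password: str) -> str:
    """Unsalted, unstretched SHA-256: the case a rainbow table is built for."""
    return hashlib.sha256(password.encode()).hexdigest()


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("login ok:", verify_password("correct horse battery staple", stored))
    print("wrong pw:", verify_password("Tr0ub4dor&3", stored))
    # Two users with the same password: identical without salt, different with it.
    print(naive_hash("hunter2") == naive_hash("hunter2"))
    print(hash_password("hunter2") == hash_password("hunter2"))
```

Because the iteration count is stored with the hash, it can be raised for new passwords (and on next login for old ones) without breaking existing records; the pepper, by contrast, cannot be rotated without rehashing every user, which is why peppers are usually applied as a separate HMAC layer rather than concatenated.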
What Is Browser Fingerprinting?
Browser fingerprinting happens when websites use special scripts to collect enough information about you — such as your browser, timezone, default language, and more — that they can uniquely identify you out of the sea of other internet users
What is Session-Based Authentication?
In session-based authentication the server creates a session record after the user logs in and keeps it server-side (in memory, Redis or a database). Only the session ID, a long random value, is sent to the browser in a cookie. While the user stays logged in the browser sends the cookie with every subsequent request; the server looks the ID up in its session store to establish who the user is and responds with the corresponding state. Because the state lives on the server, a session can be revoked at any time simply by deleting the record. The ID must be unguessable (CSPRNG output), and the cookie should be set with the HttpOnly, Secure and SameSite attributes.
Rails' default cookie store is a variant of this: the session data itself (e.g. the user ID) is encrypted and signed with secret_key_base and kept in the cookie; the server decrypts and verifies it on each request to recover the user ID, so nothing has to be stored server-side.
What is a signed token?
A signed token carries a signature over its own contents, computed with a key only the server holds (an HMAC for symmetric signing, or a private key for asymmetric signatures such as RSA or ECDSA). On each request the server recomputes or verifies the signature; if the contents have been altered, or the token was not created by the server, the check fails. The signature proves integrity and origin, not confidentiality: anyone holding the token can read its contents, so secrets must not be placed in it, and signatures should be compared in constant time.
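The two designs from the session and signed-token cards side by side, as an added example that is not part of the original flashcards: a server-side session store keyed by a random ID, and a stateless token whose payload is protected by an HMAC-SHA256 signature. The token format (`base64url(payload).base64url(signature)`), the in-memory store and the per-process `SERVER_KEY` are assumptions for this illustration; a real service persists the key and the store.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumption: a long-lived server secret; here generated per process for the demo.
SERVER_KEY = secrets.token_bytes(32)

# ---- server-side sessions: state on the server, only an opaque ID in the cookie ----
SESSIONS: dict = {}


def create_session(user_id: str) -> str:
    sid = secrets.token_urlsafe(32)           # 256 bits of CSPRNG output: unguessable
    SESSIONS[sid] = {"user_id": user_id, "created": time.time()}
    return sid


def lookup_session(sid: str) -> Optional[dict]:
    return SESSIONS.get(sid)


def destroy_session(sid: str) -> None:
    SESSIONS.pop(sid, None)                   # logout/revocation is a delete


# ---- signed tokens: state in the token, integrity from the signature ----
def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(payload: dict, key: bytes = SERVER_KEY, ttl: int = 3600) -> str:
    body = dict(payload, exp=int(time.time()) + ttl)
    data = b64url(json.dumps(body, sort_keys=True).encode())
    sig = hmac.new(key, data.encode(), hashlib.sha256).digest()
    return f"{data}.{b64url(sig)}"


def verify_token(token: str, key: bytes = SERVER_KEY,
                 now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the signature and expiry check out, else None."""
    try:
        data, sig = token.split(".")
        expected = hmac.new(key, data.encode(), hashlib.sha256).digest()
        # Check the signature BEFORE parsing the payload, in constant time.
        if not hmac.compare_digest(expected, unb64url(sig)):
            return None
        body = json.loads(unb64url(data))
    except ValueError:                        # bad base64, bad JSON, wrong shape
        return None
    if body.get("exp", 0) < (time.time() if now is None else now):
        return None
    return body


if __name__ == "__main__":
    sid = create_session("alice")
    print("session lookup:", lookup_session(sid))
    destroy_session(sid)
    print("after logout:", lookup_session(sid))

    tok = sign_token({"user_id": "alice", "role": "user"})
    print("token ok:", verify_token(tok))
    # An attacker rewrites the payload but cannot produce a matching signature.
    _, sig = tok.split(".")
    forged = b64url(b'{"exp": 9999999999, "role": "admin", "user_id": "alice"}') + "." + sig
    print("forged:", verify_token(forged))
```

The trade-off the cards describe shows up directly: `destroy_session` revokes immediately, whereas a signed token stays valid until `exp` no matter what the server does, so short lifetimes (and, where needed, a server-side denylist) are the only way to limit a stolen token.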
What is a claim?
Claims are statements about a subject carried inside a token, such as the user's name, the profile's URL, or whether the user's email address has been verified. Standards such as OpenID Connect define a predefined set of such claims (sub, name, email, email_verified, ...); a verifier should trust a claim only after checking the token's signature, issuer, audience and expiry.
What is Authorization Code?
Authorization codes are used in redirection-based authorization flows (the OAuth 2.0 authorization code grant): the authorization server redirects the browser back to the client with a short-lived code, which the client then exchanges over a back channel for tokens. A code can be used only once; if it is presented again, the server must reject the request and should revoke every token previously issued for it. The official specification (RFC 6749) recommends a maximum code lifetime of 10 minutes, and the code should be bound to the client and redirect URI it was issued for (and to a PKCE code verifier for public clients).
What is Access token?
Access tokens are short-lived tokens (typically minutes to an hour) that a client presents, usually as a bearer token in the Authorization header, to access protected resources. Anyone holding one can use it until it expires, so it must be sent only over TLS and never logged.
What is Refresh token?
Refresh tokens are longer-lived credentials that let the client obtain a new access token from the authorization server once the current one has expired, without sending the user through the login flow again. They are only ever sent to the authorization server, must be stored securely, and are commonly rotated: each use returns a new refresh token and invalidates the old one, so that reuse of a stolen token can be detected.
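The three token types from the last three cards in one minimal authorization server, as an added example that is not part of the original flashcards. It models the code exchange, one-time use of the code with revocation on reuse, short-lived access tokens and rotated refresh tokens; the in-memory stores, the `now` parameter (so expiry can be tested offline) and the lifetimes other than the 10-minute code limit are assumptions for this illustration. Real servers additionally authenticate confidential clients and check PKCE, which this example omits.

```python
import secrets
from time import time
from typing import Optional

CODE_TTL = 600            # RFC 6749 recommends at most 10 minutes
ACCESS_TTL = 3600         # assumption: one-hour access tokens
REFRESH_TTL = 30 * 86400  # assumption: 30-day refresh tokens


class AuthServer:
    """Toy authorization server with in-memory stores (not production code)."""

    def __init__(self) -> None:
        self.codes: dict = {}     # code -> client_id, user_id, redirect_uri, exp, used
        self.access: dict = {}    # token -> user_id, exp, code
        self.refresh: dict = {}   # token -> user_id, client_id, exp, code

    # Step 1: after the user consents, the browser is redirected back with a code.
    def issue_code(self, client_id: str, user_id: str, redirect_uri: str,
                   now: Optional[float] = None) -> str:
        now = time() if now is None else now
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "user_id": user_id,
                            "redirect_uri": redirect_uri,
                            "exp": now + CODE_TTL, "used": False}
        return code

    # Step 2: the client exchanges the code over the back channel.
    def exchange_code(self, code: str, client_id: str, redirect_uri: str,
                      now: Optional[float] = None) -> Optional[dict]:
        now = time() if now is None else now
        rec = self.codes.get(code)
        # Code must exist and be bound to the same client and redirect URI.
        if rec is None or rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            return None
        if rec["used"]:
            # Reuse: deny and revoke everything issued for this code (RFC 6749 4.1.2).
            self._revoke_by_code(code)
            return None
        if rec["exp"] < now:
            return None
        rec["used"] = True
        return self._issue_tokens(rec["user_id"], client_id, code, now)

    # Resource server side: is this access token still good, and for whom?
    def introspect(self, access_token: str, now: Optional[float] = None) -> Optional[str]:
        now = time() if now is None else now
        rec = self.access.get(access_token)
        if rec is None or rec["exp"] < now:
            return None
        return rec["user_id"]

    # Step 3: once the access token expires, trade the refresh token for new ones.
    def refresh_tokens(self, refresh_token: str, client_id: str,
                       now: Optional[float] = None) -> Optional[dict]:
        now = time() if now is None else now
        rec = self.refresh.pop(refresh_token, None)   # rotation: old token is consumed
        if rec is None or rec["client_id"] != client_id or rec["exp"] < now:
            return None
        return self._issue_tokens(rec["user_id"], client_id, rec["code"], now)

    def _issue_tokens(self, user_id: str, client_id: str, code: str, now: float) -> dict:
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[at] = {"user_id": user_id, "exp": now + ACCESS_TTL, "code": code}
        self.refresh[rt] = {"user_id": user_id, "client_id": client_id,
                            "exp": now + REFRESH_TTL, "code": code}
        return {"access_token": at, "refresh_token": rt,
                "token_type": "Bearer", "expires_in": ACCESS_TTL}

    def _revoke_by_code(self, code: str) -> None:
        self.access = {k: v for k, v in self.access.items() if v["code"] != code}
        self.refresh = {k: v for k, v in self.refresh.items() if v["code"] != code}


if __name__ == "__main__":
    srv = AuthServer()
    code = srv.issue_code("web-app", "alice", "https://app.example/cb")
    tokens = srv.exchange_code(code, "web-app", "https://app.example/cb")
    print("user for access token:", srv.introspect(tokens["access_token"]))
    print("second exchange:", srv.exchange_code(code, "web-app", "https://app.example/cb"))
    print("after reuse, old access token:", srv.introspect(tokens["access_token"]))
```

Note the order of checks in `exchange_code`: the reuse check runs before the expiry check, so a replayed code still triggers revocation even after the ten minutes have passed; binding the code to the redirect URI is what stops an attacker who steals a code from redeeming it from a different callback.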