Password Security Flashcards
(12 cards)
What is a password?
A shared secret used to gain access to a system.
* Known to:
  * A user of the system
  * The system itself
Authentication
- Authentication is the process of verifying an actor’s identity
- Critical for security of systems
- Permissions, capabilities, and access control are all contingent upon knowing the identity of the actor
Why is obtaining a password important?
- Obtaining a user’s password can be among the first steps into gaining access to a system
How Strong is a Password?
A password’s strength depends on how long it takes an attacker to guess it.
Attackers often try all possible combinations of characters (brute-force).
Longer passwords are stronger because the number of possible combinations increases exponentially with length.
How to measure uncertainty with entropy
- Minimum uncertainty when:
- You know an event will definitely happen
- You know an event will never happen
- Maximum uncertainty when:
- Probability of events is the same
Why is a high entropy desirable?
A higher entropy implies a greater number of combinations of symbols that need to be checked, which increases the time to crack a password.
So, the implication is that the higher the entropy of a password, the greater its strength.
Cons of entropy
People don’t create passwords with equal chances for each character.
Some symbols/letters are used more often than others (depends on language).
The next character often depends on the previous ones (not truly random).
Problem: Password File Theft
- If the passwords are plain text, what happens?
- The attacker can now log in as any user, including root/administrator
- Passwords should never be stored in plain text
Hashed Passwords
- Key idea: store hashed passwords
- Use one-way cryptographic hash functions.
- Good examples: sha256, sha512, sha3, shake
- Bad examples: md5, crc, sha1
- Easy to go from input to a hash, hard to find input from hash
Cryptographic hash function
Transforms input data into scrambled, fixed-size output.
Deterministic: the same input always gives the same output.
Cons of bad hashes
Hash Collisions
Bad hashes (like MD5, SHA-1) are vulnerable to collisions, where two different inputs produce the same output.
This violates one of the key properties of a secure hash: collision resistance.
Limited Output Size (Pigeonhole Principle)
Hashes have a fixed output size (e.g., SHA-1 = 160 bits), but the input can be of any length.
Eventually, different inputs must map to the same output, so collisions are unavoidable.
Hardening Password Hashes
Problem: Cryptographic hashes are deterministic
→ Same input always gives the same output
→ So attackers can precompute hash lists (rainbow tables) to crack passwords.
Solution: Use a unique salt for each password
→ A random value (S) added to the password before hashing
→ Makes hashes unique, even for identical passwords.
Stored passwords should always be salted to make them unique and slow down attacks.
Salting forces attackers to brute-force each password separately (no reused hash lookups).
How to make salted passwords safer
Normal hash algorithms are too fast, allowing GPUs to brute-force passwords easily.
Solution: Use specially designed slow hash functions like bcrypt, scrypt, PBKDF2.
These algorithms have a work factor to increase calculation time, making attacks slower.
scrypt also requires a lot of memory, making brute-force attacks even harder.