passwords Flashcards

(15 cards)

1
Q

Why shouldn’t passwords be stored in plaintext?

A

If a plaintext password file is accessed or leaked, all user credentials are exposed. Instead, cryptographic hash functions should be used to store only hashed passwords.

2
Q

What is CWE-260 and how is it relevant?

A

CWE-260 refers to storing cleartext passwords in memory or files. It’s a known security weakness and has been found even in products by experienced cybersecurity vendors like SonicWall.

3
Q

How should passwords be stored securely?

A

Use a cryptographic hash function to store H(password). For added protection, include a user-specific salt: store H(password, salt), which helps defend against dictionary and rainbow table attacks.

4
Q

What is the purpose of salting a password before hashing?

A

Salting ensures that identical passwords result in different hashes, making precomputed attacks (like rainbow tables) ineffective and forcing attackers to compute each hash individually.

5
Q

How do brute-force capabilities compare between basic and complex passwords?

A

Simple 8-character lowercase passwords can be cracked in seconds using GPUs. Larger character sets and longer lengths increase cracking time significantly, though cracking remains feasible unless strong hashing is used.

6
Q

What is a major risk with password reuse?

A

If the same password is used across accounts, a breach in one system can compromise all others. This has led to massive credential stuffing attacks using millions of leaked credentials.

7
Q

Why is frequent password changing no longer recommended?

A

NIST guidelines discourage frequent mandatory changes because they lead to predictable behavior such as incremental updates. Instead, focus on strong, unique passwords and change them only if a compromise is suspected.

8
Q

What are some issues with password managers and websites?

A

Password managers struggle with some web authentication features, and many websites don’t implement forms cleanly or follow standards, leading to insecure or unusable password autofill.

9
Q

What is Kerckhoffs's principle in password hashing?

A

It states that a system's security should not depend on the secrecy of the algorithm. Instead, only the key (the password) must be secret. Therefore, hashing functions must remain secure even when they are publicly known.

10
Q

What is the benefit of upgrading password hashing schemes?

A

New schemes are more resistant to current attack methods. A safe upgrade involves using flags to identify hashing methods and migrating hashes during logins or via password resets.

11
Q

What role do salts and CSPRNGs play in password hashing?

A

Salts make each hash unique per user. Cryptographically Secure Pseudo-Random Number Generators (CSPRNGs) ensure salts are unpredictable, preventing targeted attacks and improving overall security.

12
Q

What are the three main types of MFA factors?

A

1. Something you know (password), 2. Something you have (phone, token), 3. Something you are (biometrics). Using more than one creates multi-factor authentication.
13
Q

What’s the difference between SMS-based and app-based 2FA?

A

SMS relies on phone numbers, making it vulnerable to SIM-swapping. App-based 2FA relies on device ownership, making it generally more secure as it avoids telecom infrastructure vulnerabilities.

14
Q

Why is voice biometrics not recommended?

A

Voice can be recorded or synthesized, making it vulnerable to spoofing. Studies show AI-generated voices and phishing can easily bypass voice authentication systems.

15
Q

How have fingerprint scanners been bypassed?

A

Researchers have used 3D printing and AI-generated ‘masterprints’ to spoof fingerprint readers, successfully defeating security in many consumer devices, especially with low FMR thresholds.
