User Authentication Flashcards
(14 cards)
What are the 3 steps of offline dictionary attacks?
1) attacker gets a password file 2) attacker gets an encrypted/hashed password 3) attacker tries passwords from a dictionary of common passwords and compares them with the encrypted/hashed one
What are 3 countermeasures to offline attacks?
Store hash of password, add salt to password, keep passwords away from userIDs
What are 3 properties of Hash Functions?
1) Non-reversible (can hash, cannot unhash) 2) Fixed size produced 3) Hash produced is unique
What are 4 steps to hash salting?
1) Get password 2) Add salt 3) Compute hash 4) Store hash and salt
What are Rainbow Tables?
Precalculated tables for reversing hash functions
What are 2 positives of Rainbow Tables?
Rainbow tables do not take much space, brute force takes much more time
What are the two steps of User Authentication?
Identification, Verification
What are three approaches to authentication?
What you know (password), what you have (a key), who you are (fingerprint)
Attack against Password Authentication: What is Phishing as an attack? Countermeasure to this Phishing?
Make a fake website that user puts password into. Server-side authentication so you know server is legit
Attack against Password Authentication: What is Interception as an attack? Countermeasure to this Interception?
Attacker intercepts password being written. Encrypt communication between users and websites
What are 2 measures against password brute force attacks?
Lock out after a certain number of attempts, Password policies (e.g. minimum password length)
What are 2 ways of measuring the effectiveness of a password?
Password Strength, Entropy
How is Password Strength calculated?
|Alphabet| ^ length of password
How is Entropy calculated?
n * log base 2 |a|