
Introduction to cyber security – Week 2, Authentication

10/11/2014

Passwords – what are they for?

Identification and authentication – Systems need to uniquely identify each user and prevent impersonation.

Risks and solutions

  • Password sent in plain text
    • Passwords sent over SSL are encrypted in transit, so an eavesdropper on the network cannot read them.
  • Password stored in plain text
    • A hashed version of the password is stored in the database instead. Hashing is a one-way process: the hash cannot be reversed to recover the true password, so a stolen database does not directly hand over the passwords.

Attacking passwords

Methods

  • Dictionary attack – tries candidate passwords drawn from word lists built from many sources (dictionaries, atlases, reference manuals etc.). Against plaintext passwords the candidates are compared directly; against a hashed store each candidate is hashed and the result compared with the stored hashes.
  • Brute force attack – tries every possible sequence of characters systematically. Guaranteed to find the password eventually, but very slow for anything beyond short passwords.

Prevention

  • Monitor unsuccessful login attempts and lock the account after a specified number of consecutive failures.
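The lockout rule above, as an added Python example (not code from the course or the original post). It assumes a caller-supplied check_password function and a hypothetical plaintext CREDENTIALS table standing in only for the real credential store, which should hold hashes as the notes describe; the injectable clock exists so the lockout expiry can be exercised without waiting.

```python
import time


class LoginGuard:
    """Wraps a password check and locks an account after too many failures.

    check_password(username, password) -> bool is supplied by the caller
    (assumption: the real credential store lives elsewhere).
    """

    def __init__(self, check_password, max_failures=5, lockout_seconds=900,
                 clock=time.monotonic):
        self._check = check_password
        self._max = max_failures
        self._lockout = lockout_seconds
        self._clock = clock
        self._failures = {}       # username -> consecutive failed attempts
        self._locked_until = {}   # username -> clock value at which the lock expires

    def is_locked(self, username):
        until = self._locked_until.get(username)
        if until is None:
            return False
        if self._clock() < until:
            return True
        # Lock has expired: clear it and start counting afresh.
        del self._locked_until[username]
        self._failures.pop(username, None)
        return False

    def attempt(self, username, password):
        """Returns 'ok', 'bad_password' or 'locked'."""
        if self.is_locked(username):
            # Rejected before the password is even looked at, so a correct
            # guess during the lockout window gives the attacker nothing.
            return "locked"
        if self._check(username, password):
            self._failures.pop(username, None)   # success resets the counter
            return "ok"
        n = self._failures.get(username, 0) + 1
        self._failures[username] = n
        if n >= self._max:
            self._locked_until[username] = self._clock() + self._lockout
            return "locked"
        return "bad_password"


class FakeClock:
    """Manually advanced clock so lockout expiry can be tested deterministically."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


# Constructed stand-in for a credential store (assumption; plaintext only to keep
# the example focused on lockout logic).
CREDENTIALS = {"alice": "correct horse"}


def run_scenario(max_failures=3, lockout_seconds=60):
    """Three wrong guesses, then the right password during and after the lockout."""
    clock = FakeClock()
    guard = LoginGuard(lambda u, p: CREDENTIALS.get(u) == p,
                       max_failures=max_failures,
                       lockout_seconds=lockout_seconds, clock=clock)
    results = [guard.attempt("alice", "wrong") for _ in range(max_failures)]
    results.append(guard.attempt("alice", "correct horse"))   # still locked
    clock.now = lockout_seconds + 1
    results.append(guard.attempt("alice", "correct horse"))   # lock expired
    results.append(guard.attempt("alice", "wrong"))           # counter was reset
    return results


if __name__ == "__main__":
    print(run_scenario())
```

Two caveats worth keeping in mind: a lockout is something an attacker who knows usernames can trigger deliberately to deny service to legitimate users, so a temporary lock (as here) or a growing delay is preferable to a permanent one, and the counter should be kept per account, since attackers rotate source addresses. Lockout also does nothing against offline guessing once the stored hashes have been stolen; that is what hashing and salting are for.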

Salting

Adding a random value (the salt) to the plaintext password before hashing it.

The hash and the salt are stored together on the password server; the salt does not need to be kept secret, it only needs to be unpredictable.

A different random salt for each password is required for the process to be effective: with one shared salt, a single table of pre-hashed dictionary words would still crack every account at once.

Advisable to use a salt the same size as the hash output, e.g. a 256-bit hash should use a 256-bit salt.
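To make the hashing and salting points concrete, an added Python example (not code from the course or the original post) that runs a dictionary attack against an unsalted SHA-256 store and then against a per-user salted one, using a 32-byte salt to match the 256-bit output as the notes advise. USERS and WORDLIST are constructed sample data, and the attack functions count hash operations so the cost difference is visible.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (assumption): a few accounts and a tiny cracking wordlist.
USERS = {"alice": "letmein", "bob": "Tr0ub4dor&3", "carol": "letmein"}
WORDLIST = ["password", "letmein", "qwerty", "dragon", "sunshine", "football"]


def hash_unsalted(password: str) -> bytes:
    """Plain SHA-256 of the password: hashed, but not salted."""
    return hashlib.sha256(password.encode()).digest()


def hash_salted(password: str, salt: bytes) -> bytes:
    """SHA-256 over salt || password."""
    return hashlib.sha256(salt + password.encode()).digest()


def store_unsalted(users: dict) -> dict:
    return {u: hash_unsalted(p) for u, p in users.items()}


def store_salted(users: dict) -> dict:
    """Each account gets its own 32-byte (256-bit) salt, stored beside the hash."""
    out = {}
    for u, p in users.items():
        salt = secrets.token_bytes(32)
        out[u] = (salt, hash_salted(p, salt))
    return out


def verify_salted(store: dict, username: str, password: str) -> bool:
    """Login check: re-hash with the stored salt, compare in constant time."""
    salt, digest = store[username]
    return hmac.compare_digest(hash_salted(password, salt), digest)


def precompute_table(wordlist) -> dict:
    """Attacker hashes the wordlist once; the table works against every unsalted store."""
    return {hash_unsalted(w): w for w in wordlist}


def attack_unsalted(store: dict, table: dict) -> dict:
    """One table lookup per account: cracked password, or None."""
    return {u: table.get(d) for u, d in store.items()}


def attack_salted(store: dict, wordlist):
    """No precomputation possible: every candidate is re-hashed with each user's salt.

    Returns (cracked, hashes_computed).
    """
    cracked, work = {}, 0
    for u, (salt, digest) in store.items():
        cracked[u] = None
        for w in wordlist:
            work += 1
            if hash_salted(w, salt) == digest:
                cracked[u] = w
                break
    return cracked, work


def demo():
    unsalted = store_unsalted(USERS)
    salted = store_salted(USERS)
    table = precompute_table(WORDLIST)
    return {
        "unsalted_cracked": attack_unsalted(unsalted, table),
        "unsalted_hashes": len(table),
        # In the unsalted store alice and carol are visibly the same password.
        "unsalted_reveals_reuse": unsalted["alice"] == unsalted["carol"],
        "salted_reveals_reuse": salted["alice"][1] == salted["carol"][1],
        "salted_cracked": attack_salted(salted, WORDLIST)[0],
        "salted_hashes": attack_salted(salted, WORDLIST)[1],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two things the run shows: with salts, identical passwords no longer produce identical hashes, and the attacker's precomputed table is useless, so the number of hash operations grows with the number of accounts instead of being paid once. The caveat is that plain SHA-256 is fast, so a salted store still falls to a wordlist when the password itself is weak (alice and carol above); production systems use a deliberately slow salted construction such as PBKDF2, bcrypt, scrypt or Argon2 so that each guess costs the attacker real time.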

How to pick a proper password

Password strength checker – https://www2.open.ac.uk/openlearn/password_check/index.html

Password manager

  • Available for your OS
  • Manages passwords for multiple sites and accounts
  • Synchronises across multiple computers
  • Has a good reputation

Two-factor authentication

  • Chip and PIN for card payments or cash withdrawals (something you have plus something you know)
  • Bank card and card reader for online banking access
  • Password plus a verification code sent via SMS – e.g. Google website, Facebook

