(Review Questions) User Authentication
- The rainbow table attack is when an attacker precomputes the hashes of billions or trillions of passwords so that, if a website's password database is breached, the passwords can be cracked quickly. Suppose a website uses the following hashing scheme: when a user u registers with the password w, the website stores {u, SHA256(u||w)} in the password database. What problem(s) can you spot? What if the server instead stores {u, k, SHA256(w||k)}, where k is a randomly chosen one-byte number (between 0 and 255)? (‘||’ denotes string concatenation.) (Related question) Why should salts be chosen at random?
- Users often make typographical mistakes while typing their passwords. A website wants to help users notice when they have mistyped their password, using the following strategy. Let w = (c1, c2, ..., cn). The server takes every substring of w of length 3 and hashes each one separately. For example, if the password is `bucky` the server stores the set of hashes {H(buc), H(uck), H(cky)}. What is the issue with this hashing approach? Can you find an attack that recovers the user's password (e.g., ‘bucky’) easily from the set of hashes?
- What is the main difference between PBKDF2, bcrypt, and scrypt? Why is plain SHA256 not good enough for hashing passwords?
- If you have a computer that can compute 10M SHA256 hashes per second, how long will it take to crack the SHA256 hash of a 6-character password (containing only ASCII letters and digits) by brute force?
- Why is “CorrectHorseBatteryStaple” not a secure password? What makes a password secure against a dictionary attack? Note that in the homework, M@dis0n wasn't secure despite having a capital letter, a digit, and a symbol. Does a password policy necessarily improve the security of passwords?
- Why can’t we hash biometrics? How are they stored in devices?
- Can a person's height be used as a biometric? Why or why not?
- Give one benefit and one drawback of each of the following authentication media: passwords, biometrics, and smart cards.
- What is TOTP? How does it work? How does the Duo Security token work?
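A worked illustration of the salting question above (the scheme storing {u, SHA256(u||w)} and the variant with a one-byte salt k). This is example code added to these review questions, not part of the original page; the wordlist is constructed, and SHA256 hex digests stand in for the stored hashes. It shows three things a reader should spot: with the username acting as the salt, one table the size of the wordlist cracks a targeted user; a one-byte salt only multiplies the attacker's precomputation by 256, and the attacker does not even need to read k from the leaked record; and plain concatenation without a separator or length prefix lets different (u, w) pairs produce the same hash.

```python
import hashlib
import os

# Constructed attacker dictionary (hypothetical; real wordlists have billions of entries).
WORDLIST = ["password", "123456", "bucky", "letmein", "M@dis0n", "CorrectHorseBatteryStaple"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- Scheme 1: the server stores {u, SHA256(u || w)} ---------------------------
def store_scheme1(u: str, w: str):
    return (u, sha256_hex((u + w).encode()))


def attack_scheme1(record, wordlist=WORDLIST):
    """The 'salt' is the username, which is in the leaked record (and is
    predictable in advance for accounts such as 'admin'). A table of
    len(wordlist) hashes per targeted user is all the attacker needs."""
    u, h = record
    table = {sha256_hex((u + w).encode()): w for w in wordlist}
    return table.get(h)


def concat_collision() -> bool:
    """u||w is ambiguous: ('ab','c') and ('a','bc') hash to the same value, so
    distinct (user, password) pairs can share a stored hash."""
    return store_scheme1("ab", "c")[1] == store_scheme1("a", "bc")[1]


# --- Scheme 2: the server stores {u, k, SHA256(w || k)}, k one random byte ----
def store_scheme2(u: str, w: str):
    k = os.urandom(1)  # 8-bit salt, as in the question
    return (u, k, sha256_hex(w.encode() + k))


def build_table_scheme2(wordlist=WORDLIST):
    """Precomputed before any breach: every word under every one of the 256
    possible salts. A 1-byte salt therefore costs the attacker only 256x."""
    table = {}
    for w in wordlist:
        for k in range(256):
            table[sha256_hex(w.encode() + bytes([k]))] = w
    return table


def attack_scheme2(record, table):
    # The stored hash alone indexes the table; k is not needed at all.
    _u, _k, h = record
    return table.get(h)


if __name__ == "__main__":
    print(attack_scheme1(store_scheme1("alice", "bucky")))          # bucky
    print(concat_collision())                                        # True
    t = build_table_scheme2()
    print(len(t), attack_scheme2(store_scheme2("bob", "letmein"), t))  # 1536 letmein
```

By contrast, a 16-byte random salt would multiply the same precomputation by 2^128, which is why salts are long and drawn from a CSPRNG per user rather than derived from the username or squeezed into one byte.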
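A worked attack for the three-character substring question above. This is example code added here, not part of the original page. Assumptions: H is unsalted SHA256, the password alphabet is lowercase letters and digits (36^3 = 46,656 trigrams; even all 95 printable ASCII characters give only 857,375), and no trigram repeats within the password. Because the hashes are unsalted, the trigram dictionary is built once and reused against every user.

```python
import hashlib
import itertools
import string

# Assumed password alphabet for the attacker's enumeration.
ALPHABET = string.ascii_lowercase + string.digits


def H(s: str) -> str:
    # The server's hash function from the question; SHA256 assumed, unsalted.
    return hashlib.sha256(s.encode()).hexdigest()


def server_store(password: str) -> set:
    """What the server stores: the hash of every length-3 substring of w."""
    return {H(password[i:i + 3]) for i in range(len(password) - 2)}


def trigram_dictionary(alphabet=ALPHABET) -> dict:
    """Map hash -> trigram for the entire alphabet. Built once, offline."""
    return {H("".join(t)): "".join(t) for t in itertools.product(alphabet, repeat=3)}


def recover_trigrams(stored: set, table: dict) -> set:
    """Each stored hash covers only 3 characters, so a lookup inverts it."""
    return {table[h] for h in stored if h in table}


def assemble(trigrams: set) -> list:
    """Chain trigrams whose 2-character suffix equals another's 2-character
    prefix (like assembling DNA reads). Returns every string that uses each
    recovered trigram exactly once."""
    results = set()

    def dfs(chain, remaining):
        if not remaining:
            results.add(chain[0] + "".join(t[2] for t in chain[1:]))
            return
        for t in sorted(remaining):
            if t[:2] == chain[-1][1:]:
                dfs(chain + [t], remaining - {t})

    for start in trigrams:
        dfs([start], trigrams - {start})
    return sorted(results)


def crack(stored: set, table: dict) -> list:
    return assemble(recover_trigrams(stored, table))


if __name__ == "__main__":
    table = trigram_dictionary()
    print(crack(server_store("bucky"), table))  # ['bucky']
```

The lesson is that hashing short, independent fragments throws away the search space the full password would have had: an n-character password leaks n-2 hashes of 3-character strings, each trivially invertible, and the overlaps glue them back together.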