SY110 Homework Alpha: ________ Name: ___________________ Page 1 of 2
Collaboration Policy: Default
MIDN Last, F.
Choose one (or more): □ None □ XS110 □ EI with: ______ □ MGSP □ Discussed with: ______________________
Homework: /SY110/Cyber Security Tools/Hashing & Passwords
1. [ 15 / 10 / 5 / 0 ] Discuss the difference in the security of a web site that stores hashes of
users’ passwords with a web site that stores users’ passwords in plaintext.
2. [ 15 / 10 / 5 / 0 ] What three things should a web site do to protect the passwords of its
users?
3. [ 20 / 15 / 10 / 0 ] Put an X in each box where the column's protective measure helps protect
against the attack type. Note: Read the student notes before you answer.

Protective Measure /   | Choosing a      | Two-Factor     | Password Throttling | Hashing & | Password
Attack Type            | Strong Password | Authentication | & Account Lockout   | Salting   | Stretching
-----------------------+-----------------+----------------+---------------------+-----------+-----------
Key Logger             |                 |                |                     |           |
Physical Torture       |                 |                |                     |           |
Offline Attack         |                 |                |                     |           |
Online Attack          |                 |                |                     |           |
4. Regarding password strength.
a. [ 5 / 3 / 0 ] Make up a strong password. DO NOT enter a password you otherwise use.
b. [ 5 / 3 / 0 ] What properties should a strong password have?
5. [ 10 / 8 / 5 / 0 ] Match the description on the right to the protective measure or attack type.

Answer | Measure / Attack          | Description
-------+---------------------------+-------------------------------------------------------------------
       | Throttling                | A. Server stores the 10,000th hash of a password.
       | Brute Force               | B. Server is slower to respond to incorrect password entries.
       | Offline Attack            | C. Authenticate a user by more than just a password.
       | Password Stretching       | D. Used to mitigate a Rainbow Table attack.
       | Password Expiration       | E. Attacker is using password-cracking tools against a stolen
       |                           |    password file.
       | Key Logger                | F. A script is entering username and password information, trying
       |                           |    all possible passwords of length n.
       | Two-Factor Authentication | G. User-entered data is captured from the user's local system and
       |                           |    sent to the attacker.
       | Online Attack             | H. Attacker continues to guess passwords until one works.
       | Hashing & Salting         | I. Change password every 90 days so that the attacker only has a
       |                           |    limited time to crack and use a password.
6. Suppose Mal is a bad guy with an account at bigbuystores.com, which hashes passwords
but does not use salt. Mal steals the password file from bigbuystores.com and starts looking
through it. Mal's username is cypher, and he notices that the hash value for user penelope1 is the
same as his own hash value.
a. [ 5 / 3 / 0 ] What does that mean?
b. [ 5 / 3 / 0 ] Why is it a lucky break for Mal, the bad guy?
c. [ 5 / 3 / 0 ] Why wouldn't this happen if bigbuystores.com used salt?
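The scenario in question 6, as an added example (not part of the worksheet): a constructed two-user password file is stored first the way bigbuystores.com does it (unsalted hash), then with a per-user random salt plus stretching to the 10,000th hash as described in question 5A. The usernames follow the scenario; the shared password and the hand-rolled stretching loop are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample: two users who happen to have chosen the same password.
USERS = {"cypher": "correct horse battery", "penelope1": "correct horse battery"}


def unsalted_hash(password: str) -> str:
    """What bigbuystores.com does in the scenario: hash the password alone."""
    return hashlib.sha256(password.encode()).hexdigest()


def stretched_hash(password: str, salt: bytes, iterations: int = 10_000) -> str:
    """Salt the password, then re-hash so the server stores the 10,000th hash.
    Production systems use PBKDF2, bcrypt, scrypt or Argon2 instead of this
    hand-rolled loop; the loop mirrors the worksheet's wording."""
    digest = hashlib.sha256(salt + password.encode()).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha256(digest).digest()
    return digest.hex()


def unsalted_password_file(users: dict) -> dict:
    """Returns {username: hash}. Equal passwords give equal entries, which is
    exactly what Mal spots when comparing his row with penelope1's."""
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def salted_password_file(users: dict) -> dict:
    """Returns {username: (salt, hash)} with a fresh random 16-byte salt per user,
    so equal passwords no longer produce equal stored values."""
    store = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        store[user] = (salt, stretched_hash(pw, salt))
    return store


def verify(store: dict, user: str, password: str) -> bool:
    """Login check against the salted store (constant-time comparison)."""
    if user not in store:
        return False
    salt, expected = store[user]
    return hmac.compare_digest(stretched_hash(password, salt), expected)


if __name__ == "__main__":
    plain = unsalted_password_file(USERS)
    print("unsalted hashes equal:", plain["cypher"] == plain["penelope1"])
    salted = salted_password_file(USERS)
    print("salted hashes equal:", salted["cypher"][1] == salted["penelope1"][1])
    print("penelope1 can log in:", verify(salted, "penelope1", USERS["penelope1"]))
```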
7. [ 15 / 10 / 5 / 0 ] Explain why, even if a web site used hashing and salting, its users'
passwords would still be in danger if the web site used HTTP instead of HTTPS for the login
pages. Note: "because HTTP is insecure" is insufficient; explain the specific insecurity.