SY110 Homework   Alpha: ________   Name: ___________________ (MIDN Last, F.)   Page 1 of 2
Collaboration Policy: Default. Choose one: □ None  □ XS110  □ EI with: ______________________ (or more)  □ MGSP  □ Discussed with: ______________________
Homework: /SY110/Cyber Security Tools/Hashing & Passwords

1. [ 15 / 10 / 5 / 0 ] Discuss the difference in security between a web site that stores hashes of its users' passwords and a web site that stores its users' passwords in plaintext.

2. [ 15 / 10 / 5 / 0 ] What three things should a web site do to protect the passwords of its users?

3. [ 20 / 15 / 10 / 0 ] Put an X in each box where the column's protective measure helps protect against the row's attack type. Note: Read the student notes before you answer.

   Attack Type       | Choosing a Strong Password | Two-Factor Authentication | Password Throttling & Account Lockout | Hashing & Salting | Password Stretching
   ------------------|----------------------------|---------------------------|---------------------------------------|-------------------|--------------------
   Key Logger        |                            |                           |                                       |                   |
   Physical Torture  |                            |                           |                                       |                   |
   Offline Attack    |                            |                           |                                       |                   |
   Online Attack     |                            |                           |                                       |                   |

4. Regarding password strength.
   a. [ 5 / 3 / 0 ] Make up a strong password. DO NOT enter a password you otherwise use.
   b. [ 5 / 3 / 0 ] What properties should a strong password have?

5. [ 10 / 8 / 5 / 0 ] Match the description on the right to the protective measure or attack type on the left.

   Answer | Measure / Attack
   ______ | Throttling
   ______ | Brute Force
   ______ | Offline Attack
   ______ | Password Stretching
   ______ | Password Expiration
   ______ | Key Logger
   ______ | Two-Factor Authentication
   ______ | Online Attack
   ______ | Hashing & Salting

   Descriptions:
   A. Server stores the 10,000th hash of a password.
   B. Server is slower to respond to incorrect password entries.
   C. Authenticate a user by more than just a password.
   D. Used to mitigate a Rainbow Table attack.
   E. Attacker is using password-cracking tools against a stolen password file.
   F. A script is entering username and password information, trying all possible passwords of length n.
   G. User-entered data is captured from the user's local system and sent to the attacker.
   H. Attacker continues to guess passwords until one works.
   I. Change password every 90 days so that the attacker has only a limited time to crack and use a password.

6. Suppose Mal is a bad guy with an account at bigbuystores.com, which hashes passwords but does not use salt. Mal steals the password file from bigbuystores.com and starts looking through it. Mal's username is cypher, and he notices that the hash value for user penelope1 is the same as his own hash value.
   a. [ 5 / 3 / 0 ] What does that mean?
   b. [ 5 / 3 / 0 ] Why is it a lucky break for Mal, the bad guy?
   c. [ 5 / 3 / 0 ] Why wouldn't this happen if bigbuystores.com used salt?

7. [ 15 / 10 / 5 / 0 ] Explain why, even if a web site used hashing and salting, its users' passwords would still be in danger if the web site used HTTP instead of HTTPS for its login pages. Note: "because HTTP is insecure" is insufficient; specifically explain the insecurity.
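An added illustration of the hashing, salting and stretching behaviour behind questions 5 and 6 (example code written for this page, not part of the original homework; the usernames, passwords and salts below are constructed, and the 10,000-round stretching mirrors description A):

```python
import hashlib
from collections import defaultdict

def hash_unsalted(password: str) -> str:
    # Stores H(password) only: two users with the same password get the same hash,
    # which is exactly what Mal spots in the stolen bigbuystores.com file.
    return hashlib.sha256(password.encode()).hexdigest()

def hash_salted(password: str, salt: bytes) -> str:
    # Stores H(salt || password) next to the per-user salt: equal passwords now
    # yield different hashes, and one precomputed (rainbow) table no longer fits every user.
    return hashlib.sha256(salt + password.encode()).hexdigest()

def stretch(password: str, salt: bytes, rounds: int = 10_000) -> str:
    # Password stretching: keep only the 10,000th hash, so each guess costs
    # 10,000 hash computations instead of one.
    digest = salt + password.encode()
    for _ in range(rounds):
        digest = hashlib.sha256(digest).digest()
    return digest.hex()

def verify(password: str, salt: bytes, stored: str, rounds: int = 10_000) -> bool:
    # The server pays the same stretching cost once per login attempt.
    return stretch(password, salt, rounds) == stored

def colliding_users(table: dict) -> list:
    # Groups of usernames whose stored values are identical (what Mal noticed).
    groups = defaultdict(list)
    for user, value in table.items():
        groups[value].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample password file: cypher (Mal) and penelope1 chose the same password.
ACCOUNTS = {"cypher": "Corr3ct-Horse", "penelope1": "Corr3ct-Horse", "alice": "Other-Pass-42"}
# Constructed per-user salts; a real server would draw them from os.urandom(16).
SALTS = {"cypher": b"salt-cypher-0001", "penelope1": b"salt-penelope-01", "alice": b"salt-alice-00001"}

def build_tables():
    # Three versions of the same password file: unsalted, salted, and salted + stretched.
    unsalted = {u: hash_unsalted(p) for u, p in ACCOUNTS.items()}
    salted = {u: hash_salted(p, SALTS[u]) for u, p in ACCOUNTS.items()}
    stretched = {u: stretch(p, SALTS[u]) for u, p in ACCOUNTS.items()}
    return unsalted, salted, stretched

if __name__ == "__main__":
    unsalted, salted, stretched = build_tables()
    print("unsalted collisions:", colliding_users(unsalted))  # [['cypher', 'penelope1']]
    print("salted collisions:  ", colliding_users(salted))    # []
    print("login ok:", verify("Corr3ct-Horse", SALTS["cypher"], stretched["cypher"]))  # True
```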