Passwords – what are they for?

Identification and authentication – Systems need to uniquely identify each user and prevent impersonation.

Risks and solutions

• Password sent in plain text
  • Passwords sent over SSL are encypted.
• Password stored in plain text
  • Hashed version of the password stored in database. Hashing is a one-way process, it cannot be reversed to discover true password.

Attacking passwords

Methods

• Dictionary attack – uses numerous sources as dictionaries (atlases, reference manuals etc.) to match plain text passwords but also hashes dictionary values to attempt to match hashed passwords.
• Brute force attack – tries sequence of characters systematically. Very slow.

Prevention

• Monitor unsuccessful login attempts and lock account after specified number.

Salting

Adding a random value (salt) to plaintext password before hashing.
Hashed password and salt stored on password server.
Random salts for each password required to make process effective.
Advisable to use salt the same size as hashed output, e.g. 256-bit hash should use 256-bit salt.

How to pick a proper password

• Make passwords hard to guess
• Go as long and as complex as you can
• Consider using a password manager
  • KeePass
  • 1Password – https://agilebits.com/onepassword
  • LastPass – https://lastpass.com/
• One account, one password

Password strength checker – https://www2.open.ac.uk/openlearn/password_check/index.html

Password manager

• Available for your OS
  
• Manage passwords on multiple computers
  
• Synchronise across multiple computers
  
• Good reputation
  

Two-factor authentication

• Chip and pin for card payment or cash withdrawals
  
• Bank card and card reader for online access
  
• Password and verification code sent via sms – e.g. Google website, Facebook