Chapter 12 – Authentication – Flashcards
question
Common word as a password (e.g., princess); short password (e.g., desk); predictable sequence of characters (e.g., abc123); personal information (e.g., Hannah)
answer
Weak password (a password that uses any of these)
question
Method used by most password attacks today
answer
Offline cracking
question
With offline cracking, attackers steal the file of password digests (hashes, not plaintext), load it onto their own computers, and attempt to discover the passwords by comparing the stolen digests with digests they compute themselves from candidate passwords; because nothing touches the victim's login system, there is no rate limit or lockout to slow them down
answer
Offline cracking
question
Every possible combination of letters, numbers, and special characters is used to create candidate digests, which are then matched against those in the stolen digest file
answer
Passwords - Attacks on Passwords - Brute force attack
question
Attacker creates digests of common dictionary words and uses them as candidates
answer
Passwords - Attacks on Passwords - Dictionary attack
question
Dictionary attack that takes a set of dictionary words and compares their digests with the stolen digests; each comparison is of one known digest (of a dictionary word) against one unknown digest (a stolen digest), i.e. a search for the input that produced a specific digest
answer
Passwords - Attacks on Passwords - Pre-image attack
question
Search is for any two digests that are identical (a collision), rather than for the input behind one specific digest
answer
Passwords - Attacks on Passwords - Birthday attack
question
Variation of a dictionary attack that combines the dictionary attack with a brute force attack. Dictionary words are slightly altered by:
- adding numbers to the end of the password
- spelling words backward
- slightly misspelling words
- including special characters (@, $, !, or %)
answer
Passwords - Attacks on Passwords - Hybrid attack
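The three candidate-generation strategies above (dictionary, hybrid, brute force) run against a stolen digest file, as an added worked example that is not part of the flashcard set. The "stolen" digests, the wordlist and the mutation rules are all constructed inline; the digests are unsalted SHA-1, standing in for whatever fast hash leaked.

```python
"""Offline cracking of a stolen, unsalted digest file.

Added example, not from the flashcards.  The "stolen" digests, the
wordlist and the mutation rules are all constructed here so the three
attacks (dictionary, hybrid, brute force) can be run offline.
"""
import hashlib
import itertools
from typing import Dict, Iterable, Iterator, List


def sha1_hex(candidate: str) -> str:
    """Unsalted SHA-1, standing in for whatever fast hash leaked."""
    return hashlib.sha1(candidate.encode("utf-8")).hexdigest()


# Constructed data: a tiny wordlist and a user -> digest "stolen file".
WORDLIST: List[str] = ["princess", "password", "dragon", "summer", "letmein"]
STOLEN_DIGESTS: Dict[str, str] = {
    "alice": sha1_hex("princess"),     # plain dictionary word
    "bob":   sha1_hex("Summer2023!"),  # capitalised word + digits + symbol
    "carol": sha1_hex("nogard"),       # dictionary word spelled backward
    "dave":  sha1_hex("ab12"),         # short; falls to brute force
}


def dictionary_candidates(words: Iterable[str]) -> Iterator[str]:
    """Dictionary attack: the words themselves."""
    yield from words


def hybrid_candidates(words: Iterable[str]) -> Iterator[str]:
    """Hybrid attack: dictionary words slightly altered (capitalised,
    reversed, digits or special characters appended, leet misspellings)."""
    for word in words:
        for base in (word, word.capitalize(), word[::-1]):
            yield base
            for suffix in ("1", "123", "2023", "!", "@", "$", "2023!"):
                yield base + suffix
            yield base.replace("a", "@").replace("s", "$")


def brute_force_candidates(charset: str, max_len: int) -> Iterator[str]:
    """Brute force: every string over `charset` up to `max_len` characters."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo)


def crack(stolen: Dict[str, str], candidates: Iterable[str]) -> Dict[str, str]:
    """Hash each candidate once and look it up against every stolen digest.

    With unsalted hashes one candidate digest is checked against all
    users in a single dict lookup; that is what makes offline cracking
    of a large digest file so cheap for the attacker.
    """
    users_by_digest: Dict[str, List[str]] = {}
    for user, digest in stolen.items():
        users_by_digest.setdefault(digest, []).append(user)
    found: Dict[str, str] = {}
    for candidate in candidates:
        for user in users_by_digest.get(sha1_hex(candidate), []):
            found[user] = candidate
        if len(found) == len(stolen):
            break
    return found


def run_all_attacks(stolen: Dict[str, str] = STOLEN_DIGESTS) -> Dict[str, str]:
    """Cheapest attack first; only still-uncracked users go to the next one."""
    found: Dict[str, str] = {}
    attacks = (
        dictionary_candidates(WORDLIST),
        hybrid_candidates(WORDLIST),
        brute_force_candidates("abcdefghijklmnopqrstuvwxyz0123456789", 4),
    )
    for candidates in attacks:
        remaining = {u: d for u, d in stolen.items() if u not in found}
        if not remaining:
            break
        found.update(crack(remaining, candidates))
    return found


if __name__ == "__main__":
    for user, password in run_all_attacks().items():
        print(f"{user}: {password}")
```

The dictionary pass recovers only alice; the hybrid pass recovers bob and carol from mutations of "summer" and "dragon"; the brute-force pass finds dave's four-character password after a few thousand hashes. Note how `crack` builds a digest-to-users map once, so every candidate is tested against all users for the price of one hash.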
question
Creating a large pregenerated data set of candidate digests. Generating a rainbow table requires a significant amount of time, but it is done once, ahead of time, and reused against any stolen digest file that uses the same (unsalted) hash
answer
Passwords - Attacks on Passwords - Rainbow tables
question
______ are much faster than dictionary attacks, and the amount of memory needed on the attacking machine is greatly reduced (only the start and end of each chain of candidates is stored, not every precomputed digest)
answer
Rainbow tables
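The time-memory trade-off that the rainbow-table cards describe, on a toy password space, as an added worked example that is not part of the flashcard set. The space is the 10,000 four-digit PINs hashed with unsalted SHA-1; the chain length, number of chains and the reduction function are arbitrary choices for the demonstration. The table stores only chain endpoints, and a stolen digest is cracked by walking it forward to an endpoint and regenerating that one chain.

```python
"""Rainbow table on a toy password space (4-digit PINs, unsalted SHA-1).

Added example, not from the flashcards.  Chain length, chain count and
the reduction function are demonstration choices, not from any tool.
"""
import hashlib
from typing import Dict, Optional

N = 10_000          # size of the password space ("0000" .. "9999")
CHAIN_LEN = 20      # hashes per chain (t)
NUM_CHAINS = 1_000  # start points (m); the table holds at most m entries


def H(pin: str) -> str:
    """The unsalted password hash the table is built against."""
    return hashlib.sha1(pin.encode("utf-8")).hexdigest()


def R(column: int, digest: str) -> str:
    """Reduction function: map a digest back into the PIN space.
    Rainbow tables use a different reduction per column to limit chain merges."""
    return f"{(int(digest[:8], 16) + column) % N:04d}"


def build_table() -> Dict[str, str]:
    """Return {endpoint: startpoint}.

    The chains pass through about m*t candidate PINs, but only m
    (endpoint, start) pairs are kept: that is the memory saving."""
    table: Dict[str, str] = {}
    for k in range(NUM_CHAINS):
        start = f"{(k * (N // NUM_CHAINS)) % N:04d}"
        x = start
        for col in range(CHAIN_LEN):
            x = R(col, H(x))
        table.setdefault(x, start)  # chains that merged collapse to one entry
    return table


def lookup(table: Dict[str, str], digest: str) -> Optional[str]:
    """Crack one stolen digest with the precomputed table, or return None."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        # Suppose the password sat at `col`: finish that chain to its endpoint.
        x = R(col, digest)
        for j in range(col + 1, CHAIN_LEN):
            x = R(j, H(x))
        start = table.get(x)
        if start is None:
            continue
        # Candidate chain found: regenerate it and look for the digest.
        x = start
        for j in range(CHAIN_LEN):
            if H(x) == digest:
                return x
            x = R(j, H(x))
        # False alarm (another chain ends at the same point): keep searching.
    return None


def coverage(table: Dict[str, str], step: int = 50) -> float:
    """Fraction of a regular sample of the PIN space that the table cracks."""
    sample = [f"{p:04d}" for p in range(0, N, step)]
    hits = sum(1 for p in sample if lookup(table, H(p)) == p)
    return hits / len(sample)


if __name__ == "__main__":
    tbl = build_table()
    print(f"{len(tbl)} table entries for a space of {N} PINs")
    print(f"sampled coverage: {coverage(tbl):.0%}")
    print("sha1('4711') cracks to:", lookup(tbl, H("4711")))
```

Coverage is well under 100 percent because chains collide and merge, which is why real tables use several independent tables and long chains; the trade-off is that each lookup costs on the order of t²/2 hash operations instead of one table probe. Adding a per-user salt (see the Salts card) makes the precomputation useless, since the table would have to be rebuilt for every salt value.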
question
Stolen passwords posted on the Internet provide key elements for password attacks:
- password collections give attackers insight into how users think when they create passwords
- a large corpus of real-world passwords is available; because users repeat passwords across multiple accounts, attackers use these passwords directly as candidate passwords in their attacks
answer
Passwords - Attacks on Passwords - Password collections
question
Do not repeat characters (xxx) or use sequences (abc, 123, qwerty). Do not use short passwords; a strong password should be a minimum of 15 characters in length
answer
Passwords | Password Defenses (Complexity)
question
Programs in which a user can create and store multiple strong passwords in a single vault file protected by one strong master password. The user retrieves individual passwords as needed by opening the vault, which frees the user from the need to memorize multiple passwords (and so from reusing one password across sites)
answer
Password management applications
question
Instead of encrypting the password with another key, the password itself is the key: it is uppercased, split into two 7-character halves, and each half is used as a DES key to encrypt a fixed value. The LM hash is considered a very weak function (case is lost and each half can be cracked independently)
answer
Password Defenses (Hashing) - Microsoft Windows operating systems hash passwords - LAN Manager (LM) hash
question
More secure Windows password hash algorithm than LM, although it is still a fast, unsalted hash and therefore vulnerable to offline cracking
answer
Password Defenses (Hashing) -Microsoft Windows operating systems hash passwords - New Technology LAN Manager (NTLM) hash
question
Specialized password hash algorithms intentionally designed to be slower, to limit an attacker's ability to crack passwords because significantly more time is required to create each candidate digest
answer
Password Defenses (Hashing) - Key stretching
question
Two popular key-stretching password hash algorithms are
answer
bcrypt and PBKDF2
question
Random string used in password hash algorithms. Passwords are protected by adding a random string (different for each user) to the user's cleartext password before it is hashed, so identical passwords produce different digests and precomputed tables cannot be reused across users
answer
Passwords | Password Defenses (Salts)
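The key-stretching and salt cards above combined into one password-storage routine, as an added worked example that is not part of the flashcard set. It uses PBKDF2-HMAC-SHA256 from the Python standard library (one of the two algorithms named on the cards); the record format "pbkdf2_sha256$<iterations>$<salt>$<digest>" and the default iteration count are choices made for this demonstration, not a standard.

```python
"""Salted, key-stretched password storage with PBKDF2.

Added example, not from the flashcards.  The record format and the
default iteration count are demonstration choices.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

DEFAULT_ITERATIONS = 200_000  # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16


def unsalted_digest(password: str) -> str:
    """The weak way: a fast, unsalted hash.  Two users with the same
    password get the same digest, so one precomputed table cracks both."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, *, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm, cost, salt and digest."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=32)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    try:
        algorithm, iterations_str, salt_b64, digest_b64 = record.split("$")
        iterations = int(iterations_str)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:          # malformed record (binascii.Error is a ValueError)
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, min_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a stored record was made with a lower cost than now required;
    rehash it with the plaintext at the user's next successful login."""
    try:
        algorithm, iterations_str, _salt, _digest = record.split("$")
        iterations = int(iterations_str)
    except ValueError:
        return True
    return algorithm != "pbkdf2_sha256" or iterations < min_iterations


if __name__ == "__main__":
    rec = hash_password("princess")
    print(rec)
    print(verify_password("princess", rec), verify_password("Princess", rec))
```

Hashing the same password twice yields two different records because of the salt, while `unsalted_digest` yields the same value every time; `verify_password` reads the salt and cost back out of the record, so the work factor can be raised later without breaking existing users, and `needs_rehash` flags the old records for upgrading at login.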
question
Tokens, cards, cell phones
answer
Common items used for ("what you have") authentication
question
Typically a small device (usually one that can be affixed to a keychain) with a window display
answer
What You Have | Tokens
question
Authentication code that can be used only once or for a limited period of time
answer
Tokens | One-time password (OTP)
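What a token or phone app actually computes when it shows a one-time password, as an added worked example that is not part of the flashcard set: HOTP (RFC 4226) and its time-based variant TOTP (RFC 6238), built from the Python standard library. The values in the comments are the test vectors published in those RFCs for the secret "12345678901234567890"; the replay-rejecting validator is this example's own design, showing how the server enforces "used only once".

```python
"""One-time passwords as produced by a hardware token or phone app.

Added example, not from the flashcards.  HOTP (RFC 4226) and TOTP
(RFC 6238) from the standard library; expected values in the comments
are the RFC test vectors for RFC_TEST_SECRET.  OtpValidator is this
example's own design.
"""
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # hotp(RFC_TEST_SECRET, 0) -> "755224"


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter derived from Unix time (30 s steps)."""
    return hotp(secret, at // step, digits)  # totp(RFC_TEST_SECRET, 59, digits=8) -> "94287082"


class OtpValidator:
    """Server side.  Tolerates `window` time steps of clock drift either
    way and never accepts the same time step twice, which is what makes
    a code usable only once even inside its validity period."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_step = -1  # highest time step already consumed

    def check(self, code: str, at: int) -> bool:
        now_step = at // self.step
        for drift in range(-self.window, self.window + 1):
            candidate_step = now_step + drift
            if candidate_step <= self.last_step:
                continue  # already used (replay), or older than a code already used
            expected = hotp(self.secret, candidate_step, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_step = candidate_step
                return True
        return False


if __name__ == "__main__":
    print("current TOTP for the RFC test secret:", totp(RFC_TEST_SECRET, int(time.time())))
```

Both sides hold the same secret; the token only needs a clock (TOTP) or a counter (HOTP), so no network is involved in generating the code. Accepting one step either side of the server's clock is a usual compromise between tolerating drift and keeping the validity period short.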
question
Picture gesture authentication (PGA) for touch-enabled devices; identifying specific faces; recalling a memorable event
answer
Cognitive biometrics Examples
question
Authentication based on actions that the user is uniquely qualified to perform
answer
Behavioral Biometrics
question
Attempts to recognize a user's typing rhythm; provides up to 98 percent accuracy
answer
Behavioral Biometrics - Keystroke Dynamics
question
If a computer in China attempts to access a user's bank website, this may be an indication that an attacker
answer
Geolocation
question
A(n) _______is a secret combination of letters, numbers, and/or characters that only the user should know.
answer
password
question
A(n) _____ is typically a small device (usually one that can be affixed to a keychain) with a window display.
answer
token
question
Authentication that interprets a user's physical whereabouts is known as ______________
answer
Geolocation
question
Using a single authentication credential shared across multiple networks
answer
Identity Management
question
When the networks are owned by different organizations
answer
Federated Identity Management (FIM)
question
One application of FIM: using one authentication credential to access multiple accounts or applications, e.g.
answer
Single sign-on (SSO)
question
Introduced in 1999 as .NET Passport, then name changed to Microsoft Passport Network, then Windows Live ID, now ____________
answer
Single Sign-On | Microsoft Account
question
Decentralized, open FIM standard. Does not require specific software to be installed on the desktop. URL-based identity system. One weakness is that it depends on the URL identifier routing to the correct server, which in turn depends on the Domain Name System (DNS), which has its own security weaknesses
answer
Single Sign-On | OpenID
question
Permits users to share resources stored on one site with a second site without forwarding their authentication credentials:
- allows seamless data sharing among sites
- relies on token credentials, replacing the need to transfer the user's username and password
- tokens are issued for specific resources on a site for a limited time period
answer
Single Sign-On | Open Authorization (OAuth)
question
_________ is a decentralized, open Federated Identity Management (FIM) standard that does not require specific software to be installed on the desktop.
answer
OpenID
question
Open Authorization (OAuth) is an open standard that lets a user grant one site access to resources held on another site using _________ credentials (it authorizes access rather than authenticating the user)
answer
token
question
The Active Directory Domain Services policy that can block a login after a specified number of failed logins within a specified observation window is named _____
answer
Account Lockout Policy
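The three settings such a lockout policy has (lockout threshold, the observation window after which the failure counter resets, and lockout duration) modelled as a small in-memory check, as an added worked example that is not part of the flashcard set and not Active Directory code. The timestamps are Unix seconds passed in by the caller so the behaviour is deterministic; the default values are demonstration choices.

```python
"""Account lockout: block logins after N failures within an observation window.

Added example, not from the flashcards and not Active Directory code.
Times are seconds supplied by the caller; defaults are demonstration values.
"""
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class _State:
    failures: int = 0          # failed attempts inside the current window
    last_failure: float = 0.0  # time of the most recent failure
    locked_until: float = 0.0  # 0 when not locked


@dataclass
class AccountLockout:
    threshold: int = 5                 # failed attempts before lockout
    observation_window: float = 600.0  # seconds of quiet after which the counter resets
    lockout_duration: float = 900.0    # seconds the account stays locked
    _accounts: Dict[str, _State] = field(default_factory=dict)

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Return 'allowed', 'denied' (wrong password) or 'locked'.

        A correct password is still rejected while the lock is in force,
        which is what stops an online guessing attack from continuing."""
        st = self._accounts.setdefault(user, _State())
        if now < st.locked_until:
            return "locked"
        if password_ok:
            st.failures = 0
            return "allowed"
        # Failure: if the previous failure is outside the window, start counting afresh.
        if now - st.last_failure > self.observation_window:
            st.failures = 0
        st.failures += 1
        st.last_failure = now
        if st.failures >= self.threshold:
            st.locked_until = now + self.lockout_duration
            st.failures = 0
            return "locked"
        return "denied"


if __name__ == "__main__":
    policy = AccountLockout(threshold=3, observation_window=60, lockout_duration=300)
    for t, ok in ((0, False), (10, False), (20, False), (30, True), (330, True)):
        print(t, policy.attempt("alice", ok, t))
```

The caveat a practitioner should keep in mind: because the lock is keyed on the username, anyone who can reach the login page can lock a known user out by submitting wrong passwords, so the policy trades resistance to online guessing for a denial-of-service risk, and it does nothing against the offline cracking described earlier in this set, where the attacker never touches the login system.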