SI110 Homework Alpha: ________ Name: ___________________ Page 1 of 2
Collaboration Policy: Default MIDN Last, F. choose one: □ None □ XS110 □ EI with: (or more) □ MGSP □ Discussed with: ______________________

Homework: /SI110/Cyber Security Tools/Hashing & Passwords

1. [ 15 / 10 / 5 / 0 ] Discuss the difference in security between a web site that stores hashes of users' passwords and a web site that stores users' passwords in plaintext.

2. [ 15 / 10 / 5 / 0 ] What three things should a web site do to protect the passwords of its users?

3. [ 20 / 15 / 10 / 0 ] Put an X in each box where the column's protective measure helps protect against the row's attack type. Note: Read the student notes before you answer.

Attack Type       | Choosing a Strong Password | Two-Factor Authentication | Password Throttling & Account Lockout | Hashing & Salting | Password Stretching
Key Logger        |            [ ]             |            [ ]            |                  [ ]                  |        [ ]        |         [ ]
Physical Torture  |            [ ]             |            [ ]            |                  [ ]                  |        [ ]        |         [ ]
Offline Attack    |            [ ]             |            [ ]            |                  [ ]                  |        [ ]        |         [ ]
Online Attack     |            [ ]             |            [ ]            |                  [ ]                  |        [ ]        |         [ ]

4. Regarding password strength.
   a. [ 5 / 3 / 0 ] Make up a strong password. DO NOT enter a password you otherwise use.
   b. [ 5 / 3 / 0 ] What properties should a strong password have?

5. [ 10 / 8 / 5 / 0 ] Match the description on the right to the protective measure or attack type.

Answer | Measure / Attack            Description
_____  | Throttling                  A. Server stores the 10,000th hash of a password.
_____  | Offline Attack              B. Server is slower to respond to incorrect password entries.
_____  | Password Stretching         C. Authenticate a user by more than just a password.
_____  | Hashing & Salting           D. Used to mitigate a Rainbow Table attack.
_____  | Key Logger                  E. Attacker is using password-cracking tools against a stolen password file.
_____  | Two-Factor Authentication   F. A script is entering username and password information, trying all possible passwords of length n.
_____  | Online Attack               G. User-entered data is captured from the user's local system and sent to the attacker.

6. Suppose Mall is a bad guy with an account at bigbuystores.com, which hashes passwords but does not use salt. Mall steals the password file from bigbuystores.com and starts looking through it. Mall's username is cypher, and he notices that the hash value for user penelope1 is the same as his hash value.
   a. [ 5 / 3 / 0 ] What does that mean?
   b. [ 5 / 3 / 0 ] Why is it a lucky break for Mall, the bad guy?
   c. [ 5 / 3 / 0 ] Why wouldn't this happen if bigbuystores.com used salt?

7. [ 15 / 10 / 5 / 0 ] Explain why, even if a web site used hashing and salting, its users' passwords would still be in danger if the web site used HTTP instead of HTTPS for its login pages. Note: "because HTTP is insecure" is insufficient; specifically explain the insecurity.
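The following is an added illustration of the mechanisms behind questions 5 and 6 (example code written for this page, not part of the assignment): it builds a stolen-file view for an unsalted site, then for a site that salts each entry and stores the 10,000th hash (the stretching that description A refers to). The usernames, passwords, salt length and iteration counts are constructed for the demonstration; real deployments should use PBKDF2, bcrypt or Argon2 rather than hand-rolled iteration.

```python
import hashlib
import secrets

# Constructed sample accounts: two users happen to pick the same password.
USERS = {"cypher": "Winter2024!", "penelope1": "Winter2024!", "alice": "correct horse"}


def unsalted_hash(password: str) -> str:
    """What an unsalted site stores: the same password always gives the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_stretched_hash(password: str, salt: bytes, iterations: int = 10_000) -> str:
    """Salt, then stretch: hash salt+password, then re-hash the result so that the
    stored value is the `iterations`-th hash (10,000 by default, as in description A).
    Hand-rolled iteration is used here only to make the idea visible."""
    digest = hashlib.sha256(salt + password.encode()).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha256(digest).digest()
    return digest.hex()


def build_unsalted_file(users: dict) -> dict:
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def build_salted_file(users: dict, iterations: int = 10_000) -> dict:
    """Each user gets a fresh 16-byte random salt, stored beside the hash."""
    table = {}
    for user, pw in users.items():
        salt = secrets.token_bytes(16)
        table[user] = (salt.hex(), salted_stretched_hash(pw, salt, iterations))
    return table


def duplicate_hashes(table: dict) -> list:
    """Attacker's view of a stolen file: groups of users whose stored hash matches.
    Accepts either file layout (hash string, or (salt, hash) tuple)."""
    seen: dict = {}
    for user, entry in table.items():
        stored = entry if isinstance(entry, str) else entry[1]
        seen.setdefault(stored, []).append(user)
    return [group for group in seen.values() if len(group) > 1]


def verify(table: dict, user: str, password: str, iterations: int = 10_000) -> bool:
    """Server-side login check: recompute with the user's own salt, compare in constant time."""
    salt_hex, stored = table[user]
    candidate = salted_stretched_hash(password, bytes.fromhex(salt_hex), iterations)
    return secrets.compare_digest(candidate, stored)
```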