SI110 Spring AY13                                        Alpha: ___________
Homework: /SI110/Models and Tools/Hashing & Digital Cryptography
Name: ________________________________                     Page 1 of 2

Choose one (or more):
  □ Received no help
  □ Received help from: ________________________________________
  □ Collaborated with: _________________________________________

1. Suppose I have a secret string S, and all you have is a scrambled Rubik's Cube that is the hash of S, i.e., all you know is what the hashed cube looks like. Explain what you would have to do in order to find any string that hashes to the same value as S.   (10 / 8 / 6 / 0)

2. Contrast the security of storing hashes-of-passwords on a system vs. storing just the passwords themselves.   (10 / 8 / 6 / 0)

3. Check each box below for which the protective measure labeling the column helps protect against the attack type that labels the row. Note: read about online/offline attacks, password stretching, throttling, etc. in the notes before you answer this!   (30 / 24 / 18 / 0)

                 | salting   | throttling | password   | two-factor     | choosing a
                 | & hashing | & lock-out | stretching | authentication | "strong" password
   --------------+-----------+------------+------------+----------------+------------------
   an online     |           |            |            |                |
   attack        |           |            |            |                |
   --------------+-----------+------------+------------+----------------+------------------
   an offline    |           |            |            |                |
   attack        |           |            |            |                |
   --------------+-----------+------------+------------+----------------+------------------
   an attacker   |           |            |            |                |
   who has       |           |            |            |                |
   successfully  |           |            |            |                |
   installed a   |           |            |            |                |
   keylogger     |           |            |            |                |
   --------------+-----------+------------+------------+----------------+------------------
   an attacker   |           |            |            |                |
   who has kid-  |           |            |            |                |
   napped you &  |           |            |            |                |
   is threaten-  |           |            |            |                |
   ing you with  |           |            |            |                |
   torture       |           |            |            |                |
   --------------+-----------+------------+------------+----------------+------------------

4. From the in-class password activity: What things should any responsible website do to protect the passwords (and thus the identities) of its users?   (10 / 8 / 6 / 0)

5. Make up a strong password.   (10 / 8 / 6 / 0)
   password: ________________________________
   What properties should a good password have?

SI110 Spring AY13                                        Alpha: ___________
Name: ________________________________                     Page 2 of 2

6. Suppose I'm a bad guy with an account at amazen.com, which hashes passwords, but does not use salt. I steal the password file from amazen.com and start looking through it. I notice that the hash for user honeybadger is the same as mine.
   a. What does that mean and why is it a lucky break for me, the bad guy?   (10 / 8 / 6 / 0)
   b. Does honeybadger care?
   c. Why wouldn't this happen if amazen.com used "salt"?   (10 / 8 / 6 / 0)

7. Explain why it is that, even if a website uses hashing & salting, its users' passwords would still be in danger if it used http instead of https for the login pages. Note: the answer "because https is insecure" isn't sufficient. You must explain specifically what's insecure in this particular case.   (10 / 8 / 6 / 0)
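The following Python script is an added illustration of the question 6 scenario, not part of the worksheet: it builds a small password file the unsalted way (bare SHA-256) and the salted-and-stretched way (PBKDF2-HMAC-SHA256), then looks for users whose stored values are identical. The account names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts (not real data): two users chose the same password.
USERS = {"badguy": "hunter2", "honeybadger": "hunter2", "alice": "correct horse battery"}

def unsalted_hash(password: str) -> str:
    """The weak scheme from question 6: bare SHA-256 of the password, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_stretched_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Per-user random salt plus stretching (PBKDF2-HMAC-SHA256).
    The stored record keeps everything needed to re-check a login: iterations$salt$digest."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"

def verify(record: str, password: str) -> bool:
    """Re-derive the digest from the stored salt and iteration count; constant-time compare."""
    iterations, salt_hex, digest_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), digest_hex)

def build_unsalted_file(users: dict) -> dict:
    return {name: unsalted_hash(pw) for name, pw in users.items()}

def build_salted_file(users: dict) -> dict:
    # 16 random bytes per user; a salt need not be secret, only unique per account.
    return {name: salted_stretched_hash(pw, os.urandom(16)) for name, pw in users.items()}

def duplicate_groups(password_file: dict) -> list:
    """Groups of usernames whose stored digests are identical (what the thief notices).
    For salted records only the digest field is compared."""
    groups = defaultdict(list)
    for name, record in password_file.items():
        groups[record.split("$")[-1]].append(name)
    return sorted(g for g in groups.values() if len(g) > 1)

if __name__ == "__main__":
    print("unsalted duplicates:", duplicate_groups(build_unsalted_file(USERS)))
    print("salted duplicates:  ", duplicate_groups(build_salted_file(USERS)))
```

With no salt, badguy and honeybadger show up as a duplicate pair; with per-user salt the same two passwords produce unrelated records, and the iteration count makes each guess in an offline attack correspondingly more expensive.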