04-03-2013, 04:00 PM
Authentication: Overview
Authentication.ppt (Size: 1.68 MB / Downloads: 30)
What is authentication?
Positive verification of identity (man or machine)
Verification of a person’s claimed identity
Who are you? Prove it.
3 Categories (authentication factors):
What you know (e.g. a password or PIN)
What you have (e.g. a token or smart card)
What you are (e.g. a fingerprint or other biometric)
Password authentication
Basic idea
User has a secret password
System checks password to authenticate user
Issues
How is password stored?
How does system check password?
How easy is it to guess a password?
Difficult to keep the password file secret, so the stored form should make passwords hard to recover even if the attacker has the file (store a salted, deliberately slow hash rather than the password itself)
Passwords
Probably oldest authentication mechanism used in computer systems
User enters user ID and password, maybe multiple attempts in case of error
Usability problems
Forgotten passwords might not be recoverable (though this has been changing recently, see later)
Entering passwords is inconvenient
If password is disclosed to unauthorized individual, the individual can immediately access protected resource
Unless we use multi-factor authentication
If password is shared among many people, password updates become difficult
Password Guessing Attacks
Brute-force: Try all possible passwords using exhaustive search
It’s possible to test 350,000 Microsoft Word passwords per second on a 3-GHz Pentium 4 (the figure from the original slides; GPU-based crackers today are orders of magnitude faster)
Easy to buy more hardware if payoff is worth it
Can make attack harder by including digits and special characters in password: the search space is alphabet size raised to the password length, so length increases it faster than a larger alphabet does
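The exhaustive search described above, as an added example that is not part of the original slides. The target is an unsalted SHA-256 digest of a constructed short password standing in for a leaked hash; the 350,000 guesses/s rate is the slide's figure, reused only to turn keyspace sizes into worst-case time estimates. Function and constant names are my own.

```python
import hashlib
import itertools
import string

# Added example: brute-force password guessing against a fast, unsalted hash.
# GUESSES_PER_SECOND is the slide's figure for a 3-GHz Pentium 4; modern
# hardware is far faster, so treat the time estimates as upper bounds.
GUESSES_PER_SECOND = 350_000

LOWER = string.ascii_lowercase                                           # 26 symbols
LOWER_DIGITS = LOWER + string.digits                                     # 36 symbols
ALL_PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates of exactly `length` symbols over an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size: int, length: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Time to try every candidate of the given length at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate


def fast_hash(password: str) -> str:
    """An unsalted, fast hash: the kind of stored value that makes guessing cheap."""
    return hashlib.sha256(password.encode()).hexdigest()


def brute_force(target_hex: str, alphabet: str, max_length: int):
    """Exhaustive search over every string of 1..max_length symbols from `alphabet`.

    Returns (password, attempts) when the hash matches, (None, attempts) otherwise.
    Candidates are generated in lexicographic order, shortest first.
    """
    attempts = 0
    for length in range(1, max_length + 1):
        for combo in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(combo)
            if fast_hash(candidate) == target_hex:
                return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed "leaked" hash of a 4-letter lowercase password: recovered in about a second.
    leaked = fast_hash("pass")
    found, tries = brute_force(leaked, LOWER, 4)
    print(f"recovered {found!r} after {tries} guesses")

    # How the search grows with alphabet size and, much faster, with length.
    for name, size in (("lowercase", 26), ("lowercase+digits", 36), ("all printable", 94)):
        for n in (6, 8, 12):
            days = worst_case_seconds(size, n) / 86400
            print(f"{name:17s} length {n:2d}: {keyspace(size, n):.3e} candidates, "
                  f"{days:14.1f} days worst case")
```

Running the table shows the point the slide makes and the one it understates: going from 26 to 94 symbols at length 8 multiplies the work by about 30,000, while going from length 8 to length 12 over lowercase alone multiplies it by about 450,000. Either way the defence on the storage side (a slow, salted hash) lowers the achievable guess rate, which is the other lever an attacker cannot buy around as cheaply.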
Password Hygiene
Writing down passwords is more secure than storing many passwords on a networked computer or re-using same password across multiple sites
Unreasonable to expect users to remember long passwords, especially when changed often
Requires physical security for password sheet, don’t use sticky notes
Change passwords regularly
Especially if shorter than eight characters (note: current guidance such as NIST SP 800-63B recommends against forced periodic changes and instead requires a change when there is evidence of compromise)
Attacks on Password Files
Website/computer needs to store information about a password in order to validate entered password
Storing passwords in plaintext is dangerous, even when file is read protected from regular users
Password file might end up on backup tapes
Intruder into OS might get access to password file
System administrator has access to file and might use passwords to impersonate users at other sites
Many people re-use passwords across multiple sites
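The storage and checking questions raised in the password authentication and password file sections, as an added example that is not part of the original slides. It contrasts the plaintext file the slides warn about with a salted, deliberately slow hash (PBKDF2-HMAC-SHA256 from the standard library), so that a copy of the file on a backup tape, in an intruder's hands or in front of the administrator does not hand over passwords that users may also be using at other sites. The record format and function names are my own.

```python
import hashlib
import hmac
import os

# Added example: password storage and verification.
# Record format (constructed for this example): "pbkdf2_sha256$<iterations>$<salt-hex>$<hash-hex>".
ITERATIONS = 600_000   # work factor: tune so one verification costs tens of milliseconds
SALT_BYTES = 16        # a per-user random salt makes identical passwords produce different records


def store_plaintext(password: str) -> str:
    """The dangerous scheme: anyone who can read the file reads every password."""
    return password


def store_hashed(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a salted, slow hash and pack it with its parameters for later verification."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(record: str, attempt: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time.

    Any malformed or unrecognised record is treated as a failed login rather than an error.
    """
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                        bytes.fromhex(salt_hex), int(iters))
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    # hmac.compare_digest avoids leaking, through timing, how many bytes matched.
    return hmac.compare_digest(candidate, expected)


def passwords_readable_from_file(password_file: dict) -> list:
    """What an attacker holding a copy of the file learns directly, without guessing.

    Plaintext records are the password itself; hashed records reveal nothing by inspection.
    """
    return [user for user, rec in password_file.items() if not rec.startswith("pbkdf2_sha256$")]


if __name__ == "__main__":
    # Constructed users; the same password is deliberately reused by two of them.
    plaintext_file = {"alice": store_plaintext("Tr0ub4dor&3"), "bob": store_plaintext("Tr0ub4dor&3")}
    hashed_file = {"alice": store_hashed("Tr0ub4dor&3"), "bob": store_hashed("Tr0ub4dor&3")}

    print("plaintext file leaks:", passwords_readable_from_file(plaintext_file))  # ['alice', 'bob']
    print("hashed file leaks:   ", passwords_readable_from_file(hashed_file))     # []
    print("same password, different records:", hashed_file["alice"] != hashed_file["bob"])
    print("alice logs in:", verify(hashed_file["alice"], "Tr0ub4dor&3"))
    print("wrong password:", verify(hashed_file["alice"], "Tr0ub4dor&4"))
```

Storing the iteration count inside each record is what lets the work factor be raised later: new and re-hashed records carry the new count while old ones keep verifying until the user next logs in and can be upgraded. The salt alone does not stop a dedicated attacker from guessing one user's password; it stops one guessing run from being checked against every user at once, and removes the shortcut of precomputed tables.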