Context:
How does the Operating System (OS) identify its users:
- Username and password.
- Part of Computer Security
Password Attacks:
  - Man In The Middle: Eve sits between me and the server as I try to authenticate, and captures whatever I send.
    - Defence: Encryption using TLS.
  - Social Engineering: Clicking on a link and submitting your credentials somewhere they're not meant to go (phishing).
    - Defences:
      - Make it difficult for phish to reach users.
      - Make it easy to detect and report phish.
      - Protect against phish if they do get through.
      - Respond quickly to threats.
      - Also just use a password manager (it won't autofill your credentials on a look-alike domain).
  - Malware: I shouldn't need to explain what it is. But if you've got it, then they might have key-logger software capturing everything you type, passwords included.
    - Defence: 2FA (a logged password on its own is no longer enough to log in).
  - Brute Force Guessing Attack: Guess everything.
    - Defence: Rate limit them.
  - Dictionary Attack: Take common words / passwords and brute force over millions of likely candidates instead of every possible string.
    - Defence: Also rate limit, but also choose pass-phrases. Include CAPTCHAs (where possible) to prevent bots from guessing.
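The rate-limiting defence against brute-force and dictionary guessing, as an added example (not part of the original notes): a sliding-window limiter that allows at most five failed logins per (client address, account) key within sixty seconds and rejects further attempts before the password is even checked. The limiter, `attempt_login`, the `FakeClock` and the constructed `verify` callback are all hypothetical names chosen for this example.

```python
import time
from collections import defaultdict, deque


class LoginRateLimiter:
    """Sliding-window limiter: at most `max_attempts` failures per key per `window` seconds."""

    def __init__(self, max_attempts=5, window=60.0, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.clock = clock                     # injectable so the behaviour can be simulated
        self._failures = defaultdict(deque)    # key -> timestamps of recent failed attempts

    def _recent(self, key):
        now = self.clock()
        q = self._failures[key]
        while q and now - q[0] >= self.window:  # forget failures that fell out of the window
            q.popleft()
        return q

    def allowed(self, key):
        return len(self._recent(key)) < self.max_attempts

    def record_failure(self, key):
        self._recent(key).append(self.clock())

    def record_success(self, key):
        self._failures.pop(key, None)          # a real login clears the counter


def attempt_login(limiter, verify, key, username, password):
    """Returns 'rate_limited', 'ok' or 'wrong_password'."""
    if not limiter.allowed(key):
        return "rate_limited"                  # rejected without touching the password check
    if verify(username, password):
        limiter.record_success(key)
        return "ok"
    limiter.record_failure(key)
    return "wrong_password"


class FakeClock:
    """Constructed clock so the simulation below is deterministic."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate():
    clock = FakeClock()
    limiter = LoginRateLimiter(max_attempts=5, window=60.0, clock=clock)
    # Constructed verifier for the demo; a real one compares against a salted, slow hash.
    verify = lambda user, pw: user == "alice" and pw == "correct-horse-battery-staple"
    key = ("203.0.113.7", "alice")            # limit per (client address, account) pair
    guesses = ["password", "123456", "qwerty", "letmein", "alice1",
               "dragon", "correct-horse-battery-staple"]
    results = []
    for g in guesses:
        results.append(attempt_login(limiter, verify, key, "alice", g))
        clock.advance(1.0)
    clock.advance(60.0)                        # window slides past all five failures
    results.append(attempt_login(limiter, verify, key, "alice", "correct-horse-battery-staple"))
    return results


if __name__ == "__main__":
    print(simulate())
```

Keying the limiter on the (address, account) pair rather than the account alone matters: a per-account counter lets anyone lock a victim out by deliberately failing five times, while a per-address counter alone is defeated by spreading guesses across many clients. The seventh guess in the simulation is the correct password and is still rejected, which is exactly the behaviour the limiter is meant to impose on a guessing bot; the legitimate user simply waits for the window to slide.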
  - Offline guessing attacks: If worst comes to worst and your database of passwords gets leaked, what are you gonna do? Imagine you stored them all in plaintext. Then every user you had is now compromised.
    - Don't Encrypt Passwords: If a hacker could steal the passwords, they can likely steal the key as well. Anyone with the key can view every password.
    - Don't Just Hash Passwords: The same password always gives the same hash, so if multiple people share a password it'll be pretty easy to spot the clusters with a frequency analysis and guess the common ones (or look them up in a precomputed table).
    - Salt and Hash Passwords!: Get a password, add a random string (the salt) to it and hash it. Every user has a unique salt, so equal passwords no longer give equal hashes and every guess has to be recomputed per user.
    - Additionally, use a slow hash function, so each guess costs the attacker real time!
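The "don't just hash" versus "salt and hash with a slow function" point, as an added example that is not part of the original notes. It builds a constructed four-user table in which three users share a password, shows that plain SHA-256 exposes the cluster to frequency analysis while per-user salts do not, and stores the salted result with a slow key-derivation function. PBKDF2-HMAC-SHA256 from Python's standard library stands in for "slow hash function" here; the helper names (`naive_hash`, `hash_password`, `verify_password`, `demo`) and the storage string layout are this example's own choices.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # PBKDF2 work factor; raise it as hardware gets faster


def naive_hash(password):
    """Plain SHA-256 with no salt: identical passwords give identical digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def frequency_analysis(records):
    """Count how many users share each stored value (what an attacker does with a leak)."""
    counts = {}
    for stored in records.values():
        counts[stored] = counts.get(stored, 0) + 1
    return counts


def hash_password(password, iterations=ITERATIONS):
    """Salted, slow hash. The salt is random per user and stored next to the digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # One self-describing string: algorithm, work factor, salt and digest.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo(iterations=ITERATIONS):
    # Constructed user table: alice, carol and dave chose the same weak password.
    users = {"alice": "password123", "bob": "hunter2",
             "carol": "password123", "dave": "password123"}
    unsalted = {u: naive_hash(p) for u, p in users.items()}
    salted = {u: hash_password(p, iterations) for u, p in users.items()}
    return {
        # size of the largest cluster of identical stored values
        "unsalted_max_cluster": max(frequency_analysis(unsalted).values()),
        "salted_max_cluster": max(frequency_analysis(salted).values()),
        "alice_verifies": verify_password("password123", salted["alice"]),
        "alice_wrong": verify_password("Password123", salted["alice"]),
    }


if __name__ == "__main__":
    print(demo())
```

With plain hashing the leak shows three users with the same digest, so whoever cracks (or simply looks up) that one value gets three accounts at once; with per-user salts every stored value is distinct and each guess must be recomputed for each user at the full work factor. In production, prefer a memory-hard function such as scrypt or Argon2id over PBKDF2 where a library is available; the storage and verification pattern stays the same.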
Just use MFA and Password Manager!!!