Student Library

Other Security Topics

5 min read

Password Security

Here are some practices for good password management:

  • Password Complexity
    • Focus on length and randomness.
    • Require a mix of uppercase letters, lowercase letters, numbers, and symbols.
      • While this increases the possible number of passwords, it doesn’t necessarily make it harder to guess if users follow predictable patterns.
  • Password Length
    • The longer the password, the harder it is to crack than a short, “complex” password
  • Password Uniqueness
    • Never reuse passwords for multiple accounts.
      • If one website is compromised, then all your accounts that use the same password will also be at risk.
  • Salting and Hashing
    • Always store salted hashes of passwords using a strong KDF.
  • Password Managers
    • It is a software application that securely stores and manages your passwords.
    • It can:
      • Generate Strong Passwords
      • Store Passwords Securely
      • Autofill Passwords
      • Sync Passwords Across Devices
      • Identify Weak or Reused Passwords
  • Multi-Factor Authentication
    • It adds an extra layer of security beyond just a password. It requires you to provide two or more factors of authentication:
      • Something you know: e.g., your password
      • Something you have: e.g., a security token, a code generated by an app on your phone, a text message/code
      • Something you are: e.g., biometrics

Part 2: Common Attacks

  1. Password-based Attacks
    • Brute-Force Attacks
      • The attacker tries every possible password combination until they find the correct one.
      • Works against very short or simple passwords, but becomes computationally infeasible for longer, more random passwords.
      • Countermeasures: Account lookout, increasing delay.
    • Dictionary Attacks
      • The attacker tries a list of common passwords (most commonly from a dictionary, a list of compromised passwords, or common password patterns).
      • Effective against users who choose weak, easily guessable passwords.
      • Mitigation: Use strong, random passwords that are not in dictionaries. Use KDFs too.
  2. Network-based Attacks
    • Man-in-the-Middle (MITM) Attacks
      • The attacker secretly intercepts and potentially alters communication between two parties who believe they are communicating directly with each other.
      • Examples: Wi-Fi traffic interception, ARP poisoning, DNS spoofing, TLS/SSL traffic interception/modification.
    • Replay Attacks
      • The attacker intercepts and replays a valid message or data transmission to gain unauthorized access or cause unintended actions.
      • Examples: Intercepting and replaying a login request containing a valid username and password hash.
  3. Attacks Exploiting Implementation Weaknesses
    • Side-Channel Attacks
      • The attacker exploits information leaked during the physical implementation of a cryptographic system, rather than attacking the algorithm itself.
      • Some examples are:
        • Timing Attacks: Measuring the time it takes to perform cryptographic operations.
        • Power Analysis Attacks: Measuring the power consumption of a device while performing cryptographic operations.
        • Electromagnetic Attacks: Measuring electromagnetic radiation emitted by a device.
        • Acoustic Attacks: Analyzing sounds made by a device.
        • Cache Attacks: Exploiting how data in a cache is leaked
  4. Social Engineering and Human Exploitation
    • Phishing
      • The attacker tries to trick the user into revealing sensitive information by impersonating a trustworthy entity.
    • Social Engineering
      • A broader term than phishing. Involves manipulating people into performing actions or divulging confidential information
      • Often relies on psychological techniques rather than technical hacking methods.
  5. Web Application Attacks
    • SQL Injection
      • The attacker injects malicious SQL code into input fields on a web application. If the application doesn’t sanitize user input, the attacker’s code can be executed by the database, which allows them to access, modify, or delete data.
    • Cross-Site Scripting
      • The attacker injects malicious JavaScript code into a website, which is then executed by the browsers of other users who visit the site.
      • Has three types:
        • Stored XSS (Persistent): The malicious code is stored on the server and served to other users
        • Reflected XSS (Non-Persistent): The malicious code is part of a server request and is reflected back in the server’s response, causing the user’s browser to execute the code.
        • DOM-Based XSS: The vulnerability exists only as part of the JavaScript code on a webpage.
  6. Denial-of-Service Attacks
    • Denial-of-Service (DoS)
      • The attacker tries to make a service unavailable to legitimate users by overwhelming it with requests or exploiting a vulnerability.
      • Single device attacking another system.
    • Distributed Denial-of-Service (DDoS)
      • A DoS attack launched from multiple compromised computers (known as a botnet)

Part 3: Cryptography in Cryptocurrencies

Cryptocurrencies are digital or virtual currencies that rely on cryptography for security. They are decentralized (not controlled by a single entity like a bank or government) and typically use a technology called a blockchain.

What is Blockchain?

It is a distributed, immutable ledger of transactions. It is like a shared, public record book that everyone can see, but no one can alter retroactively.

How it works is as follows:

  1. Users create a transaction by sending cryptocurrency from one user (address) to another.
  2. These transactions are grouped together into blocks.
  3. Each block contains a cryptographic hash of the previous block, which creates a chain of blocks, where each block is linked to the one before it.
  4. A network of computers called nodes or miners work together to verify and add new blocks to the blockchain. This process often involves solving a computationally difficult problem
  5. Once a block is added into the blockchain, it would be extremely difficult to change or remove it because doing so would require recomputing the hashes of all subsequent blocks (and convincing the majority of the network to accept the altered chain.)

Graph View