
Authentication & Passwords

This document discusses password authentication and improving password security. It describes how passwords can be checked by comparing them to stored hashes or by iterating over the password character by character. It also discusses how adding salts to passwords before hashing helps strengthen security. Common passwords are analyzed from leaked lists to show many users reuse the same popular passwords. The document recommends hashing passwords with salts and using other techniques like challenge-response protocols to improve security over plain password authentication and storage.

Uploaded by Steven Swafford
Copyright: © Attribution Non-Commercial (BY-NC)

L22: Authentication & passwords

Nickolai Zeldovich 6.033 Spring 2012

Password-based authentication
    def checkpw(user, passwd):
        acct = accounts[user]
        # compares one character at a time and returns at the first mismatch
        for i in range(0, len(acct.pw)):
            if acct.pw[i] != passwd[i]:
                return False
        return True

* Based on Tenex

Password hashing
    import hashlib

    def checkpw(user, passwd):
        acct = accounts[user]
        # store and compare a hash of the password, never the password itself
        h = hashlib.sha1(passwd.encode()).hexdigest()
        if acct.pwhash != h:
            return False
        return True

Password statistics (leaked list of 32M pws, 2009)

- 5,000 unique passwords account for 20% of users (6.4 million)
- Similar statistics confirmed again in 2010 (Gawker break-in)
* Consumer Passwords Worst Practices report by Imperva

Password hashing with salt


    import hashlib

    def checkpw(user, passwd):
        acct = accounts[user]
        # acct.pwsalt is a per-account random value stored alongside the hash
        h = hashlib.sha1(acct.pwsalt + passwd.encode()).hexdigest()
        if acct.pwhash != h:
            return False
        return True
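The three slides above (character-by-character compare, unsalted hash, salted hash) worked through in one runnable example; this is added code, not from the lecture, and the `accounts` store, `register` and `same_password_detectable` helpers are constructed for illustration. It shows why an unsalted store exposes password reuse (the 5,000-passwords-for-20%-of-users statistic) while a per-user salt does not, and uses `hmac.compare_digest` so the check does not stop at the first differing character like the Tenex-style loop.

```python
import hashlib
import hmac
import os

# Constructed account store for the example: user -> (salt, hex hash).
accounts = {}


def hash_unsalted(passwd):
    # The slide's SHA1(passwd): identical passwords give identical hashes
    # for every user, so one precomputed table covers the whole store.
    return hashlib.sha1(passwd.encode()).hexdigest()


def hash_salted(salt, passwd):
    # The slide's SHA1(salt + passwd); the salt is random per account and
    # is stored with the hash (it does not need to be secret).
    return hashlib.sha1(salt + passwd.encode()).hexdigest()


def register(user, passwd):
    salt = os.urandom(16)
    accounts[user] = (salt, hash_salted(salt, passwd))


def checkpw(user, passwd):
    acct = accounts.get(user)
    if acct is None:
        return False
    salt, stored = acct
    h = hash_salted(salt, passwd)
    # compare_digest examines every byte instead of returning at the first
    # mismatch, unlike the character-by-character loop on the Tenex slide.
    return hmac.compare_digest(stored, h)


def same_password_detectable(users):
    # True if two of the listed users have identical stored hashes, i.e. the
    # store itself reveals that they chose the same password.
    hashes = [accounts[u][1] for u in users]
    return len(set(hashes)) < len(hashes)
```

SHA-1 is kept only to match the slides; a deployment would use a deliberately slow password hash (bcrypt, scrypt or Argon2) on top of the salt.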

Sitekey

Summary

Authentication using passwords

Passwords can be easy to guess, reused, long-lived

Better password protocols can improve security

Hashing, salting, challenge-response,

Principle: be explicit

Avoid hashing ambiguous messages
