ITM 820 Lecture Notes - Lecture 3: Password Policy, Keycard Lock, Dictionary Attack

215 views, 7 pages

Document Summary

Session 3: user authentication and access control.

Password-based authentication: a widely used line of defense against intruders is the password system. It refers to the use of more than one of the authentication means previously listed; the strength of authentication systems is determined by the number of factors incorporated.

Password vulnerability. Offline dictionary attack: the attacker obtains the system password file and compares the password hashes against hashes of commonly used passwords. The countermeasure is preventing unauthorized access to the password file. Specific account attack: the attacker targets a specific account and submits password guesses until the correct password is found. Countermeasures include training and enforcement of password policies that make them hard to guess. Workstation hijacking: the attacker waits until a logged-in workstation is unattended.

It prevents duplicate passwords from being visible in the password file. Improved implementation: there are other, much stronger, hash/salt schemes available for Unix; the recommended hash function is based on the MD5 secure hash algorithm.
