set320 - Identification and Authentication Cunsheng Ding...

Identification and Authentication
Cunsheng Ding, HKUST, Hong Kong, CHINA, cding@cs.ust.hk

User Identification & Authentication
• Is he/she a registered user at the system? (user identification)
• Can he/she prove who he/she is? (user authentication)
C. Ding - COMP4631 - L20

Username and Password
• Username: identification purpose
• Password: authentication purpose
• Remark: the most widely used approach to identification and authentication.

Problems with Passwords
• Password guessing by an attacker
• Compromise of the system's password file
• Theft, accidental disclosure, forced disclosure

Guessing a Password
• Exhaustive search: try all possible combinations of valid symbols, up to a certain length.
• Intelligent search: search through a restricted name space, e.g., names of friends and relatives, car registration number.

Defenses by User
• Changing the default password: a delivered system has a default password.
• Password length: thwarts exhaustive search.
• Password format: mix upper and lower case symbols and numerical characters.
• Avoid obvious passwords: birth date, etc.

The Dilemma
• Passwords of complex formats are hard to memorize. If you choose one, you may have to write it down somewhere and hide it in your office. But this is also dangerous.
• Passwords of simple formats are easy to memorize, but do not offer good security.
• Question: What do you do in practice?

Password Security by System (1)
• Password checkers: the system checks passwords against some dictionary of 'weak' passwords.
• Password generation: some operating systems include password generators producing random but pronounceable passwords.

Password Security by System (2)
• Password aging: in many systems an expiry date can be set, to force a user to change his password.
• Limit login attempts: the system can monitor unsuccessful login attempts and react by locking the user account completely or at least for a certain period of time.

Password Security by System (3)
• Inform user: after a successful login, the system can display the time of the last login and the number of failed attempts since then, to warn the user about recent attempted attacks.
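The three "Password Security by System" slides describe the server-side controls (dictionary check, format and length rules, aging, attempt limiting, last-login notice) one at a time. The following added example, which is not part of the lecture notes, puts them together in one small account store. The weak-password dictionary, the limits (8 characters, 3 failed attempts, a maximum age of 90 time units) and the salted PBKDF2 storage of the verifier are my own choices, not values given in the slides.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the system's dictionary of 'weak' passwords.
WEAK_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin"}
MIN_LENGTH = 8      # assumed minimum length (thwarts exhaustive search)
MAX_FAILED = 3      # assumed lock-out threshold for consecutive failures
MAX_AGE = 90        # assumed password age limit, in the caller's time units

def check_password_policy(password, dictionary=WEAK_PASSWORDS):
    """Password checker: return the list of violations (empty = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if password.lower() in dictionary:
        problems.append("in weak-password dictionary")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)):
        problems.append("must mix upper case, lower case and digits")
    return problems

def _derive(password, salt):
    # The password file holds only a salted hash, so a copy of it does not reveal passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class PasswordStore:
    def __init__(self):
        self.users = {}

    def register(self, username, password, now):
        problems = check_password_policy(password)
        if problems:
            raise ValueError(", ".join(problems))
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": _derive(password, salt), "set_at": now,
                                "failed": 0, "locked": False, "last_login": None}

    def login(self, username, password, now):
        rec = self.users.get(username)
        # Same answer for unknown user and wrong password, so usernames cannot be probed.
        if rec is None:
            return {"ok": False, "reason": "bad credentials"}
        if rec["locked"]:
            return {"ok": False, "reason": "account locked"}
        if not hmac.compare_digest(_derive(password, rec["salt"]), rec["hash"]):
            rec["failed"] += 1                      # limit login attempts
            rec["locked"] = rec["failed"] >= MAX_FAILED
            return {"ok": False, "reason": "bad credentials", "locked": rec["locked"]}
        # Inform user: time of last login and failures since then; flag an aged password.
        info = {"ok": True, "last_login": rec["last_login"], "failed_since_last": rec["failed"],
                "must_change": now - rec["set_at"] > MAX_AGE}
        rec["last_login"], rec["failed"] = now, 0
        return info
```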