Identification and Authentication CSM27 Computer Security Dr Hans - - PowerPoint PPT Presentation



SLIDE 1

Identification and Authentication

CSM27 Computer Security
Dr Hans Georg Schaathun

University of Surrey

Autumn 2009 – Week 4

Dr Hans Georg Schaathun Identification and Authentication Autumn 2009 – Week 4 1 / 32

SLIDE 2

Outline

1 Introduction
  • Background
  • Definitions
  • Password management

2 Attacks
  • Guessing Passwords
  • Spoofing Passwords
  • The password file

3 Closing Words
  • Alternative Approaches
  • User convenience
  • Exercises

SLIDE 3

Introduction Background

Session objectives

  • Recognise the purposes of (password) identification.
  • Be aware of the potential vulnerabilities in password authentication caused by organisational, human, and technical issues.
  • Be able to identify and apply some security mechanisms for password distribution and management.
  • Draw general security lessons from the familiar scenario of password authentication.

SLIDE 4

Introduction Background

A familiar scenario

  • How many usernames and passwords do you have?
  • How many different passwords do you use?

SLIDE 6

Introduction Definitions

Identification and Authentication

  • Identification, e.g. giving your username: you reveal your identity to the system.
  • Entity authentication, e.g. giving a password: the process of verifying a claimed identity.

SLIDE 7

Introduction Definitions

The purpose of passwords

The computer system can know who the user is. This enables two features:

  • Audit trail: the system logs activity, and in the case of unauthorised and illegal activities the logs can be used to trace the guilty user.
  • Authorisation: use is restricted to recognised users, based on payment or membership.

Remark: Authorisation does not necessarily require identification; there are alternative approaches. However, using the audit trail to prosecute misbehaving users can hardly be done without identification.

SLIDE 12

Introduction Password management

The bootstrap problem

How do you identify the user when you give him the first password?

How did you get your first password at Surrey?

SLIDE 13

Introduction Password management

Forgotten passwords

What do you do if the user forgets his password?

Has anyone ever forgotten a password? What did you do to have it reset?

  • Forgotten passwords are an accessibility threat.
  • We have to reissue passwords to maintain accessibility.
  • This creates a vulnerability: an intruder may pretend to be an authorised user who has forgotten his password.
  • Misissuing a password is a confidentiality threat.

SLIDE 18

Introduction Password management

Verification techniques

  • Authorised channel: do not give a password to a caller on the phone, but call back on an authorised phone number. Alternatively, use a courier for personal delivery.
  • Independent witness: call back someone else, like the requestor’s manager.
  • Damage limitation: issue a one-time password, forcing the user to change it immediately.
  • Independent verification channel: require confirmation by a different channel before the password is activated.

SLIDE 22

Introduction Password management

Related precautions

Do not give a password to a caller on the phone, but call back on an authorised phone number.

How do you prevent phishing?

You get an email, allegedly from your bank, asking you to call them on a given number or click a given link. You do not know if the email is genuine. What do you do?

I would visit them by typing a URL I know is correct, or look up the phone number in a different source to call them. Independent, authoritative channel.

SLIDE 28

Attacks Guessing Passwords

Guessing passwords

Typical crime novel:
  • Combination for a safe: your birthday.
  • A PIN code: the last digits of the wife’s phone number.

Passwords are the same problem:
  • Dictionary attacks
  • Exhaustive searches

Users prefer passwords they can remember.

SLIDE 31

Attacks Guessing Passwords

Exhaustive attacks

How long does an exhaustive attack take?

  Number of passwords × Time per password

How do we control the vulnerability?
  • Longer passwords (mandatory minimum length)
  • Larger alphabet
  • Slow response (at least on repeated attempts)
  • Limit number of attempts

SLIDE 36

Attacks Guessing Passwords

Dictionary attacks

Users cannot remember randomly generated words; they tend to use common words etc. Hence, dictionaries can speed up the search.

Controls:
  • Require both upper- and lower-case letters
  • Require special symbols (e.g. punctuation)

But these controls reduce the password space: exhaustive search becomes easier...
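An added example, not from the lecture slides, that puts numbers on the two claims above: the cost of an exhaustive search is the number of passwords times the time per guess, and a policy that makes several character classes mandatory shrinks the space an attacker has to cover compared with free choice over the same alphabet and length. The class sizes and the guess rate are assumptions chosen for illustration.

```python
from itertools import combinations
from typing import Dict

# Character classes on a US-ASCII keyboard (assumed sizes, for illustration only).
CLASSES: Dict[str, int] = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def password_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols over an alphabet."""
    return alphabet_size ** length


def exhaustive_seconds(space: int, seconds_per_guess: float) -> float:
    """Worst-case time for an exhaustive search: number of passwords x time per password."""
    return space * seconds_per_guess


def space_requiring_all_classes(classes: Dict[str, int], length: int) -> int:
    """Count strings of `length` over the union of `classes` that contain at least one
    symbol from *every* class.  Inclusion-exclusion: start from all strings, subtract
    those missing one class, add back those missing two, and so on."""
    names = list(classes)
    total = sum(classes.values())
    count = 0
    for k in range(len(names) + 1):
        for missing in combinations(names, k):
            remaining = total - sum(classes[n] for n in missing)
            count += (-1) ** k * remaining ** length
    return count


def policy_reduction(classes: Dict[str, int], length: int) -> float:
    """Fraction of the unrestricted space that survives once every class is mandatory;
    the attacker knows the policy and skips everything outside that fraction."""
    total = sum(classes.values())
    return space_requiring_all_classes(classes, length) / password_space(total, length)


def min_length_for(target_seconds: float, alphabet_size: int, seconds_per_guess: float) -> int:
    """Smallest length whose exhaustive search takes at least `target_seconds`
    (the 'mandatory minimum length' control on the previous slide)."""
    length = 1
    while exhaustive_seconds(password_space(alphabet_size, length), seconds_per_guess) < target_seconds:
        length += 1
    return length


if __name__ == "__main__":
    rate = 1e-6  # assumed: one microsecond per guess, i.e. an offline search
    for n in (6, 8, 10):
        lower_only = password_space(CLASSES["lower"], n)
        print(f"length {n}: lowercase only {lower_only:.2e} guesses, "
              f"{exhaustive_seconds(lower_only, rate) / 86400:.1f} days")
    policy = {"lower": 26, "upper": 26, "symbol": 32}
    print(f"length 8 with lower, upper and symbol all required: "
          f"{policy_reduction(policy, 8):.1%} of the unrestricted 84-symbol space")
    print("length needed for a year of search over 84 symbols:",
          min_length_for(365 * 86400, 84, rate))
```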

SLIDE 37

Attacks Guessing Passwords

Other controls

  • Password checkers: simulate an attack and disable detected passwords.
  • Password generation: use computer-generated passwords.
  • Expiry dates.
  • Change default passwords on default accounts.

A secure product should probably demand a password entered during installation. A security-aware administrator would check that no default password is in use before deployment. If a default password is abused, who’s to blame?

SLIDE 39

Attacks Guessing Passwords

If we overdo it...

  • If the password is too difficult, the user will write it down.
  • If the password has to change often, the user will choose a simpler one.

So don’t lose sight of the full picture.

SLIDE 43

Attacks Spoofing Passwords

Spoofing passwords

The conventional password authentication is unilateral. How do I know that the computer requesting the password is authorised to do so? Could the password prompt be rogue?

SLIDE 44

Attacks Spoofing Passwords

Controls

  • State the number of failed attempts: attempts the user did not make indicate foul play ... raise the alarm.
  • Trusted path: CTRL+ALT+DEL under Windows is a secure attention sequence; it calls the system to invoke the login screen. Always use it, even if the login screen appears to be there.
  • Mutual authentication: ssh caches host keys and warns about unknown keys; host keys could be distributed securely.
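An added example, not from the lecture, of a server-side login wrapper that combines three of the controls from this slide and from the exhaustive-attack slide: slow response on repeated attempts, a limit on the number of attempts, and telling the user how many failures preceded a successful login. The credential table, the doubling delay and the lockout threshold are assumptions; a real system would verify against stored one-way hashes.

```python
import hmac
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed credential table for the demo (plaintext only to keep the example short).
CREDENTIALS: Dict[str, str] = {"alice": "correct horse", "bob": "hunter2"}


@dataclass
class AccountState:
    failed_since_last_success: int = 0
    locked: bool = False


@dataclass
class LoginResult:
    ok: bool
    reason: str
    delay_applied: float                    # seconds the server slowed this attempt
    failures_before: Optional[int] = None   # reported to the user on success


class LoginGuard:
    """Wraps a password check with slow response, attempt limit and failure reporting."""

    def __init__(self, verify: Callable[[str, str], bool], max_attempts: int = 5,
                 max_delay: float = 30.0, sleep: Callable[[float], None] = time.sleep):
        self._verify = verify
        self._max_attempts = max_attempts
        self._max_delay = max_delay
        self._sleep = sleep            # injectable so tests and demos need not really wait
        self._state: Dict[str, AccountState] = {}

    def delay_for(self, failures: int) -> float:
        """No delay on a first try, then 1, 2, 4, ... seconds, capped at max_delay."""
        return 0.0 if failures == 0 else min(2.0 ** (failures - 1), self._max_delay)

    def login(self, user: str, password: str) -> LoginResult:
        state = self._state.setdefault(user, AccountState())
        if state.locked:
            return LoginResult(False, "account locked; contact the administrator", 0.0)
        delay = self.delay_for(state.failed_since_last_success)
        self._sleep(delay)                                    # slow response on repeats
        if self._verify(user, password):
            seen = state.failed_since_last_success
            state.failed_since_last_success = 0
            # A user who sees failures they did not cause can raise the alarm.
            return LoginResult(True, f"{seen} failed attempt(s) since your last login", delay, seen)
        state.failed_since_last_success += 1
        if state.failed_since_last_success >= self._max_attempts:
            state.locked = True                               # limit number of attempts
            return LoginResult(False, "too many failed attempts; account locked", delay)
        return LoginResult(False, "invalid username or password", delay)


def verify_against_table(user: str, password: str) -> bool:
    """Constant-time comparison; the same message is returned whether the user exists or not."""
    return hmac.compare_digest(CREDENTIALS.get(user, ""), password)


if __name__ == "__main__":
    waited = []
    guard = LoginGuard(verify_against_table, sleep=waited.append)  # record instead of sleeping
    for pw in ("wrong", "wrong", "correct horse"):
        print(guard.login("alice", pw))
    print("server-side delays applied:", waited)
```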

SLIDE 46

Attacks The password file

The UNIX password file

ypcat passwd | head

ii00002:FFT.sa0X6JFtg:138542:13163:Ikpaya Ikpaya:/user/pgt1/ii00002:/usr/local/bin/tcsh
php3mm:HoeWG92G08wEU:23705:23300:Mr Michael J Merchant:/user/phradpg/php3mm:/usr/local/bin/tcsh
ph41mr:zothpaD8o2gEg:23196:23005:Mr Michael S Rubery:/user/ph43/ph41mr:/usr/local/bin/tcsh
gj0006:HIwyd0KZo65Jo:143647:23200:Gareth Jones:/user/phgammast/gj0006:/usr/local/bin/tcsh
ees3jm:iin1Yh1VHskP.:13307:13010:Jinming Ma:/user/pgr1/ees3jm:/usr/local/bin/tcsh
eep2zl:90hK45skpndt2:13662:13020:Zongyang Luo:/user/ccsrnrpg1/eep2zl:/usr/local/bin/tcsh
cs41hi:ALcOsbamD/axA:33299:28154:Mr Hercules Iliopoulos:/user/cs4/cs41hi:/usr/local/bin/tcsh
phpc251$:*:70033:979:phpc251$ machine account:/dev/null:/bin/false
rj00001:DISABLED2KBPkYbFtgaDk:136711:28156:Richard Jeffery:/user/ug1/rj00001:/sbin/nologin

username : password : uid : gid : real name : home directory : shell

The password is ‘encrypted’ using a one-way function.
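An added example, not part of the lecture, that parses the seven-field format shown above and audits each entry the way a defender reading a leaked copy would: which fields hold a real one-way-function output (and so are exposed to off-line search), which are empty (no password at all), and which accounts can still log in interactively. The sample lines are constructed with placeholder hashes, and the rules for '*', '!' and the DISABLED prefix are assumptions modelled on the listing.

```python
from dataclasses import dataclass
from typing import List

# Shells that refuse an interactive login (two of them appear in the slide's listing).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed sample in the slide's format; the hashes are made-up placeholders.
SAMPLE_PASSWD = """\
ab0001:xxPLACEHOLDERa:1001:100:Alice Able:/user/ug1/ab0001:/usr/local/bin/tcsh
bc0002:*:1002:100:Machine account:/dev/null:/bin/false
cd0003:DISABLEDxxPLACEHOLDERc:1003:100:Carol Dee:/user/ug1/cd0003:/sbin/nologin
de0004::1004:100:No password set:/user/ug1/de0004:/usr/local/bin/tcsh
ef0005:xxPLACEHOLDERe:1005:100:Eve Eff:/user/ug1/ef0005:/sbin/nologin
"""


@dataclass
class PasswdEntry:
    username: str
    password: str      # the 'encrypted' password, i.e. the one-way function output
    uid: int
    gid: int
    real_name: str
    home: str
    shell: str

    @property
    def empty_password(self) -> bool:
        """An empty field means no password is required at all: the worst case."""
        return self.password == ""

    @property
    def hash_usable(self) -> bool:
        """True when the field could be a one-way function output.  '*' and '!' can never
        match, and the DISABLED prefix seen in the slide spoils the stored value."""
        if self.empty_password or self.password in ("*", "!", "!!"):
            return False
        return not self.password.startswith(("DISABLED", "!"))

    @property
    def interactive_login_possible(self) -> bool:
        return (self.hash_usable or self.empty_password) and self.shell not in NOLOGIN_SHELLS


def parse_passwd_line(line: str) -> PasswdEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 colon-separated fields, got {len(fields)}: {line!r}")
    user, pw, uid, gid, gecos, home, shell = fields
    return PasswdEntry(user, pw, int(uid), int(gid), gecos, home, shell)


def parse_passwd(text: str) -> List[PasswdEntry]:
    return [parse_passwd_line(line) for line in text.splitlines() if line.strip()]


def audit(entries: List[PasswdEntry]) -> dict:
    """Summarise what someone holding a copy of the file could do with it."""
    return {
        "entries": len(entries),
        "offline_searchable": sorted(e.username for e in entries if e.hash_usable),
        "empty_password": sorted(e.username for e in entries if e.empty_password),
        "interactive": sorted(e.username for e in entries if e.interactive_login_possible),
    }


if __name__ == "__main__":
    for key, value in audit(parse_passwd(SAMPLE_PASSWD)).items():
        print(f"{key}: {value}")
```

Note that ef0005 has a login shell that refuses interactive use but still carries a usable hash, so its password can be searched off-line and may be reused elsewhere.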

SLIDE 47

Attacks The password file

Compromise of the password file

  • Unencrypted password file: obviously catastrophic. The enemy can learn everything.
  • Encrypted passwords: how dangerous is this? It allows off-line password search.

SLIDE 51

Attacks The password file

Protection Mechanisms

One-way function
  • Encryption without a key.
  • y = f(x) can be computed easily.
  • x = f⁻¹(y) is not computationally feasible.

Salting
  • Password P; random salt S; C = f(S||P), i.e. the salt is prepended before encryption.
  • Store S||C; the salt is stored unencrypted.
  • Result: two identical passwords have different salts, and thus different encryptions.
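An added example, not from the lecture, of the salting scheme on this slide: C = f(S||P) with a random S, the record S||C stored with the salt in the clear, and verification by recomputing f over the stored salt. It instantiates f with SHA-256 and separates S from C with a '$'; both are assumptions, and a production system would use a deliberately slow function such as bcrypt or PBKDF2 to make the off-line search of the previous slide expensive.

```python
import hashlib
import hmac
import os
from typing import Optional


def f(data: bytes) -> bytes:
    """The slide's one-way function, instantiated with SHA-256 (assumption)."""
    return hashlib.sha256(data).digest()


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """C = f(S || P); the stored record is S || C with the salt unencrypted."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt for every password
    c = f(salt + password.encode("utf-8"))
    return salt.hex() + "$" + c.hex()  # '$' separates S from C in this format (assumption)


def verify(password: str, record: str) -> bool:
    """Recompute f(S || P) with the stored salt and compare in constant time."""
    salt_hex, c_hex = record.split("$", 1)
    candidate = f(bytes.fromhex(salt_hex) + password.encode("utf-8"))
    return hmac.compare_digest(candidate, bytes.fromhex(c_hex))


def unsalted_record(password: str) -> str:
    """What the file would hold without salting: equal passwords give equal records,
    so one precomputed table of f(P) serves against every user at once."""
    return f(password.encode("utf-8")).hex()


def demo() -> dict:
    alice = make_record("letmein")
    bob = make_record("letmein")      # same password as alice
    return {
        "alice": alice,
        "bob": bob,
        "salted_records_equal": alice == bob,
        "unsalted_records_equal": unsalted_record("letmein") == unsalted_record("letmein"),
        "alice_verifies": verify("letmein", alice),
        "wrong_password_verifies": verify("letmeout", alice),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```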

SLIDE 56

Closing Words Alternative Approaches

Alternatives to passwords

  • Something you know (password)
  • Something you hold (smart card)
  • Who you are (biometric data)
  • What you are (hand-written signature)
  • Where you are (‘trusted terminal’)

SLIDE 57

Closing Words Alternative Approaches

An overview

Vulnerabilities are found at every stage of password authentication:

  • Password issue (password management)
  • Weak passwords (dictionary attack)
  • Weak memory: the user writes it down
  • Password entry (spoofing, peeking)
  • Transmission (remote authentication)
  • Time of check to time of use (is it secure in computer memory?)

Security must be addressed at every stage: in design, implementation, and human interaction.

SLIDE 59

Closing Words User convenience

User convenience

Every service requires authorisation: access workstation, access network, access printer.

Nuisance for the user: several passwords? Enter the password several times?

Single sign-on:
  • The system caches the password.
  • The system issues a certificate upon first authorisation.

Challenge! Balance security and user convenience. Watch out for this conflict!

SLIDE 65

Closing Words Exercises

Discussion Exercise

[Gollmann 3.7] If you are required to use several passwords at a time, you may consider keeping them in a ‘password book’. A password book is a protected file containing your passwords. Access to the password book can again be controlled through a master password.

  • What are the advantages of such a scheme?
  • What are the disadvantages of such a scheme?
  • Overall, do you think it is a good idea or not?