04-03-2025
Password
Digital Identity
● Digital Identity is the unique representation of a subject engaged in an online/offline
transaction. A digital identity is always unique in the context of a digital service but
does not necessarily need to be traceable back to a specific real-life subject.
● As the world becomes increasingly digitized, the next generation of ID systems use
new technologies to provide digital proof of legal identity for a person and
transactions.
● Digital ID can help achieve multiple development goals such as financial and
economic inclusion, social protection, healthcare, education, social services, pension
payments, banking, employment, property rights, voting, etc.
● A person could have many digital identities, some overlapping, some contradictory.
● Identity Proofing establishes that a subject is actually who they claim to be. This
concept relates to KYC concepts and aims to bind a digital identity with a real person.
Identification and authentication
● Identification is the ability to identify uniquely a user, a system, an entity or an
application.
● Authentication is the ability to prove that a user or application is genuinely who that
person or what that application claims to be.
● For example, consider a user who logs on to a system by entering a user ID and
password.
○ The system uses the user ID to identify the user.
○ The system authenticates the user by checking the supplied password.
● Identification and authentication together form a two-way process.
• Feistel, Notz, and Smith [Feis75] describe a login
procedure that does not expose the user's password,
and allows the user and system to mutually
authenticate each other.
• They assume each user A has a private key on some
digital storage medium.
• A "challenge-reply" test allows A to determine
whether the communication is "live" (and not a replay
of an earlier login), and allows the system to establish
A's authenticity.
• A stored password is protected by a one-way cipher/function.
• Two improvements were made to UNIX password security.
• First, the password entry program was modified to encourage users to
use longer passwords.
• Second, each password is concatenated with a 12-bit random number
(called the salt) before encryption, effectively lengthening the password
by 12 bits.
• When a password P is created, a salt X is generated and concatenated
to P. Letting PX denote the concatenation, both X and f(PX) are stored
in the password file along with the user's ID.
• When a user logs in, the system gets X from the file, forms the
concatenation PX using the password P supplied by the user, and
checks f(PX) against the password file.
Hashing Passwords for Storage
• When a user creates a password, it's not stored as plain text. Instead, it
goes through a one-way hashing function.
• A cryptographic salt (random string) is generated and combined with the
password before hashing.
• Both the resulting hash and the salt are stored in the database.
• Let's say:
  p = original password (plaintext)
  s = random salt
  h() = cryptographic hash function
  H = final stored hash
  || = concatenation operator
Password validation
• When a user tries to log in, their entered password is combined with the
stored salt.
• This combination goes through the same hashing function.
• The resulting hash is compared with the stored hash.
• E.g. Given an entered password p', we check:
• If the relation holds, access is granted.
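As an added example (not from the slides), the creation and validation steps above in Python, assuming h() is scrypt from hashlib (a deliberately slow password hash that takes the salt as its own parameter) and that the record stores s and H as hex strings:

```python
import hashlib
import hmac
import secrets

# Added example (not from the slides): salted hashing for storage and
# validation in the slide's notation (p, s, h(), H). Assumption: h() is
# scrypt from hashlib, which binds the salt internally; that is the
# slide's H = h(p || s) with a deliberately slow one-way function.

SALT_BYTES = 16   # 128-bit random salt, far wider than the 12-bit UNIX salt


def h(pw: str, s: bytes) -> bytes:
    """One-way function h() over the salted password. Fixed cost parameters
    so the same (p, s) always yields the same H."""
    return hashlib.scrypt(pw.encode(), salt=s, n=2 ** 14, r=8, p=1, dklen=32)


def create_record(pw: str) -> dict:
    """Password creation: generate a fresh s, compute H, store both."""
    s = secrets.token_bytes(SALT_BYTES)
    return {"salt": s.hex(), "hash": h(pw, s).hex()}


def validate(record: dict, p_prime: str) -> bool:
    """Login: recompute h(p' || s) with the stored s and compare to stored H.
    compare_digest keeps the comparison constant-time."""
    s = bytes.fromhex(record["salt"])
    return hmac.compare_digest(h(p_prime, s), bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    rec = create_record("correct horse battery staple")
    print(rec)
    print(validate(rec, "correct horse battery staple"))   # True
    print(validate(rec, "Correct horse battery staple"))   # False
    # Same password, fresh salt: the stored hash differs every time.
    print(create_record("correct horse battery staple")["hash"] == rec["hash"])  # False
```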
Example
1. Given password p = "abc"
2. ASCII values: a=97, b=98, c=99
3. Generate random salt s = 7
4. Multiply the sum of the ASCII values by the salt
5. Take modulo 1000
6. Hash calculation:
• Storage in database: Salt (s) = 7, Hash (H) = 58
• Validation: If p' = "abc",
Properties
• One-way transformation (impossible to reverse)
• Avalanche effect (small input change causes large output change)
• Collision resistance (hard to find two inputs with same hash)
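An added illustration (not part of the slides) that reproduces the toy hash of the example above, H = (sum of ASCII values of p) × s mod 1000, which gives H = 58 for p = "abc" and s = 7, and then checks it against the three properties; the function names are this example's own, and SHA-256 appears only for contrast on the avalanche effect:

```python
import hashlib
from itertools import product

# Added example (not from the slides): the toy hash from the slide's example
# and a check of the three stated properties against it. The toy hash fails
# all three; a real cryptographic hash (SHA-256, used for contrast) does not.

def toy_hash(p: str, s: int) -> int:
    """Sum the ASCII codes, multiply by the salt, take modulo 1000."""
    return (sum(ord(c) for c in p) * s) % 1000


def validate(salt: int, stored_hash: int, p_prime: str) -> bool:
    """Validation step: recompute with the stored salt and compare."""
    return toy_hash(p_prime, salt) == stored_hash


def preimages(target: int, s: int, length: int = 3) -> list:
    """'Reverse' the toy hash by exhaustive search over lowercase strings of
    the given length (26**3 = 17,576 candidates for length 3)."""
    letters = "abcdefghijklmnopqrstuvwxyz"
    return ["".join(t) for t in product(letters, repeat=length)
            if toy_hash("".join(t), s) == target]


def sha256_bit_diff(a: str, b: str) -> int:
    """Number of differing bits between SHA-256(a) and SHA-256(b), out of 256."""
    x = int.from_bytes(hashlib.sha256(a.encode()).digest(), "big")
    y = int.from_bytes(hashlib.sha256(b.encode()).digest(), "big")
    return bin(x ^ y).count("1")


if __name__ == "__main__":
    print(toy_hash("abc", 7))             # 58, as in the slide
    print(validate(7, 58, "abc"))         # True
    # One-way fails: every 3-letter input with H = 58 is found instantly,
    # and collision resistance fails with it (any anagram has the same sum).
    print(preimages(58, 7))               # 10 strings, e.g. 'abc', 'cba', 'bbb'
    # Avalanche fails: a one-letter change moves H by exactly one salt step.
    print(toy_hash("abd", 7))             # 65
    print(sha256_bit_diff("abc", "abd"))  # roughly half of the 256 bits differ
```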
Salting benefits
1. Individual Password Security:
• Adding salt doesn't make it harder to crack a specific user's password
• This is because the salt is stored openly alongside the hash
• Think of it like adding a known number to a combination lock - if someone
knows the number, it doesn't make the lock stronger
2. Bulk Password Cracking Prevention:
• For attacking multiple passwords at once, salting makes it much harder
• Without salt: One password guess can be compared against all user
accounts at once
• With salt: Each password guess must be hashed with each user's unique
salt
• Mathematical impact: with n-bit passwords and 12-bit salts:
• Total possible hash combinations = 2^(n+12)
• Makes bulk cracking 2^12 (4,096) times more difficult
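To make the bulk-cracking point concrete, an added example (not from the slides) that runs one constructed wordlist against a few constructed accounts and counts hash evaluations with and without per-user salts; SHA-256 stands in for the slide's hash function and a 4-byte salt is used for brevity:

```python
import hashlib
import secrets

# Added example (not from the slides): how many hash evaluations one wordlist
# costs against many stored hashes, with and without per-user salts. The
# users, passwords and wordlist below are constructed for the demonstration.

USERS = {"alice": "sunshine", "bob": "sunshine", "carol": "dragon", "dave": "T9!x#q"}
WORDLIST = ["123456", "password", "sunshine", "dragon", "qwerty"]


def H(salt: bytes, p: str) -> str:
    return hashlib.sha256(salt + p.encode()).hexdigest()


def build_table(users: dict, salted: bool) -> dict:
    """Return {user: (salt, hash)}; the unsalted table uses an empty salt."""
    table = {}
    for user, pw in users.items():
        s = secrets.token_bytes(4) if salted else b""
        table[user] = (s, H(s, pw))
    return table


def crack(table: dict, wordlist: list) -> tuple:
    """Try the wordlist against every account; return (found, evaluations).
    Unsalted: hash each guess once and look it up against all accounts.
    Salted: each guess must be re-hashed under each account's own salt."""
    found, evaluations = {}, 0
    if all(s == b"" for s, _ in table.values()):
        by_hash = {}
        for user, (_, stored) in table.items():
            by_hash.setdefault(stored, []).append(user)
        for w in wordlist:
            evaluations += 1
            for user in by_hash.get(H(b"", w), []):
                found[user] = w
    else:
        for user, (s, stored) in table.items():
            for w in wordlist:
                evaluations += 1
                if H(s, w) == stored:
                    found[user] = w
                    break
    return found, evaluations


if __name__ == "__main__":
    for salted in (False, True):
        table = build_table(USERS, salted)
        # Unsalted also reveals that alice and bob share a password.
        print("salted" if salted else "unsalted",
              "alice==bob:", table["alice"][1] == table["bob"][1], crack(table, WORDLIST))
```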
Flaw in password creation
Email hacked or not? https://haveibeenpwned.com/
➢ Exploiting flaws in method of authentication.
➢ Using passwords that are weak or easy to guess. One in six people uses the
names of their pets as their passwords, making them highly predictable.
➢ These passwords tend to be reused across multiple sites, with one in three
people (32%) having the same password to access different accounts.
● Remedy: take steps such as implementing robust multi-layer
authentication.
Password-cracking techniques used by hackers
➢ Phishing
➢ Social engineering
➢ Malware
➢ Brute force attack
➢ Dictionary attack
➢ Mask attack
➢ Rainbow table attack
➢ Network analysers
➢ Spidering
➢ Offline cracking
➢ Shoulder surfing
Phishing
Phishing is a type of social engineering where an attacker sends a fraudulent
(e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person
into revealing sensitive information to the attacker or to deploy malicious software
on the victim's infrastructure like ransomware.
Examples: emails from supposed princes in Nigeria looking for an heir, from firms acting
on behalf of wealthy deceased relatives, or messages announcing "You have won a lottery".
E.g. https://sbi.co.in/web/personal-banking/phishing
Social engineering
A common tactic is for hackers to call a victim and pose as technical support,
asking for things like network access passwords in order to provide assistance.
E.g. a caller posing as a call-centre employee asking you to pay outstanding tax on your
account.
Malware
Keyloggers, screen scrapers, and a host of other malicious tools all fall under the
umbrella of malware: malicious software designed to steal personal data.
These sit alongside highly disruptive malicious software like ransomware, which attempts
to block access to an entire system.
Brute force attacks
Brute force attacks cover a number of different hacking methods that all involve guessing
passwords in order to access a system.
The simplest is guessing a person's password based on relevant clues.
Credential recycling, for example, relies on the fact that many people reuse their
passwords.
Reverse brute force attacks involve hackers taking some of the most commonly
used passwords and attempting to guess associated usernames.
Dictionary attack
The dictionary attack is a slightly more sophisticated example of a brute force
attack.
Many people will use memorable phrases as passwords.
It is an automated process of feeding a list of commonly-used passwords and phrases
into a computer system until something fits.
Most dictionaries will be made up of credentials gained from previous hacks,
although they will also contain the most common passwords and word
combinations.
Mask attacks
Where dictionary attacks use lists of all possible phrase and word combinations,
mask attacks are far more specific in their scope, often refining guesses based on
characters or numbers – usually founded in existing knowledge.
For example, if a hacker is aware that a password begins with a number, they will
be able to tailor the mask to only try those types of passwords.
Password length, the arrangement of characters, whether special characters are
included, or how many times a single character is repeated are just some of the
criteria that can be used to configure the mask.
Rainbow table attack
Whenever a password is stored on a system, it's typically protected using a 'hash', or
a cryptographic alias, so that the original password cannot be determined from the
stored value by reversing it.
Hackers maintain and share directories that record passwords and their corresponding
hashes, often built from previous hacks, reducing the time it takes to break into a
system (used in brute force attacks).
Rainbow tables go one step further, as rather than simply providing a password and its
hash, these store a precompiled list of all possible plain text versions of encrypted
passwords based on a hash algorithm. Hackers are then able to compare these
listings with any encrypted passwords they discover.
Network analysers
Network analysers are tools that allow hackers to monitor and intercept data packets
sent over a network and lift the plain text passwords contained within.
Such an attack requires the use of malware or physical access to a network switch.
Businesses can use these same tools to scan their own networks, which can be
especially useful for running diagnostics or for troubleshooting. Using a network
analyser, admins can spot what information is being transmitted in plain text, and put
policies in place to prevent this from happening.
The only way to prevent this attack is to secure the traffic by routing it through a VPN.
Spidering
Spidering refers to the process of hackers getting to know their targets intimately in order to
acquire credentials based on their activity. The process is very similar to techniques used in
phishing and social engineering attacks, but involves a far greater amount of legwork.
For example, if the target is a large company, hackers may attempt to source internal
documentation, such as handbooks for new starters, in order to get a sense of the sort of platforms
and security the target uses. It’s in these that you often find guides on how to access certain
services, or notes on office Wi-Fi usage.
Companies will often use passwords that relate to their business activity or branding in
some way, mainly because it makes them easier for employees to remember. Hackers are able to
exploit this by studying the products that a business creates in order to build a hitlist of possible
word combinations, which can be used to support a brute force attack.
Offline cracking
Offline cracking usually involves recovering passwords from a list of hashes, likely
taken from a recent data breach.
Most systems place limits on the number of guesses allowed before an account is
locked.
A captcha is used to restrict access.
An SQL injection attack may gain privileged access to the system.
Passwords put on sale by a former employee.
Shoulder surfing
Examples of this include hackers disguising themselves in order to gain access to
company sites and looking over the shoulders of employees to grab sensitive
documents and passwords.
WhatsApp hacking
Gaining access using Bluetooth
One-Time Passwords
• Password that can be used exactly once
• After use, it is immediately invalidated
• Challenge-response mechanism
• Challenge is number of authentications; response is password for that particular
number
• Problems
• Synchronization of user, system
• Generation of good random passwords
• Password distribution problem
Hardware Support
• Token-based
• Used to compute response to challenge
• May encipher or hash challenge
• May require PIN from user
• Temporally-based
• Every minute (or so) different number shown
• Computer knows what number to expect when
• User enters number and fixed password
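An added example (not from the slides) covering both the counter-based one-time password above and the temporally-based token: an HMAC-derived password per authentication number, a server-side verifier with a small re-synchronisation window, and a time-interval variant; the key is a constructed value and the HMAC truncation is this example's own construction, not any particular vendor's token:

```python
import hashlib
import hmac
import struct
import time

# Added example (not from the slides): counter-based OTP (challenge = number
# of authentications, response = the password for that number) with a
# server-side re-synchronisation window, plus the temporally-based variant.
# The key is a constructed value; the truncation scheme is this example's own.

DIGITS = 6


def otp(secret: bytes, counter: int) -> str:
    """The password for authentication number `counter`: HMAC-SHA1 over the
    counter, truncated to DIGITS decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class Verifier:
    """Server side: remembers the next expected counter so each password is
    valid exactly once, and looks a few counters ahead to re-synchronise."""

    def __init__(self, secret: bytes, window: int = 3):
        self.secret, self.window, self.counter = secret, window, 0

    def check(self, response: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(otp(self.secret, c), response):
                self.counter = c + 1   # this and all earlier passwords are now dead
                return True
        return False


def time_based(secret: bytes, step: int = 60, now=None) -> str:
    """Temporally-based token: the counter is the current time interval, so
    both sides know which number to expect without exchanging a count."""
    t = time.time() if now is None else now
    return otp(secret, int(t // step))


if __name__ == "__main__":
    key = b"constructed-demo-key"
    v = Verifier(key)
    print(v.check(otp(key, 0)))        # True: first password
    print(v.check(otp(key, 0)))        # False: replay of a used password
    print(v.check(otp(key, 2)))        # True: user skipped one, still within window
    print(v.check(otp(key, 9)))        # False: too far ahead, out of sync
    print(time_based(key, now=125))    # same as otp(key, 2) with a 60 s step
```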
Approaches: Password Selection
• Random selection
• Any password from A equally likely to be selected
• Pronounceable passwords
• User selection of passwords
Random Passwords
• Choose characters randomly from a set of possible characters; may also
choose length randomly from a set of possible lengths
• Expected time to guess password maximized when selection of characters
in the set, lengths in the set, are equiprobable
• In practice, several factors to be considered:
• If password too short, likely to be guessed
• Some other classes of passwords need to be eliminated, such as repeated patterns
(“aaaaa”), known patterns (“qwerty”)
• But if too much is excluded, space of possible passwords becomes small enough to search
exhaustively
Generating Random Passwords
• Random (pseudorandom) number generator period critical!
• Example: PDP-11 randomly generated passwords of length 8, and
composed of capital letters and digits
• Number of possible passwords = (26 + 10)^8 = 36^8 ≈ 2.8×10^12
• Took 0.00156 s to test a password, so would take about 140 years to try all
• Attacker noticed the pseudorandom number generator on PDP-11, with
word size of 16 bits, had period of 2^16 – 1
• Number of possible passwords = 2^16 – 1 = 65,535 ≈ 6.5×10^4
• Took 0.00156 s to test a password, so would take about 102 seconds to try all
• When launched, found all passwords in under 41 seconds
Remembering Random Passwords
• Humans can repeat with perfect accuracy 8 meaningful items
• Like digits, letters, words
• Write them down
• Put them in a place where others are unlikely to get to them
• Purse or wallet is good; keyboard or monitor is not
• Write obscured versions of passwords
• Let p ∈ P be the password; choose an invertible transformation algorithm t: P → A
• Write down t⁻¹(p) but not t
• Now user must memorize t, not each individual password
• Use a password manager (password wallet)
• Now must remember password to unlock the other passwords
Pronounceable Passwords
• Generate phonemes randomly
• A phoneme is a unit of sound, e.g. cv, vc, cvc, vcv
• Examples: helgoret, juttelon are pronounceable; przbqxdfl, zxrptglfn are not
• Problem: too few
• Solution: key crunching
• Run long key through hash function and convert to printable sequence
• Use this sequence as password
• Bigger problem: distribution of passwords
• Probabilities of selection of particular phonemes, hence passwords, not equiprobable
• Generated passwords tend to cluster; if an attacker finds a cluster with passwords
user is likely to select, this reduces search space greatly
User Selection
• Problem: people pick easy to guess passwords
• Based on account names, user names, computer names, place names
• Dictionary words (also reversed, odd capitalizations, control characters, “elite-speak”,
conjugations or declensions, swear words, Torah/Bible/Koran/… words)
• Too short, digits only, letters only
• License plates, acronyms, social security numbers
• Personal characteristics or foibles (pet names, nicknames, job characteristics, etc.)
Picking Good Passwords
• “WtBvStHbChCsLm?TbWtF.+FSK”
• Intermingling of letters from the Star Spangled Banner, some punctuation, and the author's initials
• What’s good somewhere may be bad somewhere else
• “DCHNH,DMC/MHmh” bad at Dartmouth (“Dartmouth College Hanover NH,
Dartmouth Medical Center/Mary Hitchcock memorial hospital”), ok elsewhere
(probably)
• Why are these now bad passwords?
Passphrases
• A password composed of multiple words and, possibly, other characters
• Examples:
• “home country terror flight gloom grave”
• From Star Spangled Banner, third verse, third and sixth line
• “correct horse battery staple”
• From xkcd
• Caution: the above are no longer good passphrases