This lecture covers the three approaches to user authentication: something you know (PIN, password, etc), something you have (physical security token) and something you are (biometrics). We focus on passwords, since they are currently the most common approach. We consider the theoretical level of security achievable with passwords and contrast this with the reality. We discuss various attacks against passwords and look at how stolen password hashes can be cracked.

• Lecture video
• Slides (PDF)
• Exercises:
  • Password Hashing
  • Password Cracking Tools
• Other resources:
  • XKCD on password strength
  • YouTube video on KeySweeper, an example of keystroke logging hardware
  • DataBreaches.net: reports on the latest breaches
  • Have I Been Pwned (HIBP): checks if your accounts have been compromised in data breaches
  • A nice 2FA solution: YubiKey
  • BioStar 2 biometric data breach