How much security is lost compared to the traditional method

Assignment Help Computer Engineering
Reference no: EM133499475

Case: Someone recently pointed out to me that Facebook and a few other websites have a rather fascinating feature in their login process: if you inadvertently have caps-lock turned on when entering your password, it will still log you in. For instance, if my password is h0rsebattery, then the system will also log me in if I enter H0RSEBATTERY as my password (but not H0rSeBaTTerY). This got me wondering how they implemented this feature and whether this feature is a security risk.

If Facebook stored each user's password in the clear in their database, it would be easy for them to provide this feature. They could check a password entered into their website against both the stored password and a capslocked version of the stored password. However, storing passwords in the clear is a major security no-no. Fortunately, Facebook doesn't store passwords in the clear. (The conventional defense is to store a hash of the password instead of the password P itself. For example, a website might store the hash h(P), where h(.) is a cryptographic one-way hash function. When the user enters a password P', the system hashes it and then compares h(P') against the stored hash. However, with this conventional approach, if you have capslock on when you enter your password, the hashes won't match.)

My next thought was that maybe Facebook has some Javascript running in your browser that tests whether the caps-lock is enabled and, if so, undoes the effect of the capslock key. However, it turns out that this is not the case.

It also occurred to me that maybe Facebook is looking at the username, and if the username is in all capitals, they un-capslock the password before checking it against the hashed version. However, a quick test confirmed that this is not what they are doing: I can still log on with my username in all lowercase but with the capslock enabled when I type the password.

So, this is a bit of a puzzler. It raises an obvious question: is it possible to implement this feature, without major loss of security, and subject to the above constraints (no client-side Javascript, no uppercase/lowercase checks on the username, no passwords stored in the clear in persistent storage anywhere)? More precisely, please answer two variations of this question, for two different scenarios:

  1. On Windows and Linux, capslock reverses the case of all letters. Thus, clOwN becomes CLoWn if you type it with capslock enabled. Can you provide the feature described above for Windows/Linux users without major loss of security? If yes, explain how, and quantify how much security is lost compared to the traditional method of storing the password in hashed form. If no, explain why not.
  2. On Macs, capslock upper-cases all letters. Thus, clOwN becomes CLOWN if you type it with capslock enabled. Can you provide the feature described above for Mac users without major loss of security? If yes, explain how, and quantify how much security is lost compared to the traditional method of storing the password in hashed form. If no, explain why not.
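The server-side check the two scenarios ask about, as an added example that is neither Facebook's implementation nor the assignment's model answer. It assumes h(.) is PBKDF2-HMAC-SHA256 with a per-user salt (ITERATIONS is an illustrative work factor), stores only the salt and h(P), and for the Mac scenario enumerates every casing of an all-uppercase entry, capped by a hypothetical MAX_LETTERS, as one possible construction. The function online_guess_advantage_bits measures the loss the question asks to quantify: how many candidate passwords a single online login attempt now covers.

```python
"""Caps-lock-tolerant login over a stored hash h(P) only (added example)."""
import hashlib
import hmac
import math
import os
from itertools import product
from typing import Callable, List, Tuple

ITERATIONS = 10_000   # assumption: illustrative work factor, real deployments use more
MAX_LETTERS = 12      # assumption: hypothetical cap on 2**k enumeration (Mac scenario)


def h(password: str, salt: bytes) -> bytes:
    """The one-way hash h(P) from the case; only its output is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def store(password: str) -> Tuple[bytes, bytes]:
    """Conventional storage: persist (salt, h(P)), never P itself."""
    salt = os.urandom(16)
    return salt, h(password, salt)


def swapcase_variants(entered: str) -> List[str]:
    """Scenario 1 (Windows/Linux): caps-lock reverses case, so the password the
    user meant is either P' or swapcase(P'). Both are tried against h(P)."""
    alt = entered.swapcase()
    return [entered] if alt == entered else [entered, alt]


def uppercase_variants(entered: str) -> List[str]:
    """Scenario 2 (Mac): caps-lock upper-cases every letter, so CLOWN could have
    been clOwN, CLowN, ... A lowercase letter in P' proves caps-lock was off, so
    only P' is tried; otherwise every casing of the k letters is a candidate
    (2**k of them), unless k exceeds the cap."""
    if any(c.islower() for c in entered):
        return [entered]
    positions = [i for i, c in enumerate(entered) if c.isalpha()]
    if len(positions) > MAX_LETTERS:
        return [entered]          # refuse to spend 2**k hashes on one attempt
    chars = list(entered)
    variants = []
    for lower_bits in product((False, True), repeat=len(positions)):
        for i, lower in zip(positions, lower_bits):
            chars[i] = entered[i].lower() if lower else entered[i]
        variants.append("".join(chars))
    return variants               # variants[0] is P' itself


def verify(entered: str, salt: bytes, stored: bytes,
           variants: Callable[[str], List[str]]) -> Tuple[bool, int]:
    """Hash each candidate and compare in constant time against the stored h(P).
    Returns (accepted, number of hash evaluations spent on this attempt)."""
    evaluations = 0
    for candidate in variants(entered):
        evaluations += 1
        if hmac.compare_digest(h(candidate, salt), stored):
            return True, evaluations
    return False, evaluations


def online_guess_advantage_bits(entered: str,
                                variants: Callable[[str], List[str]]) -> float:
    """Security lost against an online guesser: one submission now covers
    len(variants) candidate passwords instead of one, i.e. at most
    log2(len(variants)) bits. The stored value is still h(P), so an attacker
    who steals the database and attacks it offline gains nothing."""
    return math.log2(len(variants(entered)))


if __name__ == "__main__":
    salt, stored = store("h0rsebattery")
    print(verify("h0rsebattery", salt, stored, swapcase_variants))    # (True, 1)
    print(verify("H0RSEBATTERY", salt, stored, swapcase_variants))    # (True, 2)
    print(verify("H0rSeBaTTerY", salt, stored, swapcase_variants))    # (False, 2)
    mac_salt, mac_stored = store("clOwN")
    print(verify("CLOWN", mac_salt, mac_stored, uppercase_variants))  # (True, 27)
    print(online_guess_advantage_bits("CLOWN", uppercase_variants))   # 5.0
```

In scenario 1 each attempt covers two candidates, so the online attacker gains at most one bit, and the stored h(P) is unchanged, so offline cracking is no easier. In scenario 2 the same construction costs the server up to 2**k hash evaluations for a caps-locked entry with k letters and hands an online guesser up to k bits per attempt, which is why the cap exists; the alternative of also storing h(upper(P)) would instead weaken the stored material against offline attack.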


All rights reserved! Copyrights ©2019-2020 ExpertsMind IT Educational Pvt Ltd