I am writing this report near the conclusion of the second week of this project, and I'll describe in some detail what direction I'm going in and how my research is coming together. I admit that there was a period of time where I was being pulled in two similar but distinct directions during my research: between the broader topic of generic password security as it pertains to large-scale data breaches and specific examples of bypassing security to gain access to a Windows/OS X workstation. I've experimented with extracting and hacking login passwords before, and I am still very interested in how viable that can be as a method to bypass security (extracting and cracking password hashes being something of a 'holy grail' of computer security because you don't change anything on the host machine).
I plan to head more towards the general use of password authentication and how it measures up to current attacks. I'll ask and answer the question: 'are we doing enough to strengthen password authentication in light of recent data breaches, and how might authentication change to help alleviate problems that we might be experiencing?' Two-factor authentication (2FA) will likely be a part of that discussion, especially given how that field has been quickly expanding recently (many popular services now use 2FA, helping to ease its entry into mainstream markets).
During the third week I expect to have my sources mostly nailed down and the general idea for the flow of the paper to be thought through. I think that my current pace will prove to be sufficient to complete this project well ahead of schedule if need be; this past week I refined my idea and gathered a few more sources, similar to what I did previously. With my topic nailed down I think that next week I will be able to focus on finding sources and generating a rough outline of my research going forward.
I did find some studies that discussed the conflict between password memorability and strength, as well as one that evaluated publicly available password lists to determine how vulnerable they are to attack. I will hopefully be addressing both of these issues, and I expect to find out more over the next few weeks.