A number of online banking systems send a limited lifetime PIN to your smartphone for you to be able to authenticate yourself to the bank.
Threat modeling of the password method
– guessing the password for a given user allows impersonation
– impersonating a real login program
– Keylogging to steal a password
Importance of a Trusted Path
Hardware/OS must provide a trusted path:
– Windows CTRL-ALT-DEL
– Keyboard and display must have trusted paths to OS
– Special kind of display under OS control
– Do users pay attention?
Store a list of passwords, one for each user in the system file.
– The file is readable only by the root/admin account
– What if the permissions are set incorrectly?
– Why should admin know passwords?
– If security is breached, the passwords are exposed to the attacker.
Use a one-way hash function and store the result
The password file is readable only for root/admin
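As an added illustration of the last two points (not code from the slides), the following Python shows the difference between the two storage designs: the "file" keeps only a random per-user salt and a one-way hash, so reading it does not yield the password, while verification still works by recomputing the hash. PBKDF2-HMAC-SHA256 and the 200,000-iteration work factor are this example's assumptions; the in-memory dictionary stands in for the system password file.

```python
import hashlib
import hmac
import os

# Constructed, in-memory stand-in for the system password file.
# Each record holds only (salt, hash); the plaintext password is never stored.
PASSWORD_FILE = {}

# PBKDF2 work factor (assumed value for this example, not from the slides).
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way function: PBKDF2-HMAC-SHA256 of the password under a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(user: str, password: str) -> None:
    """Create a record: fresh random salt plus the hash, never the password itself."""
    salt = os.urandom(16)
    PASSWORD_FILE[user] = (salt, hash_password(password, salt))


def verify(user: str, password: str) -> bool:
    """Check a login attempt by recomputing the hash and comparing in constant time."""
    entry = PASSWORD_FILE.get(user)
    if entry is None:
        # Hash anyway so an unknown user name takes about as long as a wrong password.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = entry
    return hmac.compare_digest(stored, hash_password(password, salt))


def stored_record_contains_password(user: str, password: str) -> bool:
    """Models an attacker reading the file: does the record expose the plaintext?"""
    salt, digest = PASSWORD_FILE[user]
    return password.encode("utf-8") in (salt + digest)


if __name__ == "__main__":
    register("alice", "correct horse")
    print("login ok:", verify("alice", "correct horse"))
    print("wrong password rejected:", not verify("alice", "battery staple"))
    print("record reveals password:", stored_record_contains_password("alice", "correct horse"))
```

Because the salt is random per user, two users who pick the same password get different stored hashes, which is what defeats precomputed lookup tables against a leaked file; the constant-time comparison avoids leaking how many leading bytes of the hash matched.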