University of Sydney · FACULTY OF COMPUTER SCIENCE

INFO2222 · Computing 2 Usability and Security

- one subject, every graph, every model, every mark
Computer Science14 Chapters8-page Bible
Our own words - no uploaded lecturer files
Updated for this semester
Chapter 8 of 12 · INFO2222

Identification and Authentication

Weeks 7-8 separate identification ('who are you?') from authentication ('prove it'), teach the factor families and multi-factor authentication, and cover how passwords are attacked and defended. Counting hash attempts against a salted database and reasoning about salt vs pepper are frequent 4-mark items, while the factor and attack taxonomies are recall staples.

In this chapter

What this chapter covers

  • 01Identification vs authentication: a claimed identity (unique, recognisable, persistent) vs verifying that claim
  • 02Authentication requirements: proof of identity, binding, resistance to spoofing, timeliness, and privacy
  • 03The three factors — something you know (password/PIN), have (token/phone), are (biometric) — and multi-factor authentication (MFA)
  • 04Online attacks (guessing/brute force against the live system) vs offline attacks (attacker holds the hash)
  • 05Offline attack tooling: dictionary attacks, lookup tables, and rainbow tables (hash chains storing only start and end)
  • 06Salt (unique per user, defeats precomputation) and pepper (a secret kept off the database)
  • 07Slow password hashing (scrypt, Argon2) to make offline guessing expensive; password managers; WebAuthn/passkeys
  • 08Token challenge-response (nonce signed by a private key) and biometrics with fuzzy matching (pros and cons)
Worked example · free

Count hash attempts against a salted password database

Q [4 marks]. An attacker steals a leaked database of U = 150,000 user records, each stored as (unique random salt, digest). Suppose a fraction f = 4% of users chose a password from a public dictionary of D = 2,500 common passwords, and the attacker wants to crack every one of those weak accounts. (a) Why can't the attacker use a single precomputed rainbow table across all users? (b) How many hash computations are required? (c) What single defence would most increase this cost? (4 marks)
  • +1(a) Because each user has a UNIQUE salt, the stored digest is hash(pwd ‖ salt) with a different salt per user. A precomputed table (or rainbow table) built for one salt is useless for another, so no shared precomputation is possible — the attacker must attack each user separately.
  • +1(b) Count the weak accounts: weak = f · U = 0.04 × 150,000 = 6,000 users chose a dictionary password.
  • +1For each weak account the attacker must hash all D dictionary words with that user's salt: attempts = weak × D = 6,000 × 2,500 = 15,000,000 hash computations.
  • +1(c) Use a deliberately SLOW password-hashing function (Argon2, or scrypt) instead of a fast hash: making each of the 15,000,000 hashes expensive multiplies the attacker's time enormously, whereas the honest server pays the cost only once per login.
(a) Unique per-user salts prevent any shared precomputation, forcing per-user work. (b) weak = 0.04 × 150,000 = 6,000; attempts = 6,000 × 2,500 = 15,000,000 hashes. (c) Switch to a slow, memory-hard password hash (Argon2/scrypt) so each hash is costly.
Sia tip — The salt does not stop a dictionary attack on a single weak password — it only removes the attacker's ability to precompute or share work across users, turning one big table into per-user effort. Slowness (Argon2/scrypt) is what makes each of those per-user guesses expensive; a secret pepper kept off the database adds a further barrier.
Glossary

Key terms

Identification vs authentication
Identification is claiming an identity (a username or ID) that must be unique, recognisable and persistent. Authentication is proving that claim, requiring proof of identity, binding of the proof to the identity, spoofing resistance, timeliness and privacy.
Authentication factors
Something you know (password/PIN — widely used but guessable), something you have (token/phone — can be lost or cloned), something you are (biometric — non-revocable, needs hardware). Multi-factor authentication (MFA) combines two or more for greater strength.
Salt
A unique random value added per user before hashing (digest = hash(pwd ‖ salt); store salt and digest). It makes identical passwords hash differently and defeats precomputed tables, but is public, so it does not by itself stop guessing a single weak password.
Pepper
A secret value stored separately from the database (not beside the salt/digest) and mixed into hashing. Even if the whole password database is stolen, an attacker cannot brute-force without also obtaining the pepper.
Rainbow table
A precomputed structure that stores only the start and end of hash chains built with alternating hash and reduction functions, trading storage for lookup time to reverse unsalted hashes. Unique per-user salts render it ineffective.
Slow hashing (Argon2, scrypt)
Deliberately expensive, memory-hard password-hashing functions used so that each offline guess costs an attacker significant time and resources, while the server pays the cost only once per login. Argon2 (Password Hashing Competition winner) is preferred; MD5/SHA-1 are deprecated.
FAQ

Identification and Authentication FAQ

What is the difference between identification and authentication?

Identification is the claim — you assert who you are, e.g. by entering a username, which must be unique, recognisable and persistent. Authentication is the proof — the system verifies the claim, needing proof of identity (something you know/have/are), a secure binding of that proof to the identity, resistance to spoofing, timeliness (recent or session-based), and privacy. Getting authentication right grants the corresponding privilege.

Does adding a salt stop password cracking?

Not on its own. A unique per-user salt defeats precomputed and rainbow-table attacks and stops identical passwords sharing a digest, but because the salt is stored alongside the hash it is public — an attacker can still guess a weak password for one user by hashing candidates with that user's salt. What raises the cost is a slow, memory-hard hash (Argon2/scrypt) and, on top, a secret pepper kept off the database.

Why is multi-factor authentication stronger, and what does it cost?

MFA combines factors from different families — for example a password (know) plus a one-time code on your phone (have) — so an attacker must defeat both, and stealing just a password is not enough. The trade-off is usability: extra steps add friction, and factors have their own weaknesses (tokens can be lost, biometrics are non-revocable and need hardware). Modern phishing-resistant options such as WebAuthn/passkeys aim to keep the strength while reducing the friction.

Can AI help me with authentication topics in INFO2222?

Yes, as a study aid. Sia can check a hash-attempt count against a salted database, explain why salt defeats precomputation but not per-user guessing, contrast salt with pepper, and drill the factor and attack taxonomies. Use it to rehearse the reasoning for the security quizzes and exam; it does not do graded assessment for you, and the University of Sydney academic-integrity policy applies.

Study strategy

Exam move

Drill the salted-database counting logic until the chain is automatic: unique salts remove shared precomputation, so weak accounts = f × U and attempts = weak × D per-user, and slow hashing (Argon2/scrypt) is the cost multiplier. Keep the taxonomies on cards — the three factors and MFA, and the online-vs-offline attack families (guessing, dictionary, lookup table, rainbow table, replay) — with the one-line defence for each. Nail the salt-vs-pepper distinction (salt public and per-user, pepper secret and off-database) because multi-select claim questions turn on it, and remember MD5/SHA-1 are deprecated while Argon2 is preferred. Learn the token challenge-response (sign a nonce) and the biometric fuzzy-matching trade-offs. This chapter connects to the network-security chapter's client/server hashing discussion, so revise them together. Confirm the exam scope on Canvas.

Working through Identification and Authentication in INFO2222? Sia is AskSia’s AI Computer Science tutor — ask any INFO2222 Identification and Authentication question and get a clear, step-by-step explanation grounded in how INFO2222 is taught and assessed. Read this chapter free, then take your hardest questions to Sia.

A+Everything unlocked
Unlocks this Bible + all 38 of your University of Sydney subjects - and 1,000+ Bibles across every Australian university.
Sia - your INFO2222 tutor, unlimited, worked the way the exam marks it
The full 8-page Bible + practice bank with worked solutions
Chrome extension - sync your LMS so Sia knows your deadlines
Bilingual EN / Chinese on every Bible and every Sia answer
$25/ month
30-day money-back · cancel in one tap · how it works
Unlock the full INFO2222 Bible + 38 University of Sydney subjects解锁完整 INFO2222 Bible + University of Sydney 38 门科目
$25/mo