mirre-mt/masters-thesis
Archived
1
0
Fork 0
Code Releases 1 Activity

tex(theoret.): update how citations are done

Browse Source
This commit is contained in:
surtur 2023-08-18 18:02:20 +02:00
parent f4d5f6b29a
commit c47338f8ad
Signed by: wanderer
SSH Key Fingerprint: SHA256:MdCZyJ2sHLltrLBp0xQO0O1qTW9BT/xl5nXkDvhlMCI
1 changed files with 23 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
tex/part-theoretical.tex
View File

@ -162,7 +162,7 @@ to enter an area. The Roman army had a special system of distributing passwords
among the encampment members on a wooden tablet. Fast forward a couple of among the encampment members on a wooden tablet. Fast forward a couple of
thousand years, during the days of the Prohibition Era in the United States, it thousand years, during the days of the Prohibition Era in the United States, it
was the secret ``speakeasies'' that were protecting their illegitimate was the secret ``speakeasies'' that were protecting their illegitimate
alcohol-serving business using passwords~\cite{speakeasy}~\cite{nisthistory}. alcohol-serving business using passwords~\cite{speakeasy}\cite{nisthistory}.
During the World War II.\ the US paratroopers' use of passwords has evolved to During the World War II.\ the US paratroopers' use of passwords has evolved to
even include a counter-password. even include a counter-password.
@ -214,18 +214,20 @@ represents that a password is:
\end{itemize} \end{itemize}
\obr{Short arbitrary password length \obr{Short arbitrary password length
limit~\cite{larsklint}}{fig:arbitrarypasswdlengthlimit}{.8}{graphics/arbitrarypasswdlengthlimit.jpg} limit}{fig:arbitrarypasswdlengthlimit}{.8}{graphics/arbitrarypasswdlengthlimit.jpg}
This is wrong for multiple reasons, and it is a classic example of short The error message in above the password input field depicted in
arbitrary length requirement. It essentially prevents users from using Figure~\ref{fig:arbitrarypasswdlengthlimit} is wrong for multiple reasons, and
passphrases, makes using a password manager impractical and all of that has it is a classic example of short arbitrary length requirement~\cite{larsklint}.
apparently been done ``because of security''~\cite{etihad}. Moreover, this It essentially prevents users from using passphrases, makes using a password
might be an indicative of the fact that instead of storing passwords hashed (as manager impractical and all of that has apparently been done ``because of
it should be), they might be storing them in \textbf{plain text}. security''~\cite{etihad}. Moreover, this might be an indicative of the fact
that instead of storing passwords hashed (as it should be), they might be
storing them in \textbf{plain text}.
Otherwise, what reason could exist for the limit to be 10 characters? Otherwise, what reason could exist for the limit to be 10 characters?
The recommendation of the US's National Institute for Standards and Technology The recommendation of the US's National Institute for Standards and Technology
(NIST) in this regard is a minimum of 64 and a maximum of 256 characters, which (NIST) in this regard is a minimum of 64 and a maximum of 256 characters,
should be sufficient for most users' needs. which, as they put it, \emph{should be sufficient for most users' needs}.
\n{3}{Restricting special characters} \n{3}{Restricting special characters}
@ -235,20 +237,21 @@ used to protect privileged access. Ways of achieving the same may vary but the
intent stays the same: preventing users from inputting characters into the intent stays the same: preventing users from inputting characters into the
system, which the system cannot comfortably handle, for ``reasons'', which are system, which the system cannot comfortably handle, for ``reasons'', which are
usually something dubious along the lines of ``an apostrophe may be used in SQL usually something dubious along the lines of ``an apostrophe may be used in SQL
injection attacks'' or ``angle brackets may be used in XSS attacks''. Instead injection attacks'' or ``angle brackets may be used in XSS attacks''. Instead,
the real message it announces is pointing right to the serious shortcomings of the real message it often unwittingly announces is pointing right to the
password handling of the site in question, as passwords should never be serious shortcomings of password handling of the site in question, as passwords
re-displayed in a context that is prone to Cross Site Scripting (XSS), and the should never be re-displayed in a context that is prone to Cross Site Scripting
passwords should always be hashed before being sent to the database anyway, (XSS), and the passwords should always be hashed before being sent to the
leaving us with only alphanumeric characters, rendering the SQLi fears database anyway, leaving us with only alphanumeric characters, rendering the
baseless. SQLi fears baseless.
\obr{Forbidden special characters in \obr{Forbidden special characters in
passwords~\cite{forbiddencharacters}}{fig:forbiddencharacters}{.8}{graphics/forbiddencharacters.jpg} passwords}{fig:forbiddencharacters}{.8}{graphics/forbiddencharacters.jpg}
Note that ``Passw0rd!'' would have been a perfectly acceptable password for the Note that ``Passw0rd!'' would have been a perfectly acceptable password for the
validator displayed in Figure~\ref{fig:forbiddencharacters}. validator displayed in
NIST's recommendations on this are that all printing ASCII~\cite{asciirfc20} Figure~\ref{fig:forbiddencharacters}~\cite{forbiddencharacters}. NIST's
recommendations on this matter are that all printing ASCII~\cite{asciirfc20}
characters as well as the space character SHOULD be acceptable in memorized characters as well as the space character SHOULD be acceptable in memorized
secrets and Unicode~\cite{iso10646} characters SHOULD be accepted as well. secrets and Unicode~\cite{iso10646} characters SHOULD be accepted as well.