## Homework 3

This homework is focused on passwords, mobile security, and web privacy.

### Overview

• Due Date: Friday, May 29, 5pm
• Group or Individual: Do this assignment as an individual. You may talk with others in advance of actually doing the assignment subject to the guidelines in the syllabus.
• How to Submit: Submit a PDF to the Catalyst dropbox: https://catalyst.uw.edu/collectit/dropbox/franzi/35015. Your assignment does not need to be entirely typed / developed with computer software. You could hand-write your assignment, and hand-draw some diagrams, and then submit a PDF scan of your hand-written assignment. Please make sure that any handwritten responses are legible.
• Total Points: 30

### Questions

Q1 (3 points)
The following is the output of the crypt() password hashing function under a departmental Linux machine (e.g., attu):

`$5$CSE484$Con9vulSyvxyDhS6D91VJHPluwhzntp0Pzq7kexqGQA`

The password is one of the following words. Which word is it?

• aardvark
• aardvarks
• aardwolf
• aardwolves
• Aaren
• Aargau
• aargh
• Aarhus
• Aarika
• Aaron

Q2 (3 points)
What is the entropy (rounded to the nearest whole number) of Passfaces with a random system-generated password that is five faces long (where each grid has 9 faces)? Recall that entropy is the bit-strength of a password, e.g., a random system-generated 8-character password composed of upper and lower case letters has approximately 46 bits of entropy.

Q3 (3 points)
Explain the purpose of a salt in password hashing.
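The following is an added worked example, not part of the assignment, covering both Q1 and Q3: it splits the Q1 crypt() string into its method id, salt and digest, re-hashes each candidate word with that same salt the way a login routine verifies one password, and then uses PBKDF2-HMAC-SHA256 (as a stand-in for SHA-crypt, which is not reimplemented here) to show what the salt buys you. All function names are my own, and the `crypt` module call only works where the system crypt(3) supports `$5$`.

```python
import hashlib
import hmac
import os
from typing import Optional

# The crypt() output from Q1, copied from the assignment; "$5$" means SHA-256-crypt.
Q1_HASH = "$5$CSE484$Con9vulSyvxyDhS6D91VJHPluwhzntp0Pzq7kexqGQA"
Q1_CANDIDATES = ["aardvark", "aardvarks", "aardwolf", "aardwolves", "Aaren",
                 "Aargau", "aargh", "Aarhus", "Aarika", "Aaron"]

def parse_crypt(stored: str) -> tuple:
    """Split a modular-crypt string "$id$salt$digest". The salt is stored in
    the clear: not a secret, it just makes this account's digest unique."""
    _, method, salt, digest = stored.split("$", 3)
    return method, salt, digest

def crypt_check(stored: str, words) -> Optional[str]:
    """Recompute crypt(3) with the salt read from `stored` for each word, as a
    login routine does for one password; returns the matching word or None.
    None also means the platform cannot do it: Python's `crypt` module is
    deprecated in 3.11, removed in 3.13, and macOS crypt(3) lacks $5$."""
    method, salt, _ = parse_crypt(stored)
    setting = f"${method}${salt}$"
    try:
        import crypt  # stdlib wrapper around the system crypt(3)
        for word in words:
            out = crypt.crypt(word, setting)
            if out and hmac.compare_digest(out, stored):
                return word
    except Exception:  # module missing, or the platform rejects $5$
        pass
    return None

# PBKDF2-HMAC-SHA256 stands in for SHA-crypt below; the salting principle is the same.
ITERATIONS = 100_000

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store salt and digest together, as crypt() does; a fresh random salt
    is drawn unless one is supplied (a fixed salt is only for tests)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"$pbkdf2${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Read the salt back out of the stored string and recompute the digest."""
    _, salt_hex, digest_hex = parse_crypt(stored)
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(recomputed.hex(), digest_hex)
```

Hashing the same password twice with `hash_password` gives two different stored strings, which is exactly why a table of precomputed unsalted hashes is useless against a salted store while `verify_password` still works for the legitimate user.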

Q4 (3 points)
Investigate how to turn on two-factor authentication for one of your favorite sites (Gmail, Facebook, ...). Then answer this question: would you / do you like this feature or not, and why? (Since some of you may not like this feature, we are not actually asking you to start using it -- just to investigate how you might start to use it.)

Q5 (4 points)
From a security perspective, how do mobile platforms like Android and iOS differ from traditional desktop operating systems?

Q6 (5 points)
Mobile platforms like Android and iOS ask users to make decisions about which permissions to grant applications (e.g., location, camera, network, etc.). Compare and contrast the time-of-use prompt (iOS) and install-time manifest (Android) models for permission granting. (Note: Android just changed its model to use iOS-style prompts! Please answer this question according to the "traditional" Android design, but feel free to offer your opinion on this switch.)

Q7 (3 points)
Explain (perhaps with a diagram) how an advertiser can use a browser cookie to track a user across sites.

Q8 (6 points)
Experiment with an anti-tracking browser add-on, such as Ghostery, Lightbeam, or Privacy Badger. Pick three websites (e.g., www.cnn.com, www.facebook.com, and www.weather.com -- though you may pick any sites), visit them with the add-on installed, and report on what you find. How many trackers are on each site? Can you think of ways to improve the add-on you tried? Does anything surprise you?