Posted: February 4th, 2015

Assessing Password Security

Paper, Order, or Assignment Requirements

 

 

CNET 232 Coursework Assignment 2014

 

Assessing Password Security

 

 

Aims:                    To improve your understanding of systems security and the limitations that can occur in practice.

 

Task:                              Research and analyse the use of password security in the context of websites, assessing the extent to which they are following and encouraging good practice.

Background

 

Despite the various weaknesses that have been observed and documented over the years, user authentication continues to be dominated by password-based mechanisms. This is particularly true on websites, where they represent an approach that users can be guaranteed to be able to use from any type of device without any prerequisites in terms of additional hardware (e.g. as would be the case if tokens or certain biometric methods were to be used). However, the password requirements imposed by many websites appear to be rather limited, and in many cases they do not satisfy the good practice guidelines that users would often be encouraged to follow elsewhere.

 

The task

 

Your task in this assignment is to conduct a study of password authentication on websites and to assess the extent to which good practice is being followed and encouraged.

 

• Identify, justify and explain the criteria against which you will conduct your evaluation (i.e. what would you expect sites to do in order to encourage and/or ensure good password practice amongst their users?).
• Select and justify three websites that you will use as your candidates for the evaluation. In each case you should be able to present a rationale for why the site was chosen. Clearly, in order to be able to apply your criteria in relation to password practices, each candidate site should use password-based authentication (as such, sites such as online banking, that use non-traditional login mechanisms, are unlikely to be suitable).
• Perform and document an evaluation of your chosen sites’ password practices and determine the extent to which they are compliant with your proposed criteria.
• Discuss the implications of your findings in a written report, including any recommendations (in general or site-specific) arising from your study.

 

Your main report should clearly explain your chosen criteria and websites, plus the methodology adopted for the evaluation (i.e. the process by which you went about testing the criteria on each of the sites). It should also present the details of your findings and a discussion of their implications.

 

Your report should begin with an Executive Summary, of no more than one page in length (in 12pt font), which outlines and summarises the key process, findings and recommendations from your study.

 

You should give appropriate consideration to the presentation and structure of your report. Marks will be gained for including appropriate introduction and concluding sections, as well as for appropriate use of figures and tables that can usefully accompany and support the text.

 

 

Important note

 

Please note that in performing the evaluation of the sites, you are NOT being asked to probe or break the security of their password mechanisms, or to perform any other form of activity that could constitute an attack against them.   You can undertake the evaluation using entirely legitimate means, by looking at what the sites provide and (where necessary) creating or using your own user accounts on them.

 

Report assessment criteria

 

Executive Summary                                                                                       10%

Selection and justification of evaluation criteria                                             20%

Explanation of website choices and evaluation methodology                        20%

Analysis and discussion of findings                                                    40%

Report presentation and clarity                                                                       10%

 

 

The overall length of the submission (excluding any appendices) should not exceed 3,500 words.

 

The report is worth 70% of the overall mark for the module.

 

 

Threshold Criteria (please note that these are indicative only)

 

• To achieve a pass (40%+) you must discuss the topic, present basic factual evidence in of your approach and findings.

 

• To achieve a 2.2 mark (50%+), you must present a descriptive account of your approach and some baseline discussion that considers the findings.

 

• To achieve a 2.1 mark (60%+), you must present a fully justified account of your approach and at least some level of critical analysis in the discussion of your findings.

 

• To achieve a 1st class mark (70%+), you must conduct a thorough review and full analysis of the topic, presenting a clear and fully considered method, and a set of fully analysed findings.

 

 

Submission

 

Deadline:        12pm (i.e. midday) on 12^th December

 

Note:

 

• You must submit your coursework via the DLE. Coursework must be submitted by the specified deadline.
• You should give due consideration to your personal time management to ensure that coursework is submitted in plenty of time prior to the deadline.
• Coursework can be submitted at any time ahead of the deadline.
• Please note that work submitted late without valid extenuating circumstances will be penalized. Work submitted within 24 hours after the deadline will receive a mark, but it will be capped at the normal pass mark for that module. Work submitted more than 24 hours after the official deadline will receive an automatic mark of zero.