Research into the use of Stack Overflow for security

Purpose

This task forms part of your assessment; the data you capture will also be used to write a research paper. The use of the data for research purposes is purely voluntary. You will be asked to complete a consent form and will have until the start of semester 2 to withdraw your consent. You may also withdraw, or not permit, the use of the data you capture in the research; you will not have to give any reason, and doing so will not have any consequences for yourself.

 

This exercise should not take more than an hour to complete, and it will be undertaken in the lab before week 11. There are four tasks in total; they need to be done in sequence, and once completed they should not be amended based on the subsequent tasks. It is also vital that tasks 1 to 3 take place before the week 11 lecture, and that task 4 be completed after the week 11 lecture. Details on how to submit the work will be given later; however, it will be collected prior to the end of semester. You should also submit the work as part of the assessment.

 

You will be asked to conduct some research on Stack Overflow (not other websites); the nature of the research is specifically related to the way passwords are stored for authentication purposes. This is a very well-known area of security, and most developers will have had some exposure to creating a secure logon. The research should not encompass the following: TLS/SSL or password strength criteria. It should only be concerned with the way the password will be processed prior to being stored in a database for the purposes of user authentication. This is often described as a ‘cryptographic transformation’, i.e. transforming it from an insecure string into a secure binary format.

The current best practice will be discussed in week 11; it is therefore vitally important that the first part of the investigation is done prior to this lecture, otherwise it will contaminate the results of this study and render them useless. Equally, it is important that the last task is done after the security lecture of week 11.

The main purpose of this research is to evaluate the effectiveness of Stack Overflow in providing a solution to a common security problem, and how prior knowledge affects the effectiveness of searching for and finding an appropriate solution. It is therefore important that you capture your usage of Stack Overflow during the investigation.

 

Your job is to find the most appropriate technical solution for the problem of password storage. I will ask you to record the pages you look at on Stack Overflow (URL) along with information about the usage of the page: percentage read, whether you fully read the page or skim read the page, and whether you found the page useful and relevant.

The Problem.

Single-factor authentication relies heavily on the use of passwords to authenticate users. Although other authentication techniques do exist, single-factor password authentication is the mainstay of the e-commerce and commercial arena. As previously stated, you are not asked to look at the security of the connection between the client and the server (TLS/SSL), and you are not being asked to look at policy such as frequency of password change or criteria for password strength. You are, however, being asked to identify the technical solution for the transformation from a clear plain-text string into the binary format which will be stored in the database. There are various ‘cryptographic’ transformations that can be used: some are keyed, some are non-keyed, and some are reversible while others are not. The purpose is for you to choose the most appropriate cryptographic transformation.

 

The following is a list of tasks you have been asked to complete. Please note that some information about your prior experience will be used; however, no information regarding your name or student ID will be stored. The information is relatively generic and therefore anonymous in nature.

  • Task A) Captures information about your background as a developer, including any industrial experience you have gained.
  • Task B) Captures any prior knowledge and/or preconceptions you may have regarding password security.
  • Task C) Before the lecture on security. Investigate the problem, capturing information about the pages you look at and the proposed solution based on your investigation.
  • Task D) After the lecture on security. If you believe you have already chosen an optimal solution, you need to write this in the section (OPTIMAL SOLUTION ALREADY FOUND); otherwise, use Stack Overflow again and repeat the activity undertaken in Task C.

 

Part A) Your Background

 

  • Where did you study for your undergraduate Computer Science degree?
  • Obtained in UK.
  • Obtained outside of the UK.
  • Obtained at Northumbria University.

Delete those which are not appropriate.

  • Industrial Experience

Did you do a placement year as part of your degree?

YES    NO   (delete the one which is not appropriate)

How many years industrial experience do you have (including a placement year)?

Full time years : Enter 0 if none.

Part time years : Enter 0 if none.

Please use real numbers not integers.


Part B)

 

Pre-existing knowledge of password security may improve your ability to search for and sort solutions on Stack Overflow. Therefore, it is important that you state any prior knowledge/preconceptions you have regarding the transformation a string password should go through prior to being saved in a database.

For example, I believe that the password should go through a ……….….. prior to being saved in the database. OR I really have no idea what should be done.

 

 

 

 

 

 

 

 

Part C) Task

 

The problem: passwords are a necessary part of user authentication; although other mechanisms do exist, they are typically not viable for most computer systems and web applications. There are a number of different technical solutions to storing password information for the purposes of user authentication. Your task will be to find which one you believe to be an optimal technical solution; you do not need to code this, but you do need to indicate which techniques would be used to store the password securely. The resource you need to use for this task is the popular developer site Stack Overflow. For each page you look at, you need to record the URL and the following information. I expect that there will be a number of pages you look at before you decide on a solution. Please place them in chronological order of when you viewed them, starting with the first page at the beginning and ending with the final URL. In case of a missing URL or out-of-sequence documentation of the process, please open your browser history and cut-and-paste the section related to Stack Overflow at the end of this section.

 

Search Term Used followed by the URLs read under that search term

Way page was read

  • A) Skim read the page and did not read anything in detail
  • B) Skim read the page and read some sections in detail
  • C) Read more than half of the page in detail
  • D) Read the entire page in detail

Usefulness of page (at the time of reading)

  • A) Page was very useful
  • B) Page was moderately useful
  • C) Page was only partly useful
  • D) Page was not useful

Subjective conclusions of the page

  • A) Trusted the content and opinions on the page
  • B) Trusted some of the content and opinions on the page
  • C) Trusted little of the content and opinions on the page
  • D) Trusted none of the content and opinions on the page

Please give a few words to explain your subjective judgment of the page.

The following is an example.

Page URL: https://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords
The way page was read: A
Usefulness of page: D
Subjective conclusions of the page: B
Comments on the subjective score: The page was only of passing interest and not really relevant to the question.

 

Please copy the following template for each page you look at.

Page URL:
The way page was read:
Usefulness of page:
Subjective conclusions of the page:
Comments on the subjective score:

Task C outcome

From your research above, please detail the cryptographic transformation you believe is needed prior to storing the password in the database. You should pick the one you would use if developing this functionality for a real client. If the transformation requires parameters, state the parameters required. You do not have to give a code example, only information about the cryptographic transformation you would choose and a short sentence or two on why you think this is the best choice.

 

 

 

 

 

 

 

 

 

 

 

Which of the URLs was most useful in finding this solution?

 

 

 

Task D

 

This task should be completed after the week 11 lecture on cryptography and security.

Having had the lecture, had you already found the optimal solution in Task C?

Please delete as appropriate:    YES     NO

 

If you have answered NO, then please conduct the same activity as in Task C and find the solution you would use on Stack Overflow.

 

Search Term Used followed by the URLs read under that search term

 

Way page was read

  • A) Skim read the page and did not read anything in detail
  • B) Skim read the page and read some sections in detail
  • C) Read more than half of the page in detail
  • D) Read the entire page in detail

Usefulness of page (at the time of reading)

  • A) Page was very useful
  • B) Page was moderately useful
  • C) Page was only partly useful
  • D) Page was not useful

Subjective conclusions of the page

  • A) Trusted the content and opinions on the page
  • B) Trusted some of the content and opinions on the page
  • C) Trusted little of the content and opinions on the page
  • D) Trusted none of the content and opinions on the page

Please copy the following template for each page you look at.

Page URL:
The way page was read:
Usefulness of page:
Subjective conclusions of the page:
Comments on the subjective score:

 

Task D outcome

Please detail the cryptographic transformation you would pick for the development of a real commercial system. You need to outline the

 

 

 

 

 

 

 

 

 

Which of the URLs was most useful in finding this solution?

 

 
