This scenario involves the password-based type of authentication. Passwords exist in the form of letters, numbers, or special characters. However, they are prone to phishing and password attacks. Today, users have different accounts and have a lot of passwords to remember. As a result, users choose convenience over security, and they end up using weak passwords that are easy to remember. If Alice sends a plain password to Bob, an intruder may use it maliciously to obtain confidential information from the database. Also, attackers may target the plain passwords stored in the database (Mohammed et al., 2017).

As Kamal (2019) states, plain passwords are protected through hashing. Hashing involves turning a password into a different string of letters and numbers using an encryption algorithm or cryptographic hash function. This method is effective because it is an irreversible one-way function. This way, if the database is hacked or an intruder accesses it, they cannot read the actual password. Also, Alice can hash it before sending it over the network, or the system should incorporate an automatic hashing function when the user keys in the plain password.

Alice sending a plain password to Bob makes the password susceptible to phishing as well. Even though Bob hashes it and compares it to a list of hashed passwords, an intruder may be listening through the transmission channel.

Like the previous scenario, the most appropriate solution is hashing the password before sending it over the network or channel. The organization should include a hashing function to encrypt the password at the user’s end (Kamal, 2019).

Alice computes the hash of a password and uses it as secret key in challenge/response protocol.

Hashing passwords has been effective in protecting stored and passwords sent over a communication network. However, hackers can also crack hashes if the hacker has a hash dump. Dumped hashes can be cracked using brute-force or dictionary attack.

To solve this, confidentiality at the application and transport level can be implemented. The scan2pass system model suggested by Zmezm et al. (2018) can be implemented here. The model first involves protecting the sensitive data and encryption key transmitted through the communication channel. Second, a key derivation function is used to extend the key space length of Alice’s password. Extending the key space to 256 bits prevents brute-force and dictionary attacks. Finally, mutual authentication between the entities is done through multi-factor techniques. The Quick Response Code (QR code) computes an OTP for the user and server during the challenge/response protocol.

 Alice computes the hash of a password and sends it to Bob, who hashes it and compares it against a database of doubly-hashed passwords.

Hashing a password does not entirely secure it. Hashing it twice creates an iteration that makes it more difficult for an attacker to try it against the hash dump. However, the stored passwords are still prone to dictionary and brute-force attacks if the attacker spends more time on them. Also, if the attacker had already cracked Alice’s hashed password due to the lack of iteration, cracking the double-hashed password in the database would take less time.

Solving this requires using salted hashes. Karrar et al. (2018) define a salted hash as a random string that appends or prepends the user’s original password before using the cryptographic hash function. The technique can also include swapping, reordering, or rearranging the user’s plain password before hashing and storing it.