Software Engineering Exercise
You are responsible for a software component for user authentication. Specifically, checking whether a user's password is correct. What factors do you need to consider?
Factors To Consider
This is a modern system, so it needs to be fully multilingual. ASCII is not acceptable.
Password Storage
If the hardware or environment offers some form of secure storage, that can be used to store the sensitive information. Classical multi-user operating systems were designed for scenarios where such secure storage was not generally available, so they typically store salted hashes of the passwords rather than the passwords themselves. This makes it computationally expensive (hopefully infeasible) to determine the stored passwords if the storage medium itself is exfiltrated.
Any beginner-level textbook on software security will cover the specifics of this topic.
Timing Attacks
Any computationally expensive operation (such as encryption and one-way hash functions) can be vulnerable to timing attacks. Most software and the hardware used to execute it are optimized for speed of execution. If an operation can be shown to be unnecessary, it will be skipped. In security applications, this can be a real problem because an attacker can submit many requests with varying data and time how long it takes for the answer to be returned, and use this along with knowledge of the specific algorithm being run to estimate which branches were taken, which can help narrow the search space significantly.
A simple countermeasure is to make the operation always consume the same amount of time regardless of the outcome. For example, set a timer for one second, do the work to check the password, then wait until the timer expires before returning the result.
Advanced security textbooks would certainly cover this topic. Note that this only handles in-process timing attacks; side-channel attacks are a separate issue that must be addressed differently.
Multi-Lingual Text
Suppose I want my password to be "The naïve mice are nice." First, we need to make sure that the string type allows the one character that is not plain ASCII. We could specify the API to accept UTF-8 or UCS-2 or something similar. But that is only the beginning. How do we know whether that "ï" is a precomposed character or was created using combining diacritics? While both of those possibilities will render identically in the UI, they are fundamentally different data and will result in a password mismatch even though the user entered the correct sentence with the correct spelling. We are only responsible for the password authentication; the user interface is outside our control, so we cannot depend on any particular behavior by the UI.
We will need to apply Unicode normalization to the input string for every request, and just provide an effusive apology for any user who enters their password using katakana when the stored password is in hiragana.
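The normalization step just described, together with the salted-hash storage and the timing concerns from the earlier sections, as an added example that is not part of the original exercise: it applies NFC normalization before hashing, stores only a salt and a PBKDF2 hash, and compares the derived hash with a constant-time comparison (a different mitigation from the fixed-duration timer described above). The two sample spellings of the password and the round count are constructed assumptions.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed sample: the same sentence typed two ways. The first uses the
# precomposed U+00EF; the second uses "i" followed by U+0308 (combining diaeresis).
PRECOMPOSED = "The na\u00efve mice are nice."
DECOMPOSED = "The nai\u0308ve mice are nice."

PBKDF2_ROUNDS = 600_000  # assumption: tune to the deployment's hardware budget


def canonicalize(password: str) -> bytes:
    """Apply Unicode NFC normalization, then encode as UTF-8.

    NFC folds combining sequences into their precomposed form where one exists,
    so both spellings of "naïve" yield identical bytes before hashing.
    """
    return unicodedata.normalize("NFC", password).encode("utf-8")


def store_password(password: str) -> tuple[bytes, bytes]:
    """Return (salt, hash). Only these two values are persisted, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", canonicalize(password), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Re-derive the hash from the candidate and compare it in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", canonicalize(candidate), salt, PBKDF2_ROUNDS)
    # hmac.compare_digest does not stop at the first differing byte, so the
    # comparison itself leaks nothing about how many bytes matched.
    return hmac.compare_digest(digest, stored)


if __name__ == "__main__":
    # The two spellings differ as code points but match after normalization.
    print(PRECOMPOSED == DECOMPOSED)                                   # False
    print(canonicalize(PRECOMPOSED) == canonicalize(DECOMPOSED))       # True
    salt, stored = store_password(PRECOMPOSED)
    print(verify_password(DECOMPOSED, salt, stored))                  # True
    print(verify_password("The naive mice are nice.", salt, stored))  # False
```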
Biometrics
Biometrics suck. Never use biometrics for security. No exceptions, no excuses.