Advanced Cyber Security 2022
International School of Management and Technology
Tinkune, Gairigaun, Kathmandu
ASSIGNMENT
Advanced Cyber Security
Submitted by: Arbin Shrestha
Module tutor: Roshan Kandel
SECTION: ‘B’ L6
EMAIL: [email protected]
Student_ID: 219464961
Arbin Shrestha (BSc (Hons) / 2nd trimester)
Table of Contents
Part 1
  System design
  Report
    Introduction
    Captcha and password
    Codes and screenshots for captcha and password
    Additional security features
    Critical review
    Conclusion
References
Part 1
Report
Introduction
Making a login system secure involves several approaches, such as requiring strong passwords and using a
CAPTCHA. Every web application with a login system exposes a number of vulnerabilities: automated use of
the site by bots, password attacks, cross-site scripting, SQL injection and others. To protect the website
from bots, which can cause DDoS and other attacks, we use a CAPTCHA (Completely Automated Public Turing
test to tell Computers and Humans Apart) and require users to choose strong passwords.
Captcha and password
To secure my login system I used reCAPTCHA, which uses an image captcha; other captcha types include text
captcha, audio captcha and others. Comparing the three kinds of captcha, Yang Zhang et al. (2019) concluded
that image captcha is the better choice because of its better safety, usability and mobile deployment
compared with text captcha and audio/video captcha. Image-based captcha has higher accuracy, security and
ease of operation, as the user only needs to look at the images and tick them. Image captcha was introduced
to remove the problems of earlier captchas such as text captcha and video captcha, which are uncomfortable
to read and take high bandwidth and storage (Singh, 2014). Xiaojiang Zuo et al. (2022) found reCAPTCHA
better because it takes different AI models more time to crack than text captcha, and recommended
increasing the frequency of reCAPTCHA challenges for better protection. Among the image-based captchas, my
system uses the selection-based captcha that is widely used nowadays, in which the user selects the images
that match the given hint. With reCAPTCHA, Google uses cookies to check whether the user has already solved
a captcha challenge successfully; if not, the image captcha challenge appears (Dylan Wang, 2020). This
protects the website from bots that might mount a DDoS attack and affect the whole web server.
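The widget only protects the site if the server checks Google's siteverify reply before accepting the registration. The following is an added example (not the report's register.php code) that validates such a reply offline: `EXPECTED_HOST`, `MAX_TOKEN_AGE` and the sample replies are constructed assumptions; the reply fields (`success`, `challenge_ts`, `hostname`, `error-codes`) are the ones the siteverify API returns.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

EXPECTED_HOST = "example.test"        # hypothetical host that serves the registration form
MAX_TOKEN_AGE = timedelta(minutes=2)  # a solved challenge is only accepted for a short window


def captcha_passed(reply_json: str, expected_host: str = EXPECTED_HOST,
                   now: Optional[datetime] = None) -> bool:
    """Return True only if the siteverify reply reports success for a fresh token on our host."""
    try:
        reply = json.loads(reply_json)
    except json.JSONDecodeError:
        return False
    if not isinstance(reply, dict) or reply.get("success") is not True:
        return False          # covers replies that carry "error-codes" instead
    # A challenge solved on some other site must not be accepted here.
    if reply.get("hostname") != expected_host:
        return False
    try:
        solved_at = datetime.strptime(reply["challenge_ts"], "%Y-%m-%dT%H:%M:%SZ")
    except (KeyError, TypeError, ValueError):
        return False
    solved_at = solved_at.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    age = now - solved_at
    return timedelta(0) <= age <= MAX_TOKEN_AGE


# Constructed sample replies and a fixed clock so the check runs offline
NOW = datetime(2022, 5, 1, 10, 1, 0, tzinfo=timezone.utc)
OK_REPLY = '{"success": true, "challenge_ts": "2022-05-01T10:00:00Z", "hostname": "example.test"}'
OTHER_HOST_REPLY = '{"success": true, "challenge_ts": "2022-05-01T10:00:00Z", "hostname": "other.test"}'
FAILED_REPLY = '{"success": false, "error-codes": ["timeout-or-duplicate"]}'
STALE_REPLY = '{"success": true, "challenge_ts": "2022-05-01T09:30:00Z", "hostname": "example.test"}'
```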
Password-based authentication is one of the most widely used forms of authentication, especially for
online authentication and hard-disk encryption. Any password can be cracked by a brute-force attack, but
the time needed differs from password to password; it depends on the composition, or strength, of the
password (Maximilian Golla, 2018). Richard Shay et al. (2010) calculated password entropy using a
heuristic algorithm and obtained an entropy of 31.01, of which length contributes 2.68, numbers 7.29,
symbols 5.94, uppercase 5.28 and lowercase 9.82, which they compared against the NIST guideline. This
shows that a strong (high-entropy) password needs a higher minimum length and must use numbers,
symbols/special characters, uppercase and lowercase letters. They also suggested a dictionary check,
which warns users not to use dictionary words. Similarly, Patrick Gage Kelley et al. (2012) divided users
into groups using different password policies, such as 8-character and 16-character passwords. From
password-guessing algorithms and entropy estimates they concluded that the best composition policy is the
"blacklist" one, in which passwords must have at least 8 characters, contain no dictionary words, and
include special characters and uppercase letters. They also found 16-character passwords to be stronger,
though harder for users to remember. Forced periodic password changes should not be part of password
security, following the NIST guideline, since passwords tend to become weaker when changed frequently.
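The policy described above (minimum length, numbers, symbols, uppercase, lowercase, dictionary check) as an added example in Python, not the report's PHP validation code. The entropy figure is a simple pool-size estimate, log2(pool^length), not the Shay et al. heuristic, and the word list is a constructed stand-in for a real dictionary.

```python
import math
import string
from typing import List

MIN_LENGTH = 8
DICTIONARY = {"password", "welcome", "kathmandu", "summer", "login"}  # constructed sample list

# character class -> (alphabet, pool size it adds to the entropy estimate)
CLASSES = {
    "lowercase": (string.ascii_lowercase, 26),
    "uppercase": (string.ascii_uppercase, 26),
    "number": (string.digits, 10),
    "symbol": (string.punctuation, len(string.punctuation)),
}


def contains_dictionary_word(password: str, words=DICTIONARY, min_word_len: int = 4) -> bool:
    """True if any listed word of at least min_word_len letters appears in the password."""
    lowered = password.lower()
    return any(w in lowered for w in words if len(w) >= min_word_len)


def estimate_entropy_bits(password: str) -> float:
    """Pool-size estimate: every character class present widens the alphabet a cracker must cover."""
    pool = sum(size for chars, size in CLASSES.values() if any(c in chars for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def check_policy(password: str) -> List[str]:
    """Return the list of policy failures; an empty list means the password is accepted."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    for name, (chars, _) in CLASSES.items():
        if not any(c in chars for c in password):
            failures.append("no %s character" % name)
    if contains_dictionary_word(password):
        failures.append("contains a dictionary word")
    return failures
```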
Codes and screenshots for captcha and password
The code and UI used for the login, which has password authentication and reCAPTCHA, are as follows:
Fig. reCAPTCHA’s image captcha UI
Fig. Verified reCAPTCHA
Fig. reCAPTCHA code (loginarbin\register.php on line 81 to line 106)
Fig. reCAPTCHA code (loginarbin\register.php on line 200)
Fig. UI to have password
Fig. Password with strength validation (loginarbin\register.php on line 21 to 41 and line 67 to line 76)
Additional security features
As an additional security feature, my system uses email verification: the user must verify their email
address in order to register and to be able to log in. The password is also stored in the database in
hashed, not plain-text, form for its security.
Figure. Code for the use of MD5 (loginarbin\register.php line 34)
Fig. Hashing of the password using MD5
For password hashing I used MD5, which saves the password in the database in hash form.
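For comparison, here is an added example (not the report's code) showing the unsalted MD5 form next to a salted, iterated hash and a constant-time verification. The scheme name, salt length and iteration count are choices made for this example.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000   # cost chosen for this example; raise it as hardware allows


def md5_hash(password: str) -> str:
    """Unsalted MD5 as stored by the report's register.php: one fast hash,
    identical for every user who picks the same password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_password(password: str) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.
    The random salt makes equal passwords hash differently, and the
    iteration count makes each brute-force guess far costlier than MD5."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except ValueError:          # malformed record: wrong field count, bad hex or bad count
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)
```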
Fig. Email verification code (\loginarbin\register.php line 42 to line 70)
Fig. Verification link in email
During registration we verify the user by email: a verification link is sent to the client's mail
address, and they must verify it by clicking the link, after which they can log in.
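An added example (not the project's register.php) of the server side of this flow: the emailed link carries a random token, and the database keeps only the token's SHA-256 hash plus an expiry, so a leaked table cannot be used to activate accounts. The in-memory `pending` dict, the 24-hour lifetime and the user ids are this example's assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 24 * 3600                 # assumed lifetime of a verification link
pending: Dict[str, Tuple[str, float]] = {}    # user_id -> (sha256(token), expiry); stands in for the DB


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_verification_token(user_id: str, now: Optional[float] = None) -> str:
    """Create a fresh random token for user_id and record only its hash.
    The returned token goes into the emailed link; it is never stored."""
    token = secrets.token_urlsafe(32)
    now = time.time() if now is None else now
    pending[user_id] = (_token_hash(token), now + TOKEN_TTL_SECONDS)
    return token


def verify_email(user_id: str, token: str, now: Optional[float] = None) -> bool:
    """Accept the link once: unknown user, expired or mismatched token all fail.
    A successful check removes the record so the same link cannot be reused."""
    record = pending.get(user_id)
    if record is None:
        return False
    stored_hash, expiry = record
    now = time.time() if now is None else now
    if now > expiry:
        pending.pop(user_id, None)            # expired links are discarded
        return False
    if not hmac.compare_digest(_token_hash(token), stored_hash):
        return False
    del pending[user_id]                      # single use
    return True
```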
Fig. UI after the verification
When we click the verification link, we see a UI like this.
Critical review
I think it is better to use Google's reCAPTCHA because it uses the image captcha. The image captcha is
better because of its mobile deployment, accuracy, operation and security. In the same way, a password
policy requiring a minimum length, special characters, uppercase and lowercase letters will make
passwords strong. This policy would be really strong, as it would be difficult for most password-cracking
algorithms to crack.
Conclusion
From this we can conclude that it is better to use reCAPTCHA to protect against bot attacks, and to use
a better password policy to make passwords strong.
References
Dylan Wang et al., 2020. Using Deep Learning to Solve Google reCAPTCHA. 2020 14th International
Conference on Ubiquitous Information Management and Communication (IMCOM), pp. 1-5.
Maximilian Golla et al., 2018. On the Accuracy of Password Strength Meters, pp. 1567-1582.
Patrick Gage Kelley et al., 2012. Measuring password strength by simulating password-cracking
algorithms. Symposium on Security and Privacy, pp. 523-537.
Richard Shay et al., 2010. Encountering Stronger Password Requirements: User Attitudes and Behaviors.
Symposium on Usable Privacy and Security.
Singh, V. P., 2014. Survey of Different Types of Captcha-International, 5(2), pp. 2242-2245.
Xiaojiang Zuo et al., 2022. IEEE INFOCOM 2022 - IEEE Conference on Computer Communications Workshops
(INFOCOM WKSHPS), pp. 1-6.
Yang Zhang et al., 2019. A survey of research on CAPTCHA designing and. Security And Privacy In
Computing And Communications, pp. 75-84.