Take Quiz

Your name and email are stored only in your browser local storage for convenience. They are not retained server-side.

NameEmail

Question 1

According to the Security Now! #1009 episode, what is the minimum secret key length recommended by the HOTP RFC for TOTP authenticators, and what implication does using a shorter 80-bit key have?

Minimum 64 bits recommended; 80-bit keys exceed this and provide strong security comfortably. Minimum 80 bits recommended; so 80-bit keys are the official baseline for compliance and security. Minimum 128 bits recommended; using 80-bit keys like Google's is non-compliant and decreases the security margin significantly. Minimum 256 bits recommended; using 80-bit or 128-bit keys is considered insecure and outdated.

Question 2

In the episode, what is the primary reason that an attacker cannot feasibly recover the full TOTP secret key from a single observed 6-digit code?

The six-digit code output has only 1 million possible values, too small to contain information about an 80-bit key, preventing backward computation. A single code can be reversed with hash inversion techniques to find the key, but requires impractical amounts of data. The secret key is public but encrypted with quantum-resistant asymmetric encryption preventing recovery. The authenticator changes the secret key every 30 seconds, so the key is never static.

Question 3

What does the episode say about the brute force attack complexity when using multiple TOTP code samples at known times to recover the secret key?

Each additional code at a known timestamp reduces the candidate key space by a factor of one million, so four codes reduce it by 10^24. Multiple codes provide no help; each code is independently generated and offers no cumulative benefit for key recovery. Only two codes are needed to completely recover an 80-bit key due to algorithmic weaknesses. The key can be found after testing roughly half the key space using a single code, with no need for multiple samples.

Question 4

What mitigation does the episode recommend for organizations still using on-premise Active Directory (AD) regarding the hashing and salting of user password hashes?

There is no way to add salting to AD hashes; migrating to cloud-based Azure AD is the recommended Microsoft solution. Disable LAN Manager and NT LAN Manager authentication modes to force salted password hashes in Active Directory. Enable built-in salt features in Active Directory Group Policy settings to comply with CJIS requirements. Use third-party plugins that add salting to Active Directory by default to improve security.

Question 5

Regarding DJI's firmware update discussed in the episode, what change did DJI implement for the geofencing system in the United States?

DJI integrated FAA Remote ID and LAANC systems to prevent all unauthorized drone flights automatically. DJI lifted firmware-enforced geofencing, replacing no-fly zones with software warnings that rely on operators to comply voluntarily. DJI expanded firmware-enforced geofencing zones, adding strict automatic flight prevention over all government and airport areas. DJI added GPS spoofing resistance firmware to prevent drones from being tricked into restricted zones.

Cancel

Episode #1009 Quiz

Question 1

Question 2

Question 3

Question 4

Question 5