Password Attacks

Password attacks commonly exploit weak passwords through methods like dictionary attacks, brute-force attacks, spraying, and rainbow tables. Security best practices, such as using hashed passwords and account lockouts, can mitigate these risks, while understanding the difference between online and offline attacks is crucial for effective defense. Implementing additional measures like salting can further protect against sophisticated attacks.

Uploaded by Cassim Jaffer

PASSWORD ATTACKS

• The most common form of authentication and user access control is the
username/password combination, which can be significantly weakened as a
security measure if the user selects a weak password.
• Automated and social engineering assaults on passwords are easiest
when a password:
▪ is short,
▪ lacks complexity,
▪ is derived from a common word found in the dictionary,
▪ or is derived from easily guessable personal information such as birthdays,
family names, pet names, and similar details.
• There are four common methods of attacking passwords:
▪ Dictionary attack
▪ Brute-force attack
▪ Spraying
▪ Rainbow table
• Passwords should never be stored unencrypted in plaintext.
• Access to the password database would then make it quite easy to
compromise every account.
• As a result, cryptographic concepts are heavily used in the storing of
passwords.
• Passwords are typically stored as hashes.
• A hash is a one-way function, which means you can’t turn a hashed value
into a password.
• But if you hash a password, you can compare that output to a previously
hashed password.
• Attacks against passwords usually fall into two broad categories:
online and offline attacks.
• An online attack might, for example, involve an automated or manual
attack against your web-based email account, in which the attacker
attempts to log in with your username and password.
• Or an attacker might gain access to an entire hashed (unreadable)
database of passwords from the web-based email provider.
• The attacker might use techniques offline to crack the hashed
passwords before attempting to log in online.
• Security best practices can help avoid online attacks—for example,
locking accounts after several failed attempts.
• Offline attacks, however, give the attacker the convenience of iterating
through different methods and countless attempts.
• Online attacks occur while connected directly to a system.
• Users getting locked out of their accounts could be a result of
forgetting passwords or could indicate attacks against the accounts.
• An offline attack occurs when the attacker has access to the material
independent of the source system; for example, the encrypted
password database might have been downloaded.
• An offline attack is less risky and affords the attacker the opportunity
to circumvent controls without being detected.
• A dictionary attack involves the attacker trying every word in the
dictionary to gain access.
• In essence, software tools are available to automate such tasks to
perform attacks on passwords.
• The word password, for example, can easily be compromised through a
simple dictionary attack; however, simply changing the letter o to the
numeral 0 and the letter a to the @ sign could thwart a simple dictionary
attack.
• Brute-force attacks, however, are quite capable of defeating such
passwords.
• Unlike a simple dictionary attack, a brute-force attack relies on
cryptanalysis or hashing algorithms capable of performing exhaustive
key searches over every candidate password.
• Brute-force attacks can crack short passwords more quickly than can
dictionary attacks.
• However, a brute-force attack can take a lot of time and computing power
with larger, more complex passwords because it attempts to exhaust all
possible combinations of letters, numbers, and symbols.
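The substitution trick above (o to 0, a to @) only defeats a dictionary attack that does not expect it, so a defender's password policy should undo those substitutions before checking a candidate against a word list. The following is an added example, not code from the original notes: a registration-time check that normalizes common substitutions and strips trailing digits and symbols before the lookup. The word list, the substitution map, and the length and character-class thresholds are assumptions chosen for the example.

```python
"""Added example, not part of the original notes: a registration-time
password check that undoes the common character substitutions the notes
mention (o -> 0, a -> @, and similar) before looking the result up in a
word list, so 'p@ssw0rd' is rejected for the same reason 'password' is."""

# Constructed mini word list; a real deployment would load a large
# dictionary plus a breached-password corpus instead.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "dragon"}

# Substitutions commonly used to "strengthen" a dictionary word.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i", "|": "l"})

# Characters that are typically appended to a word ('Password123!').
TRAILING_JUNK = "0123456789!@#$%^&*.-_?"


def normalize(password: str) -> str:
    """Lower-case, drop a trailing run of digits/symbols ('Password123!'),
    then undo leet substitutions ('p@ssw0rd' -> 'password')."""
    core = password.lower().rstrip(TRAILING_JUNK)
    return core.translate(LEET_MAP)


def is_dictionary_based(password: str) -> bool:
    """True when the normalized form is a word an attacker's list would hold."""
    return normalize(password) in COMMON_WORDS


def check_password(password: str, min_length: int = 12) -> list:
    """Return the policy problems found (empty list means acceptable).
    The thresholds are assumptions for the example, not a standard."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if is_dictionary_based(password):
        problems.append("dictionary word (after undoing substitutions)")
    classes = sum(1 for present in (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ) if present)
    if classes < 3:
        problems.append("fewer than three character classes")
    return problems


if __name__ == "__main__":
    for candidate in ("p@ssw0rd", "Password123!", "Tr0ub4dor&3xtraLong"):
        print(candidate, "->", check_password(candidate) or "ok")
```

Note that the normalization runs before the word-list lookup, not after: stripping the trailing digits first keeps a suffix such as `123` from being rewritten into letters by the substitution map.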
• A common countermeasure to mitigate password attacks is account
lockouts.
• Password spraying seeks to circumvent account lockouts by
spreading the use of a single password attempt across multiple
accounts.
• Password spraying is a slow approach, but what it lacks in speed
across a single account it gains in scale across multiple accounts at
once.
• A single failed password across an account may be benign.
• However, a single failed login across many accounts at the same time
should serve as an indication to a security administrator that
password spraying may be occurring.
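The two signals described above differ in what they count: account lockout counts failures per account, while spraying shows up as a single failure against many accounts from one source. The following is an added example, not code from the original notes, that runs both detections over constructed authentication log lines. The log format, the five-minute window, and the thresholds (three failures for lockout, five distinct accounts for spraying) are assumptions for the example.

```python
"""Added example, not part of the original notes: two detections run over
constructed authentication log lines. Counting failures per account is
the signal behind account lockout; counting distinct accounts per source
is the signal for password spraying, which per-account lockout alone
never triggers because each account sees only one or two failures."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <FAIL|OK> <user> <source IP>".
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL alice 203.0.113.5
2024-05-01T09:00:02 FAIL bob 203.0.113.5
2024-05-01T09:00:03 FAIL carol 203.0.113.5
2024-05-01T09:00:04 FAIL dave 203.0.113.5
2024-05-01T09:00:05 FAIL erin 203.0.113.5
2024-05-01T09:00:06 OK frank 203.0.113.5
2024-05-01T09:01:00 FAIL alice 198.51.100.9
2024-05-01T09:01:10 FAIL alice 198.51.100.9
2024-05-01T09:01:20 FAIL alice 198.51.100.9
2024-05-01T09:05:00 FAIL grace 192.0.2.77
"""


def parse(log: str):
    """Return (timestamp, result, user, source) tuples sorted by time."""
    events = []
    for line in log.splitlines():
        ts, result, user, src = line.split()
        events.append((datetime.fromisoformat(ts), result, user, src))
    return sorted(events)


def _any_window_reaches(items, window, count, threshold):
    """items: (timestamp, value) pairs sorted by time. True if some span of
    length `window` holds values for which count(values) >= threshold."""
    start = 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        if count([v for _, v in items[start:end + 1]]) >= threshold:
            return True
    return False


def lockout_candidates(events, max_failures=3, window=timedelta(minutes=5)):
    """Accounts with >= max_failures failed logins inside one window,
    from any source: the classic lockout trigger."""
    per_user = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            per_user[user].append((ts, src))
    return sorted(u for u, items in per_user.items()
                  if _any_window_reaches(items, window, len, max_failures))


def spraying_sources(events, min_accounts=5, window=timedelta(minutes=5)):
    """Sources whose failures touched >= min_accounts distinct accounts
    inside one window: one guess spread across many users."""
    per_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            per_src[src].append((ts, user))

    def distinct(values):
        return len(set(values))

    return sorted(s for s, items in per_src.items()
                  if _any_window_reaches(items, window, distinct, min_accounts))


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("lockout candidates:", lockout_candidates(ev))
    print("possible spraying sources:", spraying_sources(ev))
```

On the sample data, only alice crosses the lockout threshold, while the source that failed once against each of five accounts never locks anyone out and is caught only by the per-source distinct-account count.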
• A rainbow table can be thought of as a very large set of precomputed
hash values for every possible combination of characters, used to
reverse a cryptographic hash function by lookup rather than computation.
• If an attacker has enough resources to store an entire rainbow table
in memory, a successful attack on hashed passwords can occur with
great efficiency.
• Further, such an attack can occur offline.
• Thus, the attacker does not need to hash every potential password,
as a rainbow table has already done this, and the attacker only needs
to perform a search against the required password hashes.
• Adding an additional input of random data to the function that
creates the hashes is known as a salt and can help make a rainbow
table attack ineffective.
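The storage model described earlier (hash on the way in, hash again and compare on the way back) and the salt described just above fit together in one routine. The following is an added example, not code from the original notes: a password record built from a random per-user salt and an iterated hash, the matching verify step, and an unsalted hash beside it so the effect of a precomputed table can be seen on both. The iteration count and the tiny precomputed table are assumptions constructed for the example.

```python
"""Added example, not part of the original notes: storing a password as a
salted, iterated hash and verifying a login against it, beside a plain
unsalted hash that shows why a precomputed (rainbow) table works against
one and not the other."""
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for the example; take the value from current guidance.
PBKDF2_ITERATIONS = 600_000


def unsalted_hash(password: str) -> str:
    """One-way hash with no salt: every user with this password gets the
    same digest, so a single precomputed table answers every lookup."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> dict:
    """What the password database should hold: a random per-user salt,
    the iteration count, and the derived hash (never the password)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iters": iterations, "hash": digest.hex()}


def verify(candidate: str, record: dict) -> bool:
    """Re-derive with the stored salt and compare in constant time; the
    stored hash is never reversed, only recomputed and matched."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(record["salt"]), record["iters"])
    return hmac.compare_digest(digest.hex(), record["hash"])


# Constructed stand-in for a precomputed table over a tiny word list.
PRECOMPUTED = {unsalted_hash(w): w for w in ("password", "welcome", "letmein")}


def lookup_precomputed(stored_hash: str) -> Optional[str]:
    """Reverse a stored hash by table lookup; only unsalted hashes match."""
    return PRECOMPUTED.get(stored_hash)


if __name__ == "__main__":
    print("unsalted lookup:", lookup_precomputed(unsalted_hash("password")))
    rec = make_record("password")
    print("salted lookup:", lookup_precomputed(rec["hash"]))
    print("verify correct:", verify("password", rec),
          "wrong:", verify("passw0rd", rec))
```

Two users who choose the same password get different records because each has its own salt, so a table built in advance cannot be reused across them; the iteration count separately raises the cost of every guess an attacker makes offline against a stolen database.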
• Note: A user being locked out of his or her account may indicate an
attack against the user’s password—especially if that user has no
history of failed repeated logon attempts.
