2.4 - Password Attacks Flashcards

1
Q

Plaintext / unencrypted passwords

A
  • Some applications store passwords “in the clear”
    – No encryption. You can read the stored password.
    – This is rare, thankfully
  • Do not store passwords as plaintext
    – Anyone with access to the password file or
    database has every credential
  • What to do if your application saves passwords
    as plaintext:
    – Get a better application
2
Q

Hashing a password

A
  • Hashes represent data as a fixed-length string of text
    – A message digest, or “fingerprint”
  • Collision resistant (in a strong algorithm)
    – Two different inputs should not produce the same hash
  • One-way trip
    – Computationally infeasible to recover the original message
    from the digest
    – A common way to store passwords: store the hash, never
    the password, and add a per-user salt and a slow
    (iterated) hash so leaked hashes are expensive to crack
3
Q

The password file

A
  • Different across operating systems and applications
    – Different hash algorithms and storage locations
    (for example /etc/shadow on Linux, the SAM database on Windows)
    – The stored record usually identifies the algorithm, salt,
    and hash, so a cracker knows what to compute
4
Q

Brute force

A
  • Try every possible password combination
    until the hash is matched
  • This might take some time
    – The keyspace grows exponentially with password length
    – A strong (slow, iterated) hashing algorithm slows things down
  • Brute force attacks - Online
    – Keep trying the login process
    – Very slow
    – Most accounts will lock out after a number of
    failed attempts
  • Brute force the hash - Offline
    – Obtain the list of users and hashes
    – Calculate a password hash, compare it to a stored
    hash; no lockouts, the only limit is compute
    – Large computational resource requirement
5
Q

Dictionary attacks

A
  • Use a dictionary to find common words
    – Passwords are created by humans
  • Many common wordlists available on the ‘net
    – Some are customized by language or line of work
  • The password crackers can substitute letters
    – p&ssw0rd
    – Rules expand each word into many variants
  • This takes time
    – Distributed cracking and GPU cracking are common
  • Discover passwords for common words
    – This won’t discover random character passwords
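The brute-force and dictionary cards above describe the two offline approaches in words. The following is an added example, not code from the original flashcards, that runs both against a constructed "password file" of unsalted SHA-256 hashes: a dictionary attack with letter-substitution rules in the spirit of "p&ssw0rd", then a brute force over a small character set for whatever the dictionary missed. The file format (user:hex digest), the wordlist, the substitution table, and the sample passwords are all assumptions made for this example; real crackers use far larger wordlists and rule sets.

```python
import hashlib
import itertools
import string
from typing import Dict, Iterable, Iterator, Tuple

# Added example: offline dictionary and brute-force attacks against a
# constructed password file of unsalted SHA-256 hashes. The "user:hash"
# format, the wordlist and the substitution rules are assumptions for this
# example, not something the flashcards define.

# Constructed sample password file; the plaintexts are chosen for the demo.
PASSWORD_FILE = "\n".join(
    f"{user}:{hashlib.sha256(pw.encode()).hexdigest()}"
    for user, pw in [("alice", "password"), ("bob", "p&ssw0rd"),
                     ("carol", "zq7k"), ("dave", "Xk9#vL2pQ")]
)

WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome"]

# Optional letter substitutions; a word expands to every combination.
SUBSTITUTIONS = {"a": "&@4", "e": "3", "i": "1!", "o": "0", "s": "$5"}


def parse_password_file(text: str) -> Dict[str, str]:
    """Map user -> stored hex digest, one 'user:hash' entry per line."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            user, digest = line.split(":", 1)
            entries[user] = digest.strip().lower()
    return entries


def mangle(word: str) -> Iterator[str]:
    """Yield the word plus every substitution variant, each also capitalised."""
    choices = [[ch] + list(SUBSTITUTIONS.get(ch.lower(), "")) for ch in word]
    for combo in itertools.product(*choices):
        variant = "".join(combo)
        yield variant
        yield variant.capitalize()


def keyspace(charset: str, max_len: int) -> Iterator[str]:
    """Every string over charset up to max_len; size is sum(|charset|**n)."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            yield "".join(combo)


def crack(hashes: Dict[str, str],
          candidates: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Hash each candidate once, look it up against every stored hash.
    Returns (user -> recovered password, number of hashes computed)."""
    by_digest: Dict[str, list] = {}
    for user, digest in hashes.items():
        by_digest.setdefault(digest, []).append(user)  # unsalted: shared digests
    found: Dict[str, str] = {}
    attempts = 0
    for candidate in candidates:
        attempts += 1
        digest = hashlib.sha256(candidate.encode()).hexdigest()
        for user in by_digest.get(digest, []):
            found[user] = candidate
        if len(found) == len(hashes):
            break  # nothing left to crack
    return found, attempts


def dictionary_attack(hashes: Dict[str, str],
                      wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    return crack(hashes, (v for w in wordlist for v in mangle(w)))


def brute_force(hashes: Dict[str, str],
                charset: str = string.ascii_lowercase + string.digits,
                max_len: int = 4) -> Tuple[Dict[str, str], int]:
    return crack(hashes, keyspace(charset, max_len))


if __name__ == "__main__":
    stored = parse_password_file(PASSWORD_FILE)
    found, tried = dictionary_attack(stored, WORDLIST)
    print("dictionary:", found, "hashes computed:", tried)
    remaining = {u: h for u, h in stored.items() if u not in found}
    found2, tried2 = brute_force(remaining)
    print("brute force:", found2, "hashes computed:", tried2)
    print("never cracked:", sorted(set(remaining) - set(found2)))
```

Two things to notice when running it: the dictionary pass finds "password" and its "p&ssw0rd" variant after a few hundred hashes, while the brute-force pass computes about 1.7 million hashes to recover a 4-character password and still never touches the 9-character mixed-case one, whose keyspace is far beyond this charset and length. Because the file is unsalted, one hash computation is compared against every user at once; with a salted, iterated hash each user would have to be attacked separately at a much higher cost per guess.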