Ch4 - 4.03 - Looking at Password Attacks Flashcards
Dictionary Attack
A dictionary attack involves the hacker using a program that has a list of popular usernames in one text file and a list of words in a language dictionary that are to be tried as passwords in another file. The dictionary file normally contains all of the words in a language and can be downloaded from the Internet.
The disadvantage of the dictionary attack is that most passwords today are complex passwords in the sense that they require letters, numbers, and symbols. This makes the dictionary attack ineffective because those passwords are not dictionary words.
Brute-Force Attack
A brute-force attack is a password attack that involves using password-cracking software to mathematically calculate every possible password. Normally, the hacker would configure the password-cracking software with requirements such as the number of characters and whether to use letters, numbers, and symbols.
The benefit of a brute-force attack from the hacker’s point of view is that it is very effective—it will crack the passwords on a system if it has enough time to do so. The disadvantage of a brute-force attack is the time it takes to complete it. Due to the large number of possible passwords, it could take years for the password crack to complete!
Hybrid Attack
Another type of password attack is known as a hybrid attack. A hybrid attack involves the password-cracking software using a dictionary file, but after the software tries a word from the dictionary file, it then tries to modify the word. Examples of modifications that the cracking software will use are to place numbers after the word and possibly to replace characters. For example, after the word “house” is attempted, the software will then try “house1,” “house2,” and so on. Examples of popular character replacement scenarios include replacing the “a” in the word with an “@” symbol, replacing an “L” with the number “1”, and replacing the “o” with a “0.”
Birthday Attacks
A birthday attack is a type of attack performed on hashing functions. It has been found that if you try enough data inputs, you will find two different inputs that generate the same hash value. This is known as a birthday attack because the theory is based on the fact that when you select a large, random group of people, you will have people with duplicate birth dates.
Rainbow Tables
Rainbow tables are used to speed up the process of performing a brute-force attack. Recall that brute-force attacks can take a very long time. To speed the process up, the hacker can generate rainbow tables, which are files that contain all mathematically possible passwords based on criteria given by the rainbow table generator.
Rainbow tables are beneficial when the hacker is performing the attack because the calculations are already in the table (file); the hacker is simply reading a file. So the hacker gets the complexity of a brute-force attack, but the speed of a dictionary attack.
Known-Plaintext Attacks (KPAs)
Another common type of password attack is called the known-plaintext attack, or KPA for short. With a known-plaintext attack, the hacker knows the plaintext value of a password (known as the crib) and the corresponding encrypted version (known as ciphertext). With this information, the hacker can then work on figuring out the encryption keys and other passwords.
Online vs. Offline Attacks
With an online attack, the hacker is trying to crack the password against the live system. The problem with this is that the hacker risks getting detected and locking out the accounts. If the hacker can get a copy of the user account database on a flash drive, the hacker can then take that away with them and try to crack the passwords offline.
…
One thing to understand about your password policy and account lockout policy is that they do not have any effect if the hacker is performing an offline password attack. In an offline password attack, the hacker gets physical access to the system, copies the user account database to a flash drive, and takes the database away. The hacker then attacks from their own home, where you have no password policy or account lockout policy in place. After the hacker cracks the passwords, they can then gain access to the systems by using the usernames and passwords that have been discovered.