2.4 - Password Attacks

Question 1

Plaintext / unencrypted passwords

Answer 1

• Some applications store passwords “in the clear”
  – No encryption. You can read the stored password.
  – This is rare, thankfully
• Do not store passwords as plaintext
  – Anyone with access to the password file or
  database has every credential
• What to do if your application saves passwords
  as plaintext:
  – Get a better application

Question 2

Hashing a password

Answer 2

• Hashes represent data as a fixed-length string of text
  – A message digest, or “fingerprint”
• Will not have a collision (hopefully)
  – Different inputs will not have the same hash
• One-way trip
  – Impossible to recover the original message
  from the digest
  – A common way to store passwords

Question 3

The password file

Answer 3

• Different across operating systems and applications
  – Different hash algorithms

Question 4

Brute force

Answer 4

• Try every possible password combination
  until the hash is matched
• This might take some time
  – A strong hashing algorithm slows things down
• Brute force attacks - Online
  – Keep trying the login process
  – Very slow
  – Most accounts will lockout after a number of
  failed attempts
• Brute force the hash - Offline
  – Obtain the list of users and hashes
  – Calculate a password hash, compare it to a stored
  hash
  – Large computational resource requirement

Question 5

Dictionary attacks

Answer 5

• Use a dictionary to find common words
  – Passwords are created by humans
• Many common wordlists available on the ‘net
  – Some are customized by language or line of work
• The password crackers can substitute letters
  – p&ssw0rd
• This takes time
  – Distributed cracking and GPU cracking is common
• Discover passwords for common words
  – This won’t discover random character passwords