GCGA Ch. 10 Understanding Password Attacks (ST) Flashcards
(8 cards)
Password attacks
attempt to discover passwords. An online password attack attempts to discover a password by submitting guesses to a live system. An offline password attack attempts to discover passwords from a captured password database or a packet capture. Passwords are often stored as hashes. Weak hashing algorithms are susceptible to collisions, which allow different passwords to produce the same hash.
Brute force attack
attempts to guess all possible character combinations. Account lockout policies thwart online brute force attacks.
Dictionary attack
uses all the words and character combinations stored in a file. Complex passwords thwart offline password attacks.
Spraying attack
attempts to bypass account lockout policies. An automated program starts with a large list of targeted user accounts. It then picks a password and tries it against every account in the list. It then picks another password and loops through the list again.
Pass the hash attack
the attacker discovers the hash of the user’s password and then uses the hash itself, rather than the password, to log on to the system as the user.
Birthday attack
an attacker attempts to create a password that produces the same hash as the user’s actual password (a hash collision), which lets the attacker authenticate without knowing the real password.
Password salting
adds additional characters to passwords before hashing them and prevents many types of attacks, including dictionary, brute force, and rainbow table attacks.
Key stretching techniques
Three commonly used key stretching techniques are bcrypt, Password-Based Key Derivation Function 2 (PBKDF2), and Argon2. They protect passwords against brute force and rainbow table attacks.