Password attacks attempt to discover or bypass the passwords used to authenticate to systems and networks, and the passwords that protect individual files. Although there are many attack methods, they fall into two generic categories: online password attacks and offline password attacks.
An online password attack attempts to discover a password by interacting with a live system. For example, an attacker who repeatedly tries to log on to an account by guessing the user’s password is performing an online attack. Every guess goes to the target system, so the system can see and throttle the attempt.
Offline password attacks attempt to discover passwords from data the attacker has already captured, such as a stolen database or a packet capture. For example, when attackers break into a web site and cause a data breach, they can download entire databases and then run offline attacks against the password hashes those databases contain. Similarly, Wi-Fi Protected Access (WPA) cracking attacks first capture the four-way handshake exchanged when a WPA client authenticates with a wireless access point. With those packets in hand, the attacker runs an offline attack against the captured handshake to recover the WPA pre-shared key (the Wi-Fi password). Because none of these guesses touch a live system, the defender never sees them; only the strength of the password and the cost of the hashing function limit how fast the attacker can work.
The following sections cover some specific types of password attacks; others, such as rainbow table attacks, are covered elsewhere on this blog.
Brute Force Password Attacks
A brute force attack attempts to guess a password by trying every possible character combination. One of the best protections against offline brute force attacks is to use complex passwords. Complex passwords include a mix of uppercase letters, lowercase letters, numbers, and special characters. Additionally, longer passwords are much more difficult to crack than shorter passwords: the number of combinations grows as the size of the character set raised to the power of the length, so each added character multiplies the attacker’s work, while a larger character set only enlarges the base.
Account lockout policies are effective against online brute force attacks. An account lockout setting locks an account after a user enters an incorrect password a preset number of times (the lockout threshold), so an attacker gets only a handful of guesses before the account is disabled. Lockout does nothing against offline attacks, since those never touch the live system, and a low threshold lets an attacker deliberately lock legitimate users out by entering wrong passwords on their behalf.
Additionally, key stretching techniques such as bcrypt and Password-Based Key Derivation Function 2 (PBKDF2) make brute force attacks far more expensive. They add a random salt to each password, so two users with the same password get different hashes and precomputed tables become useless, and they iterate the underlying hash function many thousands of times, so each guess costs the attacker thousands of hash computations instead of one.
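The exhaustive search itself, the keyspace arithmetic behind "longer is harder", and a minimal account lockout counter, as an added Python example that is not part of the original post. The target hash, the three-character password it was computed from, the usernames and the lockout threshold are all constructed for the demonstration; nothing here is a real tool's code.

```python
"""Brute force password attack and its defences (added example).

The target below is the unsalted MD5 of a constructed three-character
password, the kind of thing a weak legacy system might store. Realistic
targets are longer, which is exactly what the keyspace arithmetic shows.
"""
import hashlib
import itertools
import string
from typing import Optional, Tuple

CHARSET = string.ascii_lowercase + string.digits   # 36 symbols
TARGET_MD5 = hashlib.md5(b"a1z").hexdigest()       # constructed target


def keyspace_size(charset_size: int, length: int) -> int:
    """Candidates for passwords of exactly `length` characters."""
    return charset_size ** length


def total_candidates(charset_size: int, max_length: int) -> int:
    """Candidates for every length from 1 to max_length, which is what a
    brute force must enumerate when it does not know the length."""
    return sum(charset_size ** n for n in range(1, max_length + 1))


def brute_force_md5(target_hex: str, charset: str, max_length: int) -> Tuple[Optional[str], int]:
    """Try every combination of `charset` up to `max_length` against an unsalted MD5.

    Returns (password, guesses) on success or (None, guesses) when the keyspace
    is exhausted. Each guess costs one MD5 computation, which is why fast
    hashes are a poor choice for password storage.
    """
    guesses = 0
    for length in range(1, max_length + 1):
        for combo in itertools.product(charset, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if hashlib.md5(candidate.encode()).hexdigest() == target_hex:
                return candidate, guesses
    return None, guesses


class LockoutPolicy:
    """Account lockout: the online defence that caps guesses per account.

    After `threshold` consecutive failures the account refuses all further
    attempts, including the correct password, until an administrator (or a
    timer, not modelled here) unlocks it.
    """

    def __init__(self, threshold: int = 5) -> None:
        self.threshold = threshold
        self.failures = {}   # username -> consecutive failed attempts
        self.locked = set()

    def attempt(self, username: str, password: str, real_password: str) -> str:
        """Process one login attempt; returns 'ok', 'denied' or 'locked'."""
        if username in self.locked:
            return "locked"
        if password == real_password:   # a real system compares hashes, not plaintext
            self.failures[username] = 0
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= self.threshold:
            self.locked.add(username)
            return "locked"
        return "denied"


if __name__ == "__main__":
    password, guesses = brute_force_md5(TARGET_MD5, CHARSET, max_length=3)
    print(f"recovered {password!r} after {guesses} of {total_candidates(36, 3)} candidates")
    # Length beats character-set size: 12 lowercase letters beat 8 characters
    # drawn from all 95 printable ASCII symbols.
    print(f"95^8  = {keyspace_size(95, 8):.3e}")
    print(f"26^12 = {keyspace_size(26, 12):.3e}")
    policy = LockoutPolicy(threshold=3)
    for guess in ["123456", "password", "qwerty", "s3cret!"]:
        print(guess, "->", policy.attempt("alice", guess, "s3cret!"))
```

The search finds the three-character password after a few thousand MD5 computations; the two printed keyspaces show that adding four lowercase characters outweighs moving from 26 symbols to 95. The lockout run ends with the correct password being refused, which is the trade-off the text describes.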
Dictionary Password Attacks
One of the original password attacks uses a dictionary of words and tries every word in it to see whether one works. The dictionaries used in these attacks have evolved over time and now include many of the common passwords that users who have never been taught password hygiene choose for their accounts. For example, even though 12345 isn’t a dictionary word, many people use it as a password, so strings like this have been added to the wordlists used by dictionary attack tools.
Complex passwords thwart these attacks, because a complex password won’t appear in any wordlist. Note that modern cracking tools also apply mangling rules to each word (capitalizing it, appending digits or a year, swapping letters for look-alike symbols), so a dictionary word with a digit tacked on, such as Password1, is still a dictionary password as far as the attacker is concerned.
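A dictionary attack against a constructed breach database, as an added Python example that is not the post's own code. The wordlist, the usernames, their passwords and the handful of mangling rules are all made up for the demonstration; the only value taken from the post is the MD5 hash of 12345. The example goes slightly beyond the text by applying mangling rules, which is how real cracking tools turn a plain wordlist into the Summer2019! and p@$$w0rd variants that users believe are complex.

```python
"""Dictionary password attack with mangling rules (added example).

The "breached database" is constructed here by hashing a few made-up user
passwords with unsalted MD5, the way a weak legacy application might store
them. WORDLIST is a tiny stand-in for the multi-million-entry lists real
tools ship with.
"""
import hashlib
from typing import Dict, Iterator, List, Optional

# Constructed wordlist: dictionary words plus the non-words people actually use.
WORDLIST = ["password", "summer", "letmein", "welcome", "12345", "qwerty"]

# Constructed breach: username -> unsalted MD5 hex digest. alice's entry is the
# MD5 of 12345 quoted in the post; the others are computed from made-up passwords.
BREACHED_DB = {
    "alice": "827ccb0eea8a706c4c34a16891f84e7b",
    "bob": hashlib.md5(b"Summer2019!").hexdigest(),
    "carol": hashlib.md5(b"p@$$w0rd").hexdigest(),
    "dave": hashlib.md5(b"7Fk#qL9zR2wX").hexdigest(),   # not derivable from any word
}

# Letter-for-symbol substitutions that users believe add complexity.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def mangle(word: str) -> Iterator[str]:
    """Yield every candidate one base word expands to under a small rule set.

    Real crackers (hashcat, John the Ripper) ship hundreds of such rules; these
    few are enough to show that 'Password1' is not meaningfully stronger than
    'password'. 4 base forms x 5 suffixes = 20 candidates per word.
    """
    base_forms = [word, word.capitalize(), word.upper(), word.translate(LEET)]
    suffixes = ["", "1", "123", "!", "2019!"]   # digits, '!' and years are common appendages
    for base in base_forms:
        for suffix in suffixes:
            yield base + suffix


def dictionary_attack(targets: Dict[str, str], wordlist: List[str]) -> Dict[str, Optional[str]]:
    """Hash each mangled candidate once and match it against every target hash.

    Returns username -> recovered password, or None if the wordlist never hit.
    Unsalted hashes make this cheap: one MD5 per candidate checks all accounts.
    """
    by_hash: Dict[str, List[str]] = {}
    for user, digest in targets.items():
        by_hash.setdefault(digest, []).append(user)
    recovered: Dict[str, Optional[str]] = {user: None for user in targets}
    for word in wordlist:
        for candidate in mangle(word):
            digest = hashlib.md5(candidate.encode()).hexdigest()
            for user in by_hash.get(digest, []):
                recovered[user] = candidate
    return recovered


if __name__ == "__main__":
    for user, password in dictionary_attack(BREACHED_DB, WORDLIST).items():
        print(f"{user:6} {password if password else '(not in wordlist)'}")
```

Three of the four accounts fall to a six-word list with a few rules; only the random-looking password survives, because no rule derives it from a word. Inverting the target map up front is what makes unsalted hashes so cheap to attack: each candidate is hashed once for all accounts, whereas salted hashes would force a separate computation per account.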
Hash Attacks
Most systems don’t store the actual password for an account. Instead, they store a hash of the password, and hash attacks target that stored hash rather than the password itself. A hash is simply a fixed-length number produced by running data through a hashing algorithm such as Message Digest 5 (MD5) or Secure Hash Algorithm 1 (SHA-1). MD5 and SHA-1 are general-purpose hashes designed to be fast, and that speed is exactly what makes them a poor choice for storing passwords: an attacker testing guesses offline gets the same speed.
As an example, if a user’s password is IC@nP@$$S3curity+, the system calculates the hash and stores that instead of the password. In this example, the MD5 hash is 75c8ac11c86ca966b58166187589cc15. Later, when the user authenticates with a username and password, the system calculates the hash of the password the user entered and compares it against the stored hash. If the two match, the user entered the correct password; the system never needs the plaintext again after the initial hash is computed.
Similarly, many authentication protocols avoid sending the plaintext password across the network. Instead, the client sends a hash of the password, or a value derived from it in a challenge-response exchange, normally inside an encrypted session. Web applications that accept a password in a login form are the common exception: they do send the plaintext and rely on TLS to protect it in transit.
Unfortunately, tools are available to recover many hashed passwords. For example, MD5 Online lets you enter a hash and returns the matching plaintext. If the password is 12345, the MD5 hash is 827ccb0eea8a706c4c34a16891f84e7b; enter that hash into MD5 Online and it returns 12345 in about a second. The site isn’t cracking anything at that moment. It keeps a precomputed database of the hashes of dictionary words and common passwords, and if the submitted hash matches an entry, it returns the stored plaintext. Salting defeats this kind of lookup: the hash of a salted password is not in anyone’s precomputed database, so the attacker is pushed back to guessing one password at a time.
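The store-hash-then-compare login flow described above, a precomputed reverse-lookup table of the kind MD5 Online answers from, and the salted, key-stretched storage mentioned under brute force attacks, together in one added Python example that is neither the post's code nor MD5 Online's. The common-password list and the usernames are constructed; the MD5 values for 12345 and password are the well-known digests of those strings. PBKDF2-HMAC-SHA256 is used because it is in the standard library; bcrypt would serve the same purpose.

```python
"""Hash storage, login verification, reverse-lookup tables and salting
(added example; not the post's code and not MD5 Online's).

PBKDF2-HMAC-SHA256 from the standard library stands in for any key
stretching function; bcrypt would serve the same purpose.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed stand-in for a lookup service's precomputed database.
COMMON_PASSWORDS = ["12345", "password", "qwerty", "letmein", "iloveyou"]


def build_md5_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Precompute digest -> plaintext once, offline; that is the whole trick."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def reverse_lookup(table: Dict[str, str], digest_hex: str) -> Optional[str]:
    """Answer instantly from the table: no cracking happens at query time."""
    return table.get(digest_hex.lower())


# ---- Salted, key-stretched storage ------------------------------------------
PBKDF2_ITERATIONS = 600_000   # OWASP (2023) recommendation for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh 16-byte random salt is drawn unless one is supplied (only tests
    should supply one), so two users with the same password get different records.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algorithm}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


# ---- The login flow from the text: store the hash, compare hashes later -----
def register(user_db: Dict[str, str], username: str, password: str,
             iterations: int = PBKDF2_ITERATIONS) -> None:
    """Store only the hash record; the plaintext is never written anywhere."""
    user_db[username] = hash_password(password, iterations=iterations)


def login(user_db: Dict[str, str], username: str, password: str) -> bool:
    """Hash what the user typed and compare it with the stored record."""
    record = user_db.get(username)
    if record is None:
        # Burn the same work for an unknown user so response time does not
        # reveal which usernames exist.
        hash_password(password)
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    table = build_md5_lookup_table(COMMON_PASSWORDS)
    print(reverse_lookup(table, "827ccb0eea8a706c4c34a16891f84e7b"))   # 12345, instantly
    db: Dict[str, str] = {}
    register(db, "alice", "12345")
    print(db["alice"])
    # Same weak password, but the salted, stretched record is in no one's table.
    print(reverse_lookup(table, db["alice"].split("$")[3]))          # None
    print(login(db, "alice", "12345"), login(db, "alice", "12346"))  # True False
```

The record format carries its own salt and iteration count, so the iteration count can be raised later without breaking existing accounts: old records verify with their stored count and are re-hashed on the next successful login. The lookup table still answers for unsalted MD5 of 12345 but has nothing to say about the salted record of the very same password, which is the point of the salt.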