Password Authentication Methods

Questions and Answers

What is the primary method for logging into an account conventionally?

  • Biometric scan
  • Entering an account username and a password (correct)
  • Using a security question
  • Two-factor authentication

In plain password authentication, passwords are encrypted before being stored in the server's database.

False (B)

What is the purpose of hashing passwords before storing them?

To create a digest of the password that cannot be reversed to obtain the original password.

In salted password authentication, a ______ is added to the password before hashing to prevent attacks.

salt

Match the password authentication method with its description:

  • Plain password authentication = Storing passwords as plain text.
  • Hashed password authentication = Storing a one-way hash of the password.
  • Salted hashed password authentication = Adding a random text to the password before hashing.

How does a password spraying attack work?

By selecting one or a few common passwords and entering them when trying to log in to several user accounts. (C)

A brute force attack is done in a random fashion to determine the user's password.

False (B)

What is the primary difference between an online and offline brute force attack?

An online brute force attack involves direct attempts on an account, while an offline attack uses a stolen digest file.

A ______ attack uses rules to generate possible password variations from a username or pre-configured words.

rule

What is the first step in a rule attack?

Obtaining a small sample of the stolen password plaintext file. (C)

A dictionary attack is ineffective because users rarely create passwords from common dictionary words.

False (B)

What is a 'preimage attack' in the context of dictionary attacks?

A preimage attack compares a known digest (dictionary word) to an unknown stolen digest.

______ make password attacks faster by creating a large pregenerated dataset of candidate digests.

Rainbow tables

What are the advantages of using rainbow tables over other password attack methods?

They are much faster than dictionary attacks and can be used repeatedly. (A)

Using stolen password collections is no longer a common method for password cracking.

False (B)

Why are websites that host lists of leaked passwords useful for attackers?

These sites provide wordlists, statistics, and masks for rule attacks, aiding in cracking passwords.

What is the main purpose of using a 'salt' in password hashing?

To add a random text to the beginning of the password before hashing (D)

Online brute force attacks are commonly used by attackers because they are the most efficient method for cracking passwords.

False (B)

What type of analysis is conducted in a rule attack to create a mask of the candidate password?

Statistical analysis

Match the attack with its description:

  • Password Spraying = Trying a few common passwords across many accounts.
  • Brute Force Attack = Trying every possible combination of characters in a password.
  • Dictionary Attack = Comparing password digests to a list of common words.

Which of the following password authentication methods stores the password in plain text?

Plain password authentication (B)

Whenever a user sends their username and password, their password is not hashed before being compared with the stored hashed password.

False (B)

In salted hashed password authentication, what step is taken before the entered password is passed to the same hashing algorithm when a user signs in?

The entered password is combined with the stored plain salt.

In an offline brute force attack, the candidates are matched against those in a ______ to find a match.

stolen digest file

How many steps are there in a rule attack?

3 (C)

Flashcards

Conventional Login Process

The conventional login process involves entering a username and password, which are checked against stored credentials in a server's database. Access is granted upon a match; otherwise, it is rejected.

Plaintext Passwords

In early systems, passwords were stored as plaintext, making them easily accessible to attackers who could breach the system.

Hashed Password Authentication

Storing passwords as hash values (message digests) rather than plaintext. When a user logs in, the entered password is also hashed, and this hash is compared to the stored hash.

Salted Hashed Password

Adding a random string (salt) to each password before hashing. The database stores both the salt and the hashed password.


Password Spraying

An attack that attempts to access multiple accounts using a few common passwords.


Brute Force Attack

An attack that systematically tries every possible combination of characters to guess a user's password.


Online Brute Force Attack

A type of brute-force attack where the attacker continuously tries different passwords on the same account.


Offline Brute Force Attack

A type of brute-force attack that uses a stolen digest file to crack passwords offline.


Rule Attack

An attack that conducts a statistical analysis on stolen passwords to create a mask of the format of the candidate password.


Dictionary Attack

An attack that uses a list of common words to guess passwords.


Preimage Attack

A dictionary attack where known digests are compared to unknown digests.


Rainbow Tables

A pre-computed table containing hash values for a large set of possible passwords, used to speed up password cracking.


Password Collections

Collections of stolen passwords used as candidate passwords in cracking software.


Study Notes

Attacks on Passwords

  • The conventional login method involves entering a username and its paired password.
  • The system checks the entered information against the stored password in the server's database.
  • The system accepts the user request if a match occurs; otherwise, the system rejects it.

Plain Password Authentication

  • Older systems stored passwords as plain text, easily accessible to attackers who gained system access.

Hashed Password Authentication

  • Hashed passwords are kept within the database.
  • The system hashes a user's password before comparing it to the stored hashed password when logging in.
  • Access is granted if there is a match; otherwise, the request is denied.
  • A one-way hash algorithm is used to create a message digest (hash) of the plaintext password, so that the plaintext cannot be recovered from the stored value.
  • When a user logs in, a digest is created from the entered password, compared against the stored digest, and the user is authenticated if both digests match.

Salted Hashed Password Authentication

  • A salted hash adds a random string (salt) to the beginning of the user's password before hashing; a fresh salt is generated for each password.
  • The database stores both the plain salt and the digest of the salt-and-password combination.
  • When a user logs in, the system combines the entered password with the stored plain salt before hashing it.
  • The result is compared to the stored digest value, and if it matches, the user is authenticated.
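The salted storage and verification flow described above, written out as an added example (not code from the original lesson); the in-memory dictionary standing in for the server's database and the use of SHA-256 as the one-way hash are assumptions made here.

```python
import hashlib
import hmac
import secrets


def hash_with_salt(salt: bytes, password: str) -> bytes:
    # One-way hash of the salt placed at the beginning of the password,
    # as the study notes describe. SHA-256 is an assumption for this demo;
    # production systems use a deliberately slow KDF such as PBKDF2 or bcrypt.
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def register(db: dict, username: str, password: str) -> None:
    # A fresh random salt per user; the database keeps the plain salt
    # next to the digest of salt + password (never the password itself).
    salt = secrets.token_bytes(16)
    db[username] = {"salt": salt, "digest": hash_with_salt(salt, password)}


def verify(db: dict, username: str, password: str) -> bool:
    # Login: combine the entered password with the stored plain salt,
    # hash it the same way, and compare against the stored digest.
    record = db.get(username)
    if record is None:
        return False
    candidate = hash_with_salt(record["salt"], password)
    # Constant-time comparison so timing does not leak digest bytes.
    return hmac.compare_digest(candidate, record["digest"])


def same_password_distinct_digests(password: str) -> bool:
    # Why the salt matters: two users with the same password end up with
    # different stored digests, so one pregenerated table cannot serve both.
    db = {}
    register(db, "alice", password)
    register(db, "bob", password)
    return db["alice"]["digest"] != db["bob"]["digest"]


if __name__ == "__main__":
    db = {}  # constructed in-memory "database": username -> record
    register(db, "alice", "Password1")
    print(verify(db, "alice", "Password1"))            # True
    print(verify(db, "alice", "password1"))            # False
    print(same_password_distinct_digests("123456"))    # True
```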

Password Spraying

  • The attack selects a few common passwords like "Password1" or "123456".
  • The selected password is used when logging into several user accounts.
  • Because this targeted guess is spread across many accounts, it is much less likely to raise alarms or lock out the user account from failed password attempts.
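Because the failures are spread thinly across many accounts, per-account lockout thresholds do not fire; a defender instead looks for one source failing against many distinct accounts. The detection below is an added example (not part of the lesson), run over constructed sample log lines in an assumed format of timestamp, source IP, username and outcome.

```python
from collections import defaultdict

# Constructed sample authentication log (not real data).
# Format assumed here: "<timestamp> <source-ip> <username> <OK|FAIL>".
SAMPLE_LOG = """\
2024-01-01T10:00:01 198.51.100.7 alice FAIL
2024-01-01T10:00:02 198.51.100.7 bob FAIL
2024-01-01T10:00:03 198.51.100.7 carol FAIL
2024-01-01T10:00:04 198.51.100.7 dave FAIL
2024-01-01T10:00:05 198.51.100.7 erin FAIL
2024-01-01T10:00:06 198.51.100.7 frank FAIL
2024-01-01T10:01:00 203.0.113.9 alice FAIL
2024-01-01T10:01:05 203.0.113.9 alice FAIL
2024-01-01T10:01:09 203.0.113.9 alice OK
"""


def parse(log: str):
    # Yield (timestamp, source, user, outcome) for each well-formed line.
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield tuple(parts)


def spray_sources(log: str, min_accounts: int = 5, max_per_account: int = 2):
    """Return sources whose failures look like spraying: many distinct
    accounts, each with only a few failures (below a typical lockout
    threshold). A source hammering one account is a different pattern
    and is deliberately not flagged here."""
    fails = defaultdict(lambda: defaultdict(int))  # source -> user -> count
    for _, src, user, outcome in parse(log):
        if outcome == "FAIL":
            fails[src][user] += 1
    flagged = []
    for src, per_user in fails.items():
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
            flagged.append(src)
    return sorted(flagged)


if __name__ == "__main__":
    print(spray_sources(SAMPLE_LOG))   # ['198.51.100.7']
```

The second source fails twice against a single account and then succeeds, so it stays below the distinct-account threshold and is not reported.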

Brute Force Attack

  • The user's password is discovered by attempting every possible combination of letters, numbers, and characters in a systematic, non-random order.

Online Brute Force Attack

  • It is unlike a password spraying attack where one password is used on multiple accounts.
  • This attack involves continuously attacking the same account (the account is said to be "pounded") by entering different passwords.
  • The method is impractical because it could take thousands of years to guess a password.
  • Most accounts disable logins after a limited number of incorrect attempts, often five, ending the threat.

Offline Brute Force Attack

  • The attack begins with a stolen digest file loaded onto a computer running password cracking software.
  • Candidate digests of every possible combination of letters, numbers, and characters are created.
  • The generated candidates are matched against those in the stolen digest file to find a match.
  • It is the slowest yet most thorough method.

Rule Attack

  • This attack uses rules to generate password variations from a username or pre-configured words in the input.
  • Rule attacks conduct statistical analysis on stolen passwords to formulate a mask representing the candidate password format.
  • The mask can be used by the program (u uppercase, l lowercase, d digit) to crack a password in less time.
  • Three basic steps of a rule attack:
    • A small sample of the stolen password plaintext file is obtained.
    • Statistical analysis is performed on the sample to determine the length and character sets of the passwords.
    • A series of masks is generated that will be most successful in cracking the highest percentage of passwords.

Dictionary Attack

  • The attack starts with the attacker creating digests of common dictionary words as candidates.
  • The digests are compared to those in a stolen digest file.
  • The method works because users often create passwords from simple dictionary words.
  • A dictionary attack that compares a set of dictionary-word digests to stolen digests is a preimage attack.
  • A preimage attack compares a known digest (of a dictionary word) to an unknown digest (a stolen digest).

Rainbow Tables

  • Rainbow tables facilitate attacks with pregenerated datasets of candidate digests.
  • A rainbow table stores compressed representations of passwords, ordered in sequences called chains.
  • Creating the table takes time, but it provides advantages: rainbow tables can be reused for repeated attacks, are faster than dictionary methods, and require less memory on the attacking machine.

Password Collections

  • Stolen collections are the foundation of password cracking today.
  • Almost all cracking software tools accept stolen "wordlists".
  • Websites host lists of leaked passwords and stats/masks for rule attacks.
  • Websites attempt to crack submitted password collections, with one having over 1.45 trillion cracked hashes.
