2.4 – Social Engineering - Password Attacks

Questions and Answers

Why is storing passwords as plain text considered a security risk?

• Plain text passwords require more storage space than hashed passwords.
• It is more difficult to recover plain text passwords if they are lost.
• Anyone with access to the storage location can easily read the passwords. (correct)
• Plain text passwords are more susceptible to encryption.

What is the primary purpose of hashing passwords?

• To compress the passwords to save storage space.
• To encrypt the passwords for secure transmission over a network.
• To convert the passwords into a fixed-length string that cannot be easily reversed. (correct)
• To make the passwords easier for users to remember.

Which of the following is a critical characteristic of a secure hashing function for passwords?

• Producing different length hashes for different password lengths.
• The ability to quickly reverse the hash to retrieve the original password.
• Resistance to collisions, where different inputs produce the same hash. (correct)
• Easy memorization of generated hashes.

What is a 'collision' in the context of hashing functions?

When two different inputs produce the same hash output. (A)

Why is the inability to reverse a hashing function a desirable property for password storage?

It prevents unauthorized individuals from obtaining the original password from the stored hash. (D)

In a scenario where an attacker has obtained a file containing password hashes, what is a 'brute force attack'?

Systematically trying every possible password combination to match the stored hash. (C)

If a brute force attack is conducted online against a login system, what is a likely countermeasure that would prevent the attacker from succeeding?

Locking the account after a certain number of failed login attempts. (B)

Why do attackers often prefer to perform brute force attacks offline after obtaining password hashes?

Offline attacks bypass account lockout policies and other online security measures. (A)

What is a 'dictionary attack' in the context of password cracking?

Using a list of common words and phrases to guess passwords. (C)

Why are dictionary attacks often more efficient than pure brute force attacks?

Dictionary attacks focus on likely passwords, reducing the search space. (C)

How do attackers commonly enhance dictionary attacks to account for predictable user substitutions (e.g., replacing 'o' with '0')?

By incorporating rules to modify dictionary words with common substitutions. (A)

What is a limitation of dictionary attacks in password cracking?

They cannot crack passwords that are not in the dictionary. (A)

What type of resource is commonly utilized to accelerate password cracking processes, particularly in distributed cracking methods?

Graphical Processing Units (GPUs) (C)

Why might an attacker use a specialized dictionary containing medical terms when attempting to crack passwords obtained from a medical facility?

Users in that field may include relevant terms in their passwords. (C)

How does salting improve password security?

It adds a unique random string to each password before hashing. (C)

What is the purpose of key stretching?

To increase the time it takes to crack a password. (C)

Which of the following is an example of a strong password policy?

Enforcing a minimum password length of 12 characters and complexity requirements. (A)

Why is multi-factor authentication (MFA) recommended?

It provides an additional layer of security even if a password is compromised. (D)

Which of the following is a technique to make it computationally expensive to crack multiple passwords at once?

Using a long, random unique salt for each password. (B)

What strategy might an attacker employ after discovering that a set of password hashes is utilizing a weak hashing algorithm?

Attempting to reverse the hashes directly using the algorithm's known vulnerabilities (C)

Flashcards

Plain Text Passwords

Storing passwords in an unencrypted, readable format.

Password Hash

A cryptographic function that converts an input (password) into a fixed-size string of text (message digest or fingerprint).

Hash Collision

The undesirable event where two different inputs produce the same hash output.

Brute Force Attack

An attack that attempts every possible password combination to match a stored hash.

Dictionary Attack

An attack that uses a list of common words to guess passwords.

Offline Brute Force Attack

Taking hash files to attempt password cracking offline.

Distributed Cracking

Using multiple computers or GPUs to speed up the password cracking process.

Password Mutation

Changing common letter substitutions (e.g., 'O' to '0', 'L' to '1') during a dictionary attack.

Study Notes

• Passwords often serve as the primary credential to protect access to services.
• Storing passwords in clear text or unencrypted form by a service is rare but insecure.
• With clear text passwords, anyone with access to the file or database can view everyone's credentials.
• If developers won't change, you have to use the app with security concerns or remove it entirely.

Password Hashing

• Never store passwords as plain text.
• Passwords should be stored as a hash, a cryptographic method that creates a fixed-length string of text from an input.
• This fixed-length string is called a message digest or fingerprint.
• Each input into a hashing function produces a unique output.
• The goal is to create a hashing function that makes it very difficult to have the same fingerprint or hash between two different inputs, known as a collision.
• If a hashing function has many collisions, a different hashing function may be considered.
• Once a hash is created, it's impossible to reverse the process and obtain the original message.

Hashing Examples

• Different operating systems and applications may use and store hashes in different ways.
• Linux systems store the username, account number, and password hash on the same line in the password file.
• While you can’t reverse a hash to find the original password, you can perform a brute-force attack to try every possible password trying to find a match.

Brute-Force Attacks

• In a brute force attack, every possible combination of letters, numbers, and special characters is tried until a hash match is found.
• Brute-force attacks can be time-consuming, depending on the hashing algorithm being used.
• Brute force example showed how after trying AAAAA, AAAAB, AAAAC, etc., eventually the word “password” was found to match the hash.
• Performing a brute-force attack online is usually not feasible because of account lockouts after a certain number of failed attempts.
• Hackers will often take a copy of the hash file offline and perform the brute-force attack on their own systems.
• This requires significant CPU resources to go through every possible password combination.

Dictionary Attacks

• Dictionary attacks use a list of words from a dictionary to try and match password hashes.
• Dictionary attacks are faster as the number of words in a dictionary is less than the possible combinations of characters in a brute force attack.
• Attackers often use specialized word lists for dictionary attacks.
• Attackers know that users commonly substitute letters with numbers or symbols, such as changing O to 0 or L to 7, and account for these substitutions during dictionary attacks.
• Even with smaller word lists, dictionary attacks can use a lot of CPU, leading to the use of distributed cracking methods or GPUs to increase processing power.
• Dictionary attacks will not be successful if the password is not in the dictionary.
• Dictionary attacks are effective against passwords that contain common words.