Password Security Best Practices

Questions and Answers

Why is it dangerous for applications to store passwords as plain text?

• Plain text passwords are difficult to read.
• Plain text passwords offer better security.
• Hackers can easily access usernames and passwords if they find the database. (correct)
• Storing passwords as plain text saves storage space.

What is the recommended way to store passwords securely?

• Using a hash function to convert the password into a unique string. (correct)
• Storing passwords in plain text in a database.
• Printing out the passwords and storing them in a safe.
• Encrypting passwords with a simple algorithm.

How does hashing a password differ from storing it as plain text in a database?

• Storing passwords as plain text is faster than hashing them.
• Hashed passwords can be easily decrypted by attackers.
• Hashed passwords provide better security as they are irreversible. (correct)
• Plain text passwords are shorter in length compared to hashed passwords.

Why does the text mention that hashes are a 'one way trip'?

Once hashed, a password cannot be retrieved back to its original form. (C)

What happens if an attacker gains access to a database storing plain text passwords?

The attacker can uncover everyone's usernames and passwords easily. (A)

What advantage do hashes offer compared to plain text when storing passwords?

Hashes ensure that each password has a unique representation that cannot be reverted back. (B)

What kind of attack involves programmatically stepping through every possible combination of a password offline?

Brute force attack (C)

What do attackers use in a dictionary attack to try to find passwords?

Common words from dictionaries (B)

Which method involves taking advantage of external high-speed processors for password cracking?

GPU attack (A)

What is the purpose of a rainbow table in password cracking?

Quickly searching for passwords based on precomputed hashes (D)

What type of attack would an attacker be performing if they were trying to match hashes against a list of precomputed hash values?

Rainbow attack (B)

What is a common strategy used by attackers during a dictionary attack?

Performing letter substitutions (C)

Which type of attack generally leads to an account being locked out due to multiple incorrect password attempts?

Brute force attack (C)

'1234' is an example of what kind of password commonly used in weak security scenarios?

'dictionary' password (B)

What method do attackers use to find common passwords like 'ninja' or 'dragon' after performing a dictionary attack?

Search through rainbow tables (D)

What is the main characteristic of a cryptographic algorithm mentioned in the text?

It cannot be reversed (B)

What hashing algorithm is specifically highlighted in the text?

SHA-256 (B)

Why is it impossible to restore the original password from its hash?

The original password is not stored within the hash (A)

What type of attack involves trying some common passwords on multiple accounts?

Spraying attack (B)

Why do attackers use spraying attacks instead of brute force attacks?

To avoid generating alarms and account lockouts (B)

What is a strong indicator that somebody is attempting unauthorized access to an account?

Triggering alarms and alerts (A)

In a brute force attack, what is the method used to determine a password?

Try every possible combination until a match is found (C)

How do attackers usually obtain usernames and password hashes from a system?

Downloading the password file from the system (C)

What is the purpose of hashing passwords in a system?

To encrypt passwords for secure storage (D)

What differentiates a spraying attack from a brute force attack?

Spraying attack involves trying common passwords, while brute force tries all possible combinations. (A)

What is the purpose of including a salt when storing passwords?

To prevent rainbow table attacks (B)

Why do different rainbow tables need to be created for different applications or operating systems?

Due to different methods used to create hashes (A)

What happens if two users have the same password but are using salted hashing?

The hash stored in the table is different for each user (D)

What was the significance of 'collection number one' in January 2019?

It was a large scale data breach compromising millions of accounts (A)

How does salting passwords impact the effectiveness of pre-built tables like rainbow tables?

Salting makes rainbow tables ineffective (C)

What would be the drawback of an attacker when passwords are salted?

The attacker faces difficulties due to random salts (B)

How does salting affect identical passwords of different users?

It converts them to different hashes (C)

What information does 'haveibeenpwned.com' provide to users?

'Have I been part of any data breaches' information (D)

'Collection number one' included over 1.1 billion unique what?

'Collection number one' emails (D)

Besides preventing rainbow table attacks, what other reason is mentioned for using salts?

To differentiate between users with same password (B)