1_2_9 Section 1 – Attacks, Threats, and Vulnerabilities - 1.2 – Attack Types - Password Attacks

Questions and Answers

What is the main reason an attacker loves applications that store passwords as plain text?

High level of security

Complex encryption techniques

Easy access to usernames and passwords (correct)

Difficult to retrieve data

Why is storing passwords as plain text considered a security risk?

Hashing passwords is a complex process

Storing passwords as plain text is more secure than hashing

Plain text passwords cannot be accessed by anyone

Passwords can be easily read if the database is accessed by an attacker (correct)

What is the recommended method for storing passwords securely?

Disabling password storage completely

Storing passwords in plain text

Using hashes (correct)

Encrypting passwords with a reversible algorithm

What is unique about the hash of a password?

It is very specific to a particular password and cannot be duplicated on a system

Why is hashing considered a secure method for storing passwords?

It provides a one-way trip representation of the password

What should you do if you encounter an application storing passwords as plain text?

Stop using the application or find an upgrade that doesn't store plain text passwords

What is the primary characteristic of a cryptographic algorithm mentioned in the text?

It cannot be reversed

What hashing algorithm was specifically discussed in the text?

SHA-256

How does a spraying attack differ from brute force attacks?

Spraying attacks try only a few common passwords

In the context of password attacks, what does 'querty' represent?

A common password

What is the purpose of using 'common passwords' in password attacks?

To avoid detection by alarms

What is one reason an attacker might choose a spraying attack over a brute force attack?

Less chance of being locked out of an account

Why are the hashes of common passwords provided in the text?

To demonstrate how hashing algorithms work

'Brute force attacks' aim to find passwords by trying:

Random letters and numbers

'Spraying attacks' try to avoid alarms by:

'Trying' only a few common passwords per account

What do attackers aim to obtain in a brute force attack?

Passwords of all accounts on a system

What is the purpose of adding a salt to passwords?

To ensure different hashes for identical passwords

How does the addition of salt affect the hash of identical passwords?

It makes the hash completely random

What is the main challenge associated with rainbow tables?

Different applications may use different hashing methods

Why was 'collection number one' significant in January 2019?

It had one billion unique passwords

What impact does salting passwords have on pre-built tables like rainbow tables?

It renders the tables ineffective

How do salts contribute to the security of stored passwords?

By obscuring identical passwords

Why is it essential for each user to have a unique salt added to their password?

To differentiate identical passwords

What is the purpose of having a password manager that generates different passwords for each account?

To complicate rainbow table lookups

What kind of data is a 'salt' when used in password hashing?

A piece of unrelated, random data added to the password before hashing.

What does 'haveibeenpwned.com' allow users to check for?

If their email addresses are part of any data breaches.

What type of attack involves programmatically stepping through every possible combination of a password offline?

Brute force attack

In a dictionary attack, attackers use common words from dictionaries to guess passwords. What is another feature of these attacks?

They perform letter substitutions

What is the purpose of rainbow tables in password cracking?

To store precomputed hashes for quick password lookup

Why do attackers often use distributed cracking formats?

To speed up the password cracking process

What would be the outcome if an account is locked out after a few failed login attempts?

The account is disabled for brute force attacks

What type of characters are typically included in a brute force attack on passwords?

Letters, numbers, and special characters

What technique is used in some password cracking programs to try variations like changing 'A' to '&' and 'O' to '0'?

'Substitution' for letters

Which type of attack involves using high-speed CPUs found in GPUs to quickly crack passwords?

Hash attack

What is the function of hashing passwords in the context of password cracking?

'Comparing' stored hashes for verification

What type of attack often locks accounts out after multiple failed login attempts?

Brute Force Attack

Why is storing passwords as plain text considered a security risk?

Plain text passwords can be easily read by attackers if they gain access to the database.

What is the main advantage of hashing passwords instead of storing them as plain text?

Hashes provide a unique representation of the password that is not reversible.

Why are hashes considered a more secure method for storing passwords than encryption?

Hashes are one-way functions, making it difficult to retrieve the original password from the hash.

What is the primary risk associated with applications that store passwords in plain text?

The possibility of attackers gaining access to all user credentials easily.

How does hashing of passwords contribute to data security?

Hashing produces a unique representation of each password that prevents reverse engineering.

What is the significance of using a hash to store passwords?

Hashing provides a secure way to store passwords without revealing the original plain text passwords.

What type of attack involves going through every possible combination of letters, numbers, and special characters offline?

Brute force attack

In password cracking, what method allows attackers to quickly search for previously computed hashes?

Rainbow tables

What type of attack uses commonly found words, including those from specific dictionaries?

Dictionary attack

Which method allows attackers to quickly identify common passwords like 'ninja' and 'dragon'?

Performing a dictionary attack

What technique involves changing characters like 'A' to '&' and 'O' to '0' during password cracking attempts?

Letter substitution

How do attackers speed up the process of offline password cracking by utilizing external hardware?

Employing GPU processing power

Why is it more efficient for attackers to use a subset of words from a dictionary during password cracking?

It reduces the number of hash comparisons needed

What impact does salting passwords have on pre-built tables like rainbow tables?

It prevents the pre-built tables from working effectively.

Why is having a unique salt added to each password considered important for security?

To prevent attackers from using rainbow tables effectively.

Why is it impossible to restore a hashed password back to its original format?

Hashing is a one-way process designed not to be reversible

What characteristic of hashing makes it a secure method for storing passwords?

Hashes are one-way functions.

What is the primary purpose of a spraying attack compared to a brute force attack?

To avoid triggering alarms from repeated failed login attempts

What purpose do rainbow tables serve in password cracking?

To quickly find matching hashes for common passwords.

What makes a brute force attack time-consuming when trying to crack passwords?

Having to try every possible combination of characters

In password cracking, what is the purpose of using 'common passwords' like '1, 2, 3, 4, 5, 6'?

To increase the chances of guessing correctly

What extra security measure do programmers use to store passwords besides hashing?

Adding a random salt to each password before hashing.

What differentiates salts from plain text passwords stored in a database?

Salts are added before hashing to increase security.

What role does the hashing algorithm play in password security?

It makes it impossible to determine the original password from its hash

What distinguishes a spraying attack from a brute force attack in terms of strategy?

Spraying attacks aim to evade detection by trying only a few common passwords

Why does using 'haveibeenpwned.com' help users determine if their accounts are at risk?

It checks if the user's emails and passwords were part of data breaches.

How does including a salt with passwords make rainbow tables less effective?

It adds randomness, making each password unique even if the password is common.

How does adding a salt to passwords enhance security?

It prevents attackers from using pre-built tables like rainbow tables

Why is 'collection number one' significant in the context of data breaches?

'collection number one' included over 1.1 billion unique emails and passwords, impacting millions of users.

'1, 2, 3, 4, 5, 6' and 'querty' were mentioned in the text as examples of what?

'Weak and easily guessable passwords'

What makes rainbow tables ineffective when attacking salted passwords?

The unique salt values prevent precomputed hash lookups.

What is a notable characteristic of a cryptographic algorithm?

Creates distinct hashes for unique inputs.