Security+ Chapter 4 Password Attacks

19 Terms

1
Password-related attacks
Brute-force, password spraying, and dictionary attacks
2
Brute-Force Attack
Iterates through passwords until it finds one that works.

Simply a process that involves trying different variations until it succeeds.
3
What do brute-force attacks involve?
Word lists that use common passwords, words specifically picked as likely to be used by the target, and modification rules to help account for complexity rules.
4
Spraying Attack
A form of brute-force attack that attempts to use a single password or a small set of passwords against many accounts.
5
When is a spraying attack useful?
Effective if you know that a target uses a specific default password or a set of passwords.
6
Example of a spraying attack
If you were going to attack a sports team's fan website, common chants for the fans, names of well-known players, and other common terms related to the team would be the likely candidates.
7
Dictionary Attack
Another form of brute-force attack that uses a list of words for its attempts.
8
Tools for dictionary attacks
John the Ripper (an open-source password-cracking tool)
9
Differentiator of attack methods
Whether they occur online, and thus against a live system that may have defenses in place, or offline, against a compromised or captured password store.
10
Tool used when you can capture hashed passwords from a password store
Rainbow Table
11
Rainbow Tables
A searchable database of precomputed hashes using the same hashing methodology as the captured password file.
12
How Rainbow Tables are used
If you captured a set of passwords that were hashed using MD5, you could compute or even purchase a full set of hashes for most reasonable password lengths, and then simply look up the captured hashes in the table.
13
Hash
A one-way cryptographic function that takes an input and generates a unique and repeatable output from that input.
14
Password Cracker
Attempts to crack passwords by trying brute-force and dictionary attacks against a variety of common password storage formats.
15
John the Ripper Link
Learning how to use tools like John the Ripper can help you understand both password cracking and how passwords are stored. You can find a variety of exercises at openwall.info/wiki/john/tutorials
16
How can password cracker tools be used for good?
Password cracking tools like John the Ripper can also be used as password assessment tools. Some organizations continue to periodically test for weak and easily cracked passwords by using a password cracker on their password stores.
17
What do attackers or pen testers go for in a system that is not well maintained?
Plain-text or unencrypted passwords
18
What are ways to protect passwords?
Using a strong password hashing mechanism, as well as techniques like using a salt and a pepper.

Best practices rely on passwords never being stored and instead using a well-constructed password hash to verify passwords at login.
19
Securing Password Storage Link
cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html