Authenticity ensures that the identity of a user is verified accurately before access to systems or data is granted. Several types of attack are used to compromise passwords.

Offline attacks

Offline attacks occur when an attacker gains access to a database of hashed or encrypted passwords and attempts to crack them without interacting with the authentication system directly.

  • Attack vector
    • The attacker has access to the hashed passwords, often through a data breach or exploit.
  • Speed
    • The speed is limited only by the attacker’s computational resources; the attacker can use powerful hardware to perform rapid computations.
  • Methods
    • Brute force: Trying many password combinations until one works, limited by account lockouts.
    • Dictionary attack: Crack passwords by systematically entering every password in a precompiled list, which contains common passwords, phrases, or previously breached passwords. It is less effective against complex, unique passwords.
    • Rainbow table attack: Use tables of plaintext passwords and their corresponding hash values to reverse cryptographic hash functions and recover the original plaintext passwords. When a hash is obtained (e.g. from a database breach), the attacker looks it up in the rainbow table to find the corresponding plaintext password. It is ineffective when the passwords are hashed with salts.

Online attacks

The attacker interacts directly with the authentication system and tries to exploit a web system’s weak authentication controls to gain unauthorised access.

  • Attack vector
    • The attacker interacts directly with the login interface of the target system.
  • Speed
    • Generally slower due to rate limiting, account lockouts, and network latency.
  • Methods
    • Brute force: Trying many password combinations until one works, limited by account lockouts.
    • Credential stuffing: Using known username/password pairs from other breaches; this assumes most people reuse the same credentials on multiple sites.
    • Password spraying: Trying a few common passwords across many accounts to avoid lockouts.
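The three online methods above leave different footprints in an authentication log, which is what a defender actually has to work with. The following is an added example (not part of the original notes) that parses a constructed log in a hypothetical `src=... user=... result=...` format, labels each source address as brute force or password spraying from its failure pattern, and lists accounts that have reached a lockout threshold. The thresholds and log format are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not real data). Source addresses are
# from the RFC 5737 documentation ranges. Three behaviours are embedded:
#   203.0.113.5  -> 12 failures against one account (brute force)
#   198.51.100.7 -> one failure each against six accounts (password spraying)
#   192.0.2.9    -> one failure then a success for one user (a typo, benign)
SAMPLE_LOG = (
    [f"2024-05-01T10:00:{i:02d} src=203.0.113.5 user=alice result=FAIL" for i in range(12)]
    + [f"2024-05-01T10:01:{i:02d} src=198.51.100.7 user={u} result=FAIL"
       for i, u in enumerate(["bob", "carol", "dave", "erin", "frank", "grace"])]
    + ["2024-05-01T10:02:00 src=192.0.2.9 user=heidi result=FAIL",
       "2024-05-01T10:02:07 src=192.0.2.9 user=heidi result=SUCCESS"]
)

# Hypothetical log format: "<timestamp> src=<ip> user=<name> result=FAIL|SUCCESS"
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(FAIL|SUCCESS)$")


def parse(lines):
    """Turn raw log lines into (timestamp, src, user, result) tuples; skip malformed lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groups())
    return events


def failures_by_source(events):
    """Map each source address to {user: failed_attempts}."""
    table = defaultdict(lambda: defaultdict(int))
    for _ts, src, user, result in events:
        if result == "FAIL":
            table[src][user] += 1
    return table


def classify_sources(events, spray_min_users=5, spray_max_per_user=2, brute_min_attempts=10):
    """Label each source whose failure pattern matches an online guessing attack.

    Password spraying: many distinct accounts, only a few failures per account.
    Brute force: one account hammered with many failures.
    Thresholds are illustrative; tune them to your own baseline.
    """
    findings = {}
    for src, per_user in failures_by_source(events).items():
        worst_account = max(per_user.values())
        if len(per_user) >= spray_min_users and worst_account <= spray_max_per_user:
            findings[src] = "password_spraying"
        elif worst_account >= brute_min_attempts:
            findings[src] = "brute_force"
    return findings


def accounts_to_lock(events, threshold=5):
    """Accounts whose total failures (from any source) reach the lockout threshold."""
    failures = defaultdict(int)
    for _ts, _src, user, result in events:
        if result == "FAIL":
            failures[user] += 1
    return {user for user, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print(classify_sources(events))  # {'203.0.113.5': 'brute_force', '198.51.100.7': 'password_spraying'}
    print(accounts_to_lock(events))  # {'alice'}
```

Note that a per-account lockout catches the brute-force source but not the spraying source, which never exceeds one failure per account; that is exactly why spraying is used, and why the detection also has to aggregate by source address (or, for a spray spread across many addresses, by the number of distinct accounts failing in a time window).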

Preventive measures

Salting passwords

A salt is a random value concatenated to the plaintext before hashing; each password has a unique salt. The same password will produce different hashes because of the unique salt. Attackers would need to generate a separate rainbow table for each possible salt value, which is computationally infeasible. The salting process can be described as below:

Password:   "pw1234"
Salt:       "yrtZd"
Hash Value: hash("pw1234" + "yrtZd")

Password salting is effective against the rainbow table attack.
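The following is an added example (not from the original notes) that puts the scheme above into code: the same `hash("pw1234" + "yrtZd")` construction, a tiny precomputed lookup table over a constructed list of common passwords standing in for a rainbow table to show why unsalted hashes are recoverable and salted ones are not, and, as an addition beyond the notes, the storage form a practitioner would actually use: a random per-user salt with a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from the standard library) and a constant-time comparison on verification. The `pbkdf2_sha256$iterations$salt$hash` record layout is an assumption.

```python
import hashlib
import hmac
import os


def salted_hash(password: str, salt: str) -> str:
    """The scheme from the notes: hash(password + salt) with a plain cryptographic hash."""
    return hashlib.sha256((password + salt).encode("utf-8")).hexdigest()


def unsalted_hash(password: str) -> str:
    """What a table lookup defeats: the hash depends on the password alone."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# A tiny precomputed table over a constructed list of common passwords stands in
# for a rainbow table: it maps unsalted hashes straight back to plaintext.
COMMON_PASSWORDS = ["123456", "password", "pw1234", "qwerty", "letmein"]
PRECOMPUTED = {unsalted_hash(p): p for p in COMMON_PASSWORDS}


def table_lookup(digest: str):
    """Return the plaintext for a precomputed hash, or None if it is not in the table."""
    return PRECOMPUTED.get(digest)


# Recommended storage form (added here, not from the notes): a per-user random
# salt plus a slow key-derivation function. Record layout is a hypothetical
# "pbkdf2_sha256$iterations$salt_hex$hash_hex".
ITERATIONS = 600_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Create a storable record; a fresh 16-byte salt makes every record unique."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so verification time does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    print(salted_hash("pw1234", "yrtZd") != salted_hash("pw1234", "abcde"))  # True
    print(table_lookup(unsalted_hash("pw1234")))                             # pw1234
    print(table_lookup(salted_hash("pw1234", "yrtZd")))                      # None
    record = hash_password("pw1234")
    print(verify_password("pw1234", record), verify_password("pw1235", record))  # True False
```

The salt is stored in the clear beside the hash; it is not a secret. Its job is only to make each hash unique, so a table built for one salt is useless for every other one. The slow derivation is the second, separate defence: it bounds how many guesses per second an offline attacker gets out of the hardware they have.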

Multi-Factor Authentication (MFA)

MFA requires additional factors beyond just username and password for authentication, such as a code from a mobile app, a fingerprint, or a hardware token. Even if an attacker manages to crack the password, they will still need other factors to gain access.

