Password Attacks – SY0-601 CompTIA Security+ : 1.2

There are many different techniques that attackers can use to find your password. In this video, you’ll learn about spraying attacks, brute force attacks, hashing, dictionary attacks, rainbow tables, salt, and more.

An attacker loves applications that store passwords as plain text. They take the password, they store it in a readable format in a database, and if the attacker finds this database, then they have access to everyone’s usernames and passwords without any additional work. Obviously, if you are storing login credentials, you don’t want to store any passwords as plain text. Fortunately, this is a very unusual situation if you ever run into it. But there are the rare applications that tend to save these passwords in a form that is readable to anyone.

Unfortunately, if you run into one of these situations, you don’t have much of a choice. You need to stop using that particular application or find an upgrade to that application that doesn’t store any of these passwords as plain text in the database.

Well, if you don’t store passwords as plain text, how should you store passwords? The best way to store passwords is in a format that uses a hash. This hashing of a password takes the password and represents the password as a string of text information. We call this a message digest. You’ll sometimes hear this referred to as a fingerprint.

The idea with a hash is you can provide an input to the hash like your password. And the resulting hash is something that is very unique. So hashes will not be duplicated on a system and they’ll be very specific to a particular password.

The reason a hash makes such a perfect place to store passwords is that it is a one-way trip. It’s a cryptographic algorithm that cannot be reversed. So once you create the hash of a password, you can’t somehow restore that password back to its original format by simply using the hashed value. Here’s an example of some hashes that I’ve created from some very common passwords. This hashing algorithm is the SHA-256 hashing algorithm. It’s a very common one to find. Here are some passwords that I’ve hashed.

If you hash 123456 with SHA-256, you get this message digest. You’ll notice this is very different than 123456. You’re not able to tell what this password might be by looking at the hash. And there’s no way to reverse the hash back to that original password. I’ve also got hashes here for 1234567, for the word qwerty, and the word password. You’ll notice that all these hashes are the same length. But all of them are very, very different than the original passwords that were used as the input.

Inside of the application or the operating system that you’re using, you’ll often have a password file that then has the usernames for the user and then the hash that is created from the password for each individual account. Instead of trying to brute force the hash and determine what the original password might have been, some attackers will use a spraying attack.

A spraying attack avoids the account lockout that results from trying the wrong password over and over again without success. Instead, a spraying attack is going to try to use some very common passwords and only try a few of them before moving on. A good example of some of these common passwords can be found on Wikipedia under the list of the most common passwords. And the top five passwords I put right here, which are 123456, 123456789, qwerty, password, and 1234567. Probably not unusual that these would be the top five passwords that someone would try to use.

So an attacker using a spraying attack would try an account name and then they might try the top three of these top passwords to see if any one of those happened to be in use. If they gain access by using these top passwords, they can then continue their attack. If they do not gain access by using these top passwords, then they stop what they’re doing, they move on to the next account, and they try these top three passwords again. By only trying a few passwords for a single account, they can often avoid any alarms, alerts, or account lockouts that might signal that somebody’s trying to break in to these accounts.
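From the defender's side, the pattern described above (a few failures per account, spread across many accounts) never trips a per-account lockout, so it has to be detected per source instead. The following is an added example, not part of the original video; the lockout threshold, window, account names and log events are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5  # assumed policy: five failures lock an account

def _t(minute):
    # Helper for the constructed sample: a time during one test hour.
    return datetime(2024, 1, 1, 9, minute)

# Constructed failed-login events: (time, source IP, username).
USERS = ["alice", "bob", "carol", "dave", "erin", "frank"]
SAMPLE_FAILURES = (
    # One source, three tries against each of six accounts: spraying.
    [(_t(m), "203.0.113.7", user) for m, user in enumerate(USERS * 3)]
    # One source hammering one account: brute force, caught by lockout.
    + [(_t(m), "198.51.100.9", "alice") for m in range(20, 28)]
    # A user who mistyped a password twice.
    + [(_t(41), "192.0.2.44", "grace"), (_t(42), "192.0.2.44", "grace")]
)

def lockout_hits(failures):
    """Accounts that a plain per-account failure counter would lock."""
    counts = Counter(user for _, _, user in failures)
    return sorted(u for u, n in counts.items() if n >= LOCKOUT_THRESHOLD)

def detect_spraying(failures, window=timedelta(minutes=30), min_accounts=5):
    """Return {source: accounts} for sources that fail against many accounts
    inside one window while staying under the lockout threshold on each."""
    by_source = {}
    for when, source, user in sorted(failures):
        by_source.setdefault(source, []).append((when, user))
    flagged = {}
    for source, events in by_source.items():
        start = 0
        for end in range(len(events)):
            # Slide the window so it only covers the last `window` of time.
            while events[end][0] - events[start][0] > window:
                start += 1
            per_account = Counter(user for _, user in events[start:end + 1])
            under_lockout = max(per_account.values()) < LOCKOUT_THRESHOLD
            if len(per_account) >= min_accounts and under_lockout:
                flagged.setdefault(source, set()).update(per_account)
    return {source: sorted(accts) for source, accts in flagged.items()}

if __name__ == "__main__":
    print("locked by threshold:", lockout_hits(SAMPLE_FAILURES))
    print("spraying sources:   ", detect_spraying(SAMPLE_FAILURES))
```

On this sample the lockout counter only reacts to the account that was also brute forced, while the per-source view flags the source that touched all six accounts.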

Some attackers, though, are interested in obtaining the username and password of every account on a system. And if they want to be able to determine what those passwords are, then they’ll need to perform a brute force attack against every account. A brute force attack is going to try every combination of letters, numbers, special characters, or anything that could make up a password. And it’s going to try every combination of those for a single account until it finds a matching password.

This can obviously take some time. If it’s a very long password, you have to go through a lot more iterations to be able to find that. And if you’re starting with the hash of a password, then you also have to perform that hash so that you can then compare the hashes to see if you found a match. Let’s say that attacker has gained access to a system and they’ve downloaded the password file that contains usernames and password hashes. Now they happen to have one of the hashes associated with a particular user. And they would like to perform a brute force attack to find the password associated with that hash.

They’ll start at the very beginning of what possible passwords might be. And the beginning here would be the password AAAAA. They’ll perform a hash of that password and they’ll get the resulting hash value. They’ll then compare that hash value to the hash value they’re trying to match. They’ll see that those don’t match so they’ll go to the next password on their list which is AAAAB, they’ll perform a hash of that password, they’ll compare that hash to the hash they’re trying to match, and so on until they find one that matches.

They may have to go through a very long list, but eventually they’ll come up with the combination of letters that makes up the word password. They’ll perform a hash of password, they’ll get the hash value, and they’ll see that the hash value of password matches the hash they were looking for. Therefore the password associated with this account is the word password.

If an attacker was trying to do this online, it would obviously be a very slow process as they were typing in a username and password. And there’s probably going to be delays as they try each wrong password. And very quickly, they’re going to lock out this account because they’re going to try three, five, or seven passwords before the account is automatically disabled for brute force attacks. It’s usually more common for the attacker to have already downloaded the password file. They can then perform an offline attack of those hashes where they can programmatically step through every possible combination and do it very quickly on their local machine.

This obviously requires a lot of computational resources on the local computer, but it allows them to go very quickly through this list of passwords. It obviously takes a long time to incrementally go through every possible combination of letters, and numbers, and special characters. So instead of going through all of those, some attackers will use a subset of those that you might find in a dictionary. We call this a dictionary attack where we can use common words taken from a dictionary and see if those happen to be the passwords that we’re looking for.

You’ll find a lot of different kinds of dictionaries on the internet, especially some groups of passwords that are unique to a particular type of job. For example, there might be a medical dictionary where there are a lot of medical phrases that you can use for passwords that may be from a hospital or an insurance company. These dictionary related brute force programs can also perform letter substitutions. So if you’re using the word password as your password but you’re changing the letter A to the ampersand and the letter O to the number zero, these programs are already expecting you to do that and they’ll try those combinations as they go through the dictionary attack.

This type of cracking can take quite a bit of time as it goes through all of these different words and combinations of letter substitutions. It’s not unusual for attackers to use a distributed cracking format where multiple systems might be used. They might also take advantage of the high speed CPUs that you might find in a graphical processing unit or a GPU. These external video cards are very high capacity processors and they can perform these calculations very quickly.

So after performing a dictionary attack, they can go through and find common passwords like ninja, dragon, football, or letmein, and of course, are able to identify the hashes associated with all of those.

Well, if we’re going through every possible iteration in a brute force attack and creating hashes to compare, one of the things you might want to do is save all of those hashes and simply do a quick search of those hashes in the future. This type of database that contains a massive number of hashes that was created earlier is called a rainbow table. This is an optimized table. You’re able to search through it very, very quickly. And you’re able to find passwords almost instantly on many of these types of rainbow tables.

Because you don’t have to go through the calculation process of creating the hash, especially with longer types of passwords, this type of rainbow table can be an almost instantaneous lookup to find all of the passwords that might exist in a single set of hashes.

The challenge with rainbow tables is that each type of application or operating system may use a different method to create that hash. And if that is the case, then you’ll have to have different rainbow tables that are specific to that particular application or that particular operating system. Another technique that all programmers should use when they’re storing these passwords is to include a salt.

A salt is a little bit of extra random data added to the password before it is hashed. This means that if two users happen to be using exactly the same password, the hash that’s stored in the password table is going to be different between the two even though their password is exactly the same because a different type of random salt was added to each one of those user’s passwords. This means that any pre-built tables like rainbow tables will not work if all of these passwords have been salted because there’s this randomness that has been added to every single password.

Although this doesn’t completely stop the brute force process, it does slow things down and requires that the attacker know exactly how the salt has been implemented so that it can then process and begin the brute forcing of those passwords. Let’s see what the hash looks like when we take a single password like the word dragon and we add a bit of salt to it. This is the hash you would see if there was no salt added to the password.

We’re going to take the password dragon and we’ll add a different set of random salt for each individual user. You’ll notice the hash for every single one of these users is very, very different even though their password is exactly the same. This makes it very difficult for an attacker because they’ll look at this hash and they’ll have no idea that any of this information happens to be identical.
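The effect of the salt on stored records can be reproduced in a few lines. This is an added example, not code from the original video: the account names are constructed, the small dictionary of precomputed SHA-256 hashes is a plain lookup table standing in for a real rainbow table, and the salted records use PBKDF2-HMAC-SHA256 from Python's standard library, which goes beyond the salt-then-hash scheme described above by also repeating the hash many times.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example

def unsalted(password):
    """Plain SHA-256, as in the unsalted hashes discussed above."""
    return hashlib.sha256(password.encode()).hexdigest()

def new_record(password):
    """Create a stored record with a fresh random 16-byte salt per user."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}

def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(),
        bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])

def demo():
    # Precomputed hash -> password table built from the page's common passwords.
    precomputed = {unsalted(p): p for p in ["ninja", "dragon", "football", "letmein"]}
    # Two constructed accounts that both chose the password "dragon".
    plain = {user: unsalted("dragon") for user in ("user1", "user2")}
    salted = {user: new_record("dragon") for user in ("user1", "user2")}
    return {
        "unsalted_identical": plain["user1"] == plain["user2"],
        "unsalted_found": precomputed.get(plain["user1"]),
        "salted_identical": salted["user1"]["hash"] == salted["user2"]["hash"],
        "salted_found": any(r["hash"] in precomputed for r in salted.values()),
        "correct_login": verify("dragon", salted["user1"]),
        "wrong_login": verify("dragon1", salted["user1"]),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt is stored next to the hash because the application needs it to verify a login; its job is to make every record unique, not to be secret.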

A good example of what happens when attackers are able to get their hands on these hashed passwords occurred in January of 2019 when a large collection of passwords was released called Collection #1. This consisted of over 12,000 files and 87 GB of data. Within Collection #1 was over 1.1 billion unique emails and passwords. This was a very large data breach. And within the collection, there were 772 million unique usernames across many different accounts.

This meant that there could be as many as 773 million people that were affected by this data breach. Although there were over one billion unique emails and passwords, there were only 21 million unique passwords in this entire group. This is another good reason why you might want to have a password manager that makes a different password for every single one of your accounts.

If you’re interested in knowing if you were part of this data breach, you can go to this website, which is a legitimate and well trusted website in the industry called haveibeenpwned.com. This site allows you to simply put in your email address. And it will tell you if that address is part of one of many different breaches. And they’re always adding new breaches to the list. So this should be a site that you’re always going back to to see if maybe your username and password may have been released.