an attacker loves applications that store passwords as plain text they take the password they store it in a readable format in a database and if the attacker finds this database then they have access to everyone's usernames and passwords without any additional work obviously if you are storing login credentials you don't want to store any passwords as plain text fortunately this is a very unusual situation if you ever run into it but there are the rare applications that tend to save these passwords in a form that is readable to anyone unfortunately if you run into one of these situations you don't have much of a choice you need to stop using that particular application or find an upgrade to that application that doesn't store any of these passwords as plain text in the database well if you don't store password as plain text how should you store passwords the best way to store a password is in a format that uses a hash this hashing of a password takes the password and represents the password as a string of text information we call this a message digest you'll sometimes hear this referred to as a fingerprint the idea with a hash is you can provide an input to the hash like your password and the resulting hash is something that is very unique so hashes will not be duplicated on a system and they'll be very specific to a particular password the reason a hash makes such a perfect place to store a password is that it is a one-way trip it's a cryptographic algorithm that cannot be reversed so once you create the hash of a password you can't somehow restore that password back to its original format by simply using the hashed value here's an example of some hashes that i've created from some very common passwords this hashing algorithm is the sha 256 hashing algorithm it's a very common one to find here's some passwords that i've hashed if you hash one two three four five six with shot 256 you get this message digest you'll notice this is very different than the one two three four five six you're not able to tell what this password might be by looking at the hash and there's no way to reverse the hash back to that original password i've also got hashes here for one two three four five six seven for the word queerty and the word password you'll notice that all these hashes are the same length but all of them are very very different than the original passwords that were used as the input inside of the application or the operating system that you're using you'll often have a password file that then has the usernames for the user and then the hash that is created from the password for each individual account instead of trying to brute force the hash and determine what the original password might have been some attackers will use a spraying attack a spring attack avoids the results of a locked account for trying the wrong password over and over again without success instead a spring attack is going to try to use some very common passwords and only try a few of them before moving on a good example of some of these common passwords can be found on wikipedia under the list of the most common passwords and the top five passwords i put right here which are one two three four five six one two three four five six seven eight nine qwerty password and one two three four five six seven probably not unusual that these would be the top 5 passwords that someone would try to use so an attacker using a spraying attack would try an account name and then they might try the top three of these top passwords to see if any one of those happen to be in use if they gain access by using these top passwords they can then continue their attack if they do not gain access by using these top passwords then they stop what they're doing they move on to the next account and they try these top three passwords again by only trying a few passwords for a single account they can often avoid any alarms alerts or account lockouts that might signal that somebody's trying to break into these accounts some attackers though are interested in obtaining the username and password of every account on a system and if they want to be able to determine what those passwords are then they'll need to perform a brute force attack against every account a brute force attack is going to try every combination of letters numbers special characters or anything that could make up a password and it's going to try every combination of those for a single account until it finds a matching password this can obviously take some time if it's a very long password you have to go through a lot more iterations to be able to find that and if you're starting with the hash of a password then you also have to perform that hash so that you can then compare the hashes to see if you found a match let's say that attacker has gained access to a system and they've downloaded the password file that contains usernames and password hashes now they happen to have one of the hashes associated with a particular user and they would like to perform a brute force attack to find the password associated with that hash they'll start at the very beginning of what possible passwords might be and the beginning here would be the password aaa they'll perform a hash of that password and they'll get the resulting hash value they'll then compare that hash value to the hash value they're trying to match they'll see that those don't match so they'll go to the next password on their list which is aaab they'll perform a hash of that password they'll compare that hash to the hash they're trying to match and so on until they find one that matches they may have to go through a very long list but eventually they'll come up with the combination of letters that makes up the word password they'll perform a hash of password they'll get the hash value and they'll see that the hash value of password matches the hash they were looking for therefore the password associated with this account is the word password if an attacker was trying to do this online it would obviously be a very slow process as they were typing in a username and a password and there's probably going to be delays as they try each wrong password and very quickly they're going to lock out this account because they're going to try three five or seven passwords before the account is automatically disabled for brute force attacks it's usually more common for the attacker to have already downloaded the password file they can then perform an offline attack of those hashes where they can programmatically step through every possible combination and do it very quickly on their local machine this obviously requires a lot of computational requirements on the local computer but allows them to go very quickly through this list of passwords it obviously takes a long time to incrementally go through every possible combination of letters and numbers and special characters so instead of going through all of those some attackers will use a subset of those that you might find in a dictionary we call this a dictionary attack where we can use common words taken from a dictionary and see if those happen to be the passwords that we're looking for you'll find a lot of different kinds of dictionaries on the internet especially some groups of passwords that are unique to a particular type of job for example there might be a medical dictionary where there are a lot of medical phrases that you can use for passwords that may be from a hospital or an insurance company these dictionary related brute force programs can also perform letter substitutions so if you're using the word password as your password but you're changing the letter a to the ampersand and the letter o to the number zero these programs are already expecting you to do that and they'll try those combinations as they go through the dictionary attack this type of cracking can take quite a bit of time as it goes through all of these different words and combinations of letter substitutions it's not unusual for attackers to use a distributed cracking format where multiple systems might be used they might also take advantage of the high-speed cpus that you might find in a graphical processing unit or gpu these external video cards are very high capacity processors and they can perform these calculations very quickly so after performing a dictionary attack they can go through and find common passwords like ninja dragon football or let me in and of course are able to identify the hashes associated with all of those well if we're going through every possible iteration in a brute force attack and creating hashes to compare one of the things you might want to do is save all of those hashes and simply do a quick search of those hashes in the future this type of database that contains a massive number of hashes that was created earlier is called a rainbow table this is an optimized table you're able to search through it very very quickly and you're able to find passwords almost instantly on many of these types of rainbow tables because you don't have to go through the calculation process of creating the hash especially with longer types of passwords this type of rainbow table can be an almost instantaneous lookup to find all of the passwords that might exist in a single set of hashes the challenge with rainbow tables is that each type of application or operating system may use a different method to create that hash and if that is the case then you'll have to have different rainbow tables that are specific to that particular application or that particular operating system another technique that all programmers should use when they're storing these passwords is to include assault assault is a little bit of extra random data added to the password before it is hashed this means that if two users happen to be using exactly the same password the hash that's stored in the password table is going to be different between the two even though their password is exactly the same because a different type of random salt was added to each one of those users passwords this means that any pre-built tables like rainbow tables will not work if all of these passwords have been salted because there's this randomness that has been added to every single password although this doesn't completely stop the brute force process it does slow things down and requires that the attacker know exactly how the salt has been implemented so they can then process and begin the brute forcing of those passwords let's see what the hash looks like when we take a single password like the word dragon and we add a bit of salt to it this is the hash you would see if there was no salt added to the password we're going to take the password dragon and we'll add a different set of random salt for each individual user you'll notice the hash for every single one of these users is very very different even though their password is exactly the same this makes it very difficult for an attacker because they'll look at this hash and they'll have no idea that any of this information happens to be identical a good example of what happens when attackers are able to get their hands on these hash passwords occurred in january of 2019 when a large collection of passwords was released called collection number one this consisted of over 12 000 files and 87 gig of data within collection number one was over 1.1 billion unique emails and passwords this was a very large data breach and within the collection there were 772 million unique usernames across many different accounts this meant that there could be as many as 773 million people that were affected by this data breach although there were over 1 billion unique emails and passwords there were only 21 million unique passwords in this entire group this is another good reason why you might want to have a password manager that makes a different password for every single one of your accounts if you're interested in knowing if you are part of this data breach you can go to this website which is a legitimate and well trusted website in the industry called have ibinponed.com this site allows you to simply put in your email address and it will tell you if that address is part of one of many different breaches and they're always adding new breaches to the list so this should be a site that you're always going back to to see if maybe your username and password may have been released