🔒

Password Security and Cracking Techniques Overview

Feb 6, 2025

View transcript

Lecture Notes: Password Security and Cracking Techniques

Overview

  • Password topic is vast and complex.
  • Focus on different methods of password cracking and security measures.

Password Cracking Techniques

Online Brute Force

  • Direct interaction with authentication server.
  • Attempts every possible password combination.
  • Impractical due to time consumption and detection.

Offline Attacks

  • Obtain password hashes from server.
  • Crack them on personal machine.

Password Storage and Hashes

  • Passwords are stored as hashes, not in clear text.
  • Hash: A fixed length, unique output from a mathematical operation on input data.
  • Hashes are one-way functions.

Common Password Cracking Tools

  • Medusa: Brute force tool for specific services using modules.
  • Hydra: Supports multiple services for brute force attacks.
  • John the Ripper: Brute force utility.
  • Hashcat: Advanced tool with support for various hash types and attack modes.

Dictionary and Hybrid Attacks

  • Use word lists or dictionaries to guess passwords.
  • Hybrid approach combines dictionary words with character sets.

Issues with Online Attacks

  • Detection due to high number of failed login attempts.
  • Delays or account bans after multiple failed attempts.

Understanding Hash Collisions

  • Hash collisions: Different inputs producing the same hash output.
  • Birthday Paradox: Statistical likelihood of hash collisions.
  • Implications for password and file security.

Rainbow Tables

  • Pre-computed hashes for character combinations.
  • Huge databases shifting effort from computing to searching.
  • Mitigation: Use long passwords or passphrases; however, hash collisions still possible.

Password Salting

  • Adding a "salt" to passwords before hashing to prevent rainbow table attacks.
  • Salts stored on server; make rainbow tables ineffective.
  • Example: Adding a suffix to the password before hashing.

Generating and Using Rainbow Tables

  • RTGen: Tool for generating rainbow tables.
  • Tables can be sorted for faster searching.
  • Use caution due to large size and computational requirements.

Hashcat Demonstration

  • Cracking passwords using word lists and brute force.
  • GPU use recommended for faster processing.
  • Exhaustive methods can take years for complex passwords.

Horizontal Brute Force Attacks

  • Password Spraying: Trying common passwords across multiple usernames.
  • Credential Stuffing: Using known user-password combinations across different services.

Important Concepts for Exam

  • Understand brute force and hashing principles.
  • Recognize types and implications of hash-related attacks.
  • Comprehend password salting and its significance.

Conclusion

  • Comprehension of password security is crucial.
  • Exam will cover various aspects of password attacks and defenses.

Additional Resources

  • Watch related videos or tutorials for deeper understanding.
  • Practice using tools in a safe, controlled environment to solidify learning.

Full transcript