Transcript for:
Best Practices for Secure Credential Storage

In your IT career, there is a possibility that you could run across an application that stores credentials like usernames and passwords in a non-encrypted form. We often refer to this as "in the clear." Although this is rare, this is something that could be a significant security concern. This is why we always say to never store passwords as the plain text of the password. Someone can gain access to the files or databases where those credentials are stored, and at that point they would easily have everyone's username and password in plain text, and they can begin taking advantage of that information immediately. If you're using an application that is storing this information as plain text, your only good option is to stop using that application. Perhaps reaching out to the application developer might be an option, but this will require a rewrite to be able to save your passwords in a form that's more secure.

Instead of storing these passwords as plain text, all of these passwords should be stored as a hash. We've discussed an overview of hashing in previous videos, but in this video I want to drill down into how hashes and passwords are so closely related. When we're storing information as a hash, we're taking a variable-length input and representing it as a fixed-length string of text. You'll often hear this referred to as a message digest or a fingerprint. Another interesting characteristic of hashing is that if you have a different input into the hashing algorithm, you will have a very different output. This means that everyone with a different password will have a very different hash that is stored in the database. And perhaps, from a password perspective, the most important characteristic is that there's no way to reverse engineer the password once it's stored as a hash. Just as the fingerprints on your hand can't be used to reconstruct an entire person, you can't somehow reconstruct a password when you only have the hash of that password.

Here's an example of what these passwords would look like if we stored them with a hash instead of storing them with the plain text. On the left side of this list are the passwords, and on the right side is a hash that's been created with the SHA-256 hashing algorithm. You can see that the password of 123456 is stored as this hash, and the password of 1234567 appears to be a very different hash. Notice that although the password itself is only one character different between the two, the two hashes are very different from each other. If we were to look at the section of an operating system or the file where these credentials are saved, you may be able to see the usernames associated with these accounts, but notice that the hash that is stored for each one of these accounts is very different from the others, and none of it contains the original plain text.

You may have run into a scenario where you've forgotten your password and you try a number of different options for logging in, but after the fourth or fifth try of an incorrect password your account is locked out, sometimes for a certain amount of time, or sometimes you would need to call to have this account re-enabled. The attackers would love to try guessing at what your password might be, but they don't want to guess so many times that they also might cause a lockout. So instead they might try the most common passwords. This is a list of the top five most common passwords as found on Wikipedia, and they're passwords you might expect: passwords like 123456, 123456789, qwerty, password, and 1234567. Although it may seem obvious that people shouldn't use these types of passwords, unfortunately people all too commonly use these very common passwords when securing their accounts. So all an attacker would need to do is to try perhaps the top three passwords on this list, and if they don't gain access to the account, they'll simply move on to the next one on their list. So the attacker will try to find these accounts that have very weak passwords, and it
might try three attempts, and once it uses those three attempts, it moves on to the next account. This means there won't be any lockouts, there won't be any alarms or notices in a security report, and they can effectively try this online brute force attack without raising any type of notice. We refer to this type of attack as a spraying attack, and if an attacker wants to simply find those accounts that might be available using these common passwords, this is a good way to accomplish that without raising any suspicion.

You can think of a spraying attack as the beginnings of what could potentially be a brute force attack, but a brute force attack would be trying many different iterations of passwords to try to find the right one. In many cases the attackers will go through every possible combination of letters, numbers, and special characters until they can find every password in that password list. As you can imagine, stepping through every possible iteration of a password is very time consuming, and if the hashes have been saved with a strong hashing algorithm and the passwords themselves are quite long, this could take quite a bit of time to brute force.

Here's the process that an attacker goes through when trying to brute force a password. They have already received the hash. They might have received this as part of a file that was downloaded, or they were able to obtain the hash in other ways. This hash doesn't contain any information that can tell us what the password is, so we'll now start the brute force. We'll start with the password aaaaa, and we'll look at the hash for that password. If that hash matches the hash that was from our password file, then we've just found the right password. In this particular case it does not, so we will go to the next possible iteration, which is aaaab, and we can see that that hash also does not match the password. We'll go to the next one on our list, and we'll keep iterating through every possible combination. Eventually the attacker will come across a hash that finally matches the hash that was stored in the password file. In this particular case, the password that the attacker was looking for is literally the word "password."

As we've already mentioned, it's very common for accounts to automatically lock themselves when too many incorrect password attempts are made, and that's why a brute force attack online is going to be very slow, because you'll only be able to make a request to this perhaps once or twice a day, and of course you do have the concern that eventually this account will be locked out. Instead, the way that most attackers handle a brute force is to download the file that contains all of that password information. Very often it looks something like this, where there would be a list of usernames, perhaps a name, an ID, or a group ID, and then the hashed password itself. Once the attacker is offline, there's no concern that an account might be locked out. They can perform as many brute force attacks as they would like over whatever time frame they would like. As long as the attacker has enough time and enough computational resources, they can try every possible hash until they come across one that matches the information that's stored in the password file itself.
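As an added example that is not part of the video, the Python below ties the three ideas from the transcript together from the defender's side: a credential store that keeps SHA-256 digests rather than plain text (showing the fixed length and the very different output for 123456 versus 1234567), an account lockout counter, and a check that flags a source which fails against many distinct accounts while staying under the lockout threshold on each one, which is the spraying pattern described above. The lockout threshold of five, the minimum of ten accounts for the spray check, the usernames, and the source addresses are all assumptions constructed for the example.

```python
"""Hashed credential store with lockout and spray detection (added example).

All accounts, passwords and source addresses below are constructed sample data.
"""
import hashlib
import hmac
from collections import defaultdict

LOCKOUT_THRESHOLD = 5   # assumed policy: lock the account after five wrong attempts
SPRAY_MIN_ACCOUNTS = 10  # assumed policy: one source failing against this many accounts


def sha256_hex(password: str) -> str:
    """Variable-length password in, fixed-length (64 hex chars) digest out."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """How many of the 256 digest bits differ: shows the 'very different hash' property."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


class CredentialStore:
    def __init__(self):
        self.hashes = {}                              # username -> digest, never plain text
        self.failures = defaultdict(int)              # consecutive failures per account
        self.locked = set()
        self.failed_accounts_by_source = defaultdict(set)  # source -> accounts it failed against

    def add_user(self, username: str, password: str) -> None:
        self.hashes[username] = sha256_hex(password)

    def login(self, username: str, password: str, source: str) -> str:
        """Returns 'ok', 'denied' or 'locked'; only digests are ever compared."""
        if username in self.locked:
            return "locked"
        expected = self.hashes.get(username)
        candidate = sha256_hex(password)
        # compare_digest keeps the comparison time independent of where digests differ
        if expected is not None and hmac.compare_digest(expected, candidate):
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        self.failed_accounts_by_source[source].add(username)
        if self.failures[username] >= LOCKOUT_THRESHOLD:
            self.locked.add(username)
            return "locked"
        return "denied"

    def spraying_sources(self) -> list:
        """Sources whose failures are spread across many accounts, each below lockout."""
        return sorted(src for src, accounts in self.failed_accounts_by_source.items()
                      if len(accounts) >= SPRAY_MIN_ACCOUNTS)


def demo() -> dict:
    store = CredentialStore()
    # constructed accounts; one of them uses a password from the top-five list
    users = {f"user{i:02d}": f"Str0ng-pass-{i}" for i in range(12)}
    users["user07"] = "qwerty"
    for name, pw in users.items():
        store.add_user(name, pw)

    # constructed spraying pattern: three common guesses per account, then move on
    spray_hits = []
    for name in users:
        for guess in ("123456", "123456789", "qwerty"):
            if store.login(name, guess, source="198.51.100.7") == "ok":
                spray_hits.append(name)
                break

    # constructed legitimate user who keeps mistyping and trips the lockout
    outcomes = [store.login("user01", "wrong-guess", source="203.0.113.5")
                for _ in range(LOCKOUT_THRESHOLD)]

    return {
        "digest_length": len(sha256_hex("123456")),
        "bits_differing_123456_vs_1234567": differing_bits(sha256_hex("123456"), sha256_hex("1234567")),
        "spray_hits": spray_hits,
        "locked": sorted(store.locked),
        "spraying_sources": store.spraying_sources(),
        "last_outcome": outcomes[-1],
    }


if __name__ == "__main__":
    print(demo())
```

Run as a script, `demo()` shows that no account was locked by the three-guesses-per-account pattern, yet the single source behind it is still flagged because its failures are spread across twelve accounts; the mistyping user trips the per-account lockout instead. The bare SHA-256 used here matches the transcript's illustration; a production store would use a slow, salted password hash so that the offline brute force described above costs the attacker far more per guess.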