Which of the following password attacks is MOST likely to crack the largest number of randomly generated passwords?
A. Hybrid attack
B. Birthday attack
C. Dictionary attack
D. Rainbow tables
Correct Answer: D
Section: Threats and Vulnerabilities
When a password is "tried" against a system, the system does not store or compare the password itself. It runs the password through a one-way hash function and keeps only the hash. (Hashing is not encryption: there is no key, and the function is designed so that the hash cannot be turned back into the password.) Hashing protects the password at rest: if the password file is stolen, the attacker gets hashes rather than passwords. Protecting the password in transit is a separate job, done by the encrypted channel (for example TLS), although some challenge-response protocols also avoid sending the password itself.
The hash of a password looks like a string of random characters and has a fixed length regardless of the length of the password (an MD5 hash is always 32 hexadecimal characters). Your
password might be "shitzu" but the hash of your password would look something like "7378347eedbfdd761619451949225ec1".
To verify a user, the system hashes the password the user submits (in some challenge-response protocols the hashing is done on the client) and compares the result to the hash value stored in its credential table on the server. If
the hashes match, then the user is authenticated and granted access.
Password cracking programs work in the same way as the login check, but offline against a stolen copy of the hashes. The cracking program takes candidate plaintext passwords, runs each through the same hash algorithm, such as
MD5, and then compares the hash output with the hashes in the stolen password file. If it finds a match, the program has cracked the password. Because the attacker holds the file, there is no account lockout or rate limit; the only limits are hardware speed and the cost of the hash function.
Rainbow Tables are basically huge sets of precomputed tables filled with hash values that are pre-matched to possible plaintext passwords. The Rainbow Tables essentially allow
attackers to reverse the hashing function to determine what the plaintext password might be.
The use of Rainbow Tables allows passwords to be cracked in a very short amount of time compared with brute-force methods; however, the trade-off is that it takes a lot of storage
(sometimes terabytes) to hold the Rainbow Tables themselves, and the precomputation has to be done once per hash algorithm and character set.
With a rainbow table, the work of hashing is done in advance. In other words, you create a series of tables covering all the possible two-letter, three-letter, four-letter, and
so forth combinations and the hash of each combination, using a known hashing algorithm like SHA-2. Now if you search the table for a given hash, the letter combination in the table
that produced the hash must be the password you are seeking. (Strictly, a rainbow table does not store every hash. It stores chains built by alternating the hash function with a "reduction" function that maps a hash back to some password, and keeps only each chain's start and end point; a lookup rebuilds the relevant chain. That is what keeps the storage far below a full hash-to-password lookup table.)
Because a rainbow table covers the whole character set up to a given length rather than a list of words, it is the attack that cracks the most randomly generated passwords, which is why D is the answer. Two caveats matter in practice: the table only helps for passwords within the length and character set it was built for, and it only works against unsalted hashes. A per-user random salt changes every hash, so a separate table would be needed for each salt value; this is why modern password storage (bcrypt, scrypt, Argon2, PBKDF2) salts every password.
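The chain construction described above, as an added worked example that is not part of the original explanation or the study guide: a toy rainbow table over three-letter lowercase passwords hashed with MD5. The chain length, number of chains, the reduction function and the "salt:" prefix used to show the salting caveat are all choices made for this example; real tables use random start points, chains thousands of steps long and far more chains.

```python
"""Toy rainbow table over 3-letter lowercase passwords hashed with MD5 (example code)."""
import hashlib
import string

ALPHABET = string.ascii_lowercase
PW_LEN = 3
KEYSPACE = len(ALPHABET) ** PW_LEN   # 17,576 possible passwords
CHAIN_LEN = 50                       # hash/reduce steps per chain (chosen for this example)
NUM_CHAINS = 800                     # chains kept in the table (chosen for this example)


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def index_to_password(i: int) -> str:
    """Map an integer in [0, KEYSPACE) to a password (base-26 digits)."""
    chars = []
    for _ in range(PW_LEN):
        i, r = divmod(i, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def reduce_hash(hex_digest: str, column: int) -> str:
    """Reduction function: map a hash to *some* password in the keyspace.
    Mixing in the column index gives each column its own reduction, which is
    what distinguishes a rainbow table from earlier Hellman-style tables."""
    return index_to_password((int(hex_digest[:16], 16) + column) % KEYSPACE)


def chain(start: str) -> list:
    """All passwords visited by one chain: p0=start, p(c+1)=R(H(p(c)), c).
    The hashes of chain(start)[:-1] are 'covered'; chain(start)[-1] is the endpoint."""
    pws = [start]
    for col in range(CHAIN_LEN):
        pws.append(reduce_hash(md5_hex(pws[-1]), col))
    return pws


def build_table() -> dict:
    """Precomputation: store only endpoint -> [start points] (a list, so merged
    chains that share an endpoint are not silently dropped)."""
    table = {}
    stride = KEYSPACE // NUM_CHAINS
    for i in range(NUM_CHAINS):
        start = index_to_password(i * stride)
        table.setdefault(chain(start)[-1], []).append(start)
    return table


def covered(table: dict) -> set:
    """Distinct passwords whose hash the table can actually invert."""
    cov = set()
    for starts in table.values():
        for start in starts:
            cov.update(chain(start)[:-1])
    return cov


def lookup(table: dict, target_hash: str):
    """Online phase: for each column, assume the target is that column's hash,
    walk to the chain end, and if the endpoint is stored rebuild the chain
    and verify the candidate (this check rejects false alarms)."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        p = reduce_hash(target_hash, col)
        for c in range(col + 1, CHAIN_LEN):
            p = reduce_hash(md5_hex(p), c)
        for start in table.get(p, ()):
            candidate = chain(start)[col]
            if md5_hex(candidate) == target_hash:
                return candidate
    return None


if __name__ == "__main__":
    table = build_table()
    victim = chain(index_to_password(0))[7]      # a password the table is known to cover
    print(len(covered(table)), "of", KEYSPACE, "passwords covered")
    print(lookup(table, md5_hex(victim)), "==", victim)
    print(lookup(table, md5_hex("salt:" + victim)))  # None: a salt defeats the table
```

The lookup costs a few thousand hashes instead of one table probe, but the table holds 800 entries rather than 17,576; that ratio is the time/storage trade-off the explanation refers to. The salted lookup returns None because no three-letter string hashes to MD5("salt:" + password), so the table would have to be rebuilt for every distinct salt.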
A: A hybrid attack is a combination of dictionary and brute-force attacks. A dictionary attack uses a list of words to use as passwords. The combination or hybrid attack adds characters
or numbers or even other words to the beginning or end of the password guesses. For example, from a password guess of 'password' multiple combinations could be created such as
'password1', '1password', 'password2', '2password'. However, a hybrid attack only reaches variations of words in its list, so it does not guess as many 'random' passwords as a rainbow table attack.
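The offline cracking loop described earlier (hash each candidate, compare with the stolen hashes) and the hybrid mangling rules in A, as an added example that is not part of the original explanation: a small dictionary cracker and a hybrid cracker run against a constructed, unsalted MD5 credential store. The victim accounts, their passwords and the wordlist are invented for the example and the hashes are generated from them so that the code runs offline.

```python
"""Dictionary and hybrid cracking against unsalted MD5 hashes (example code)."""
import hashlib
import itertools


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# Constructed sample "stolen" credential store. The plaintexts are listed only so
# the hashes can be generated here; a real attacker would hold just the hashes.
VICTIMS = {"alice": "summer", "bob": "password1", "carol": "2Winter", "dave": "x7$Qm!v"}
STOLEN_HASHES = {user: md5_hex(pw) for user, pw in VICTIMS.items()}

# Constructed wordlist.
WORDLIST = ["summer", "winter", "password", "dragon", "letmein"]


def dictionary_candidates(words):
    """Plain dictionary attack: try each word as-is."""
    yield from words


def hybrid_candidates(words, max_digits: int = 2):
    """Hybrid attack: each word, and its capitalised form, with 1..max_digits
    digits appended or prepended ('password1', '1password', '2Winter', ...)."""
    for w in words:
        for form in (w, w.capitalize()):
            yield form
            for n in range(1, max_digits + 1):
                for digits in itertools.product("0123456789", repeat=n):
                    d = "".join(digits)
                    yield form + d
                    yield d + form


def crack(hashes: dict, candidates) -> dict:
    """Hash every candidate once and check it against all stolen hashes at once.
    Returns {user: recovered password} for the accounts that were cracked."""
    by_hash = {}
    for user, h in hashes.items():
        by_hash.setdefault(h, []).append(user)   # identical passwords share a hash
    cracked = {}
    for cand in candidates:
        for user in by_hash.get(md5_hex(cand), ()):
            cracked.setdefault(user, cand)
        if len(cracked) == len(hashes):
            break
    return cracked


if __name__ == "__main__":
    print("dictionary:", crack(STOLEN_HASHES, dictionary_candidates(WORDLIST)))
    print("hybrid:    ", crack(STOLEN_HASHES, hybrid_candidates(WORDLIST)))
```

The dictionary pass recovers only alice's 'summer'; the hybrid pass also recovers bob's 'password1' and carol's '2Winter' by mangling words from the same list. dave's random password is never tried by either, which is the point the answer makes: both attacks are bounded by the wordlist, whereas a rainbow table is bounded by the character set and length. Note also that hashing unsalted MD5 lets one computed hash be checked against every account at once; a per-user salt would force the work to be repeated per account.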
B: A birthday attack is built on a simple premise. If 25 people are in a room, there is a good chance that two of those people will have the same birthday, and the probability increases as
additional people enter the room. It's important to remember that probability doesn't mean that something will occur, only that it's more likely to occur. To put it another way, if you ask whether
anyone has a birthday of March 9th, the odds for any one person are 1 in 365 (roughly 25/365 across the people in the room), but if you ask whether anyone has the same birthday as any other individual,
the odds of there being a match increase significantly: with just 23 people the probability of a shared birthday already exceeds 50 percent. Although two people may not share a birthday in every gathering, the likelihood is fairly high, and as the number of people
increases, so too do the odds that there will be a match.
A birthday attack works on the same premise: if a value is hashed, then given enough attempts another value can be created that gives the same hash value, and finding such a pair takes far fewer attempts than finding a second input for one fixed hash. Even
hash functions such as MD5 have been shown to be vulnerable to a birthday attack. However, a birthday attack finds two inputs that collide; it does not recover a particular user's password from a stolen hash, so it does not crack as many 'random' passwords as a rainbow table attack.
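The birthday reasoning in B, as an added example that is not part of the original explanation: the shared-birthday probability computed exactly, and a birthday search for a collision in a deliberately truncated MD5 (the 24-bit truncation and the 'msg-' message prefix are choices made for this example so that the search finishes in a few thousand hashes; against full 128-bit MD5 the same search would need on the order of 2^64 attempts, which is why practical MD5 collisions rely on structural weaknesses rather than brute force).

```python
"""Birthday probability and a birthday (collision) search on a truncated hash (example code)."""
import hashlib
import math


def birthday_probability(n: int, days: int = 365) -> float:
    """Probability that at least two of n people share a birthday."""
    p_no_match = 1.0
    for k in range(n):
        p_no_match *= (days - k) / days
    return 1.0 - p_no_match


def truncated_md5(data: bytes, bits: int) -> int:
    """First `bits` bits of MD5 as an integer: a deliberately weak toy hash."""
    digest = int.from_bytes(hashlib.md5(data).digest(), "big")
    return digest >> (128 - bits)


def expected_tries(bits: int) -> float:
    """Expected number of distinct inputs hashed before the first collision,
    sqrt(pi/2 * 2^bits), i.e. on the order of 2^(bits/2) rather than 2^bits."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_collision(bits: int, prefix: bytes = b"msg-"):
    """Birthday search: hash distinct messages until two share a truncated hash.
    Returns (msg_a, msg_b, tries). Messages are 'msg-0', 'msg-1', ... (constructed)."""
    seen = {}
    for i in range(2 ** bits + 1):          # pigeonhole: a collision must appear by then
        msg = prefix + str(i).encode()
        h = truncated_md5(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    raise RuntimeError("unreachable")


if __name__ == "__main__":
    for people in (22, 23, 25, 50):
        print(people, "people:", round(birthday_probability(people), 3))
    a, b, tries = find_collision(24)
    print(f"expected ~{expected_tries(24):.0f} tries, collision after {tries}: {a!r} {b!r}")
```

The two messages returned by find_collision are different byte strings with the same 24-bit hash prefix, found after roughly five thousand hashes instead of the sixteen million a brute-force second-preimage search on that toy hash would need on average. That is the square-root advantage the birthday paradox gives an attacker, and it is also why hash output sizes are chosen so that 2^(bits/2) is still out of reach.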
C: A dictionary attack uses a dictionary of common words to attempt to find the user's password. A dictionary attack can find passwords that are dictionary words, but not passwords
that are random characters.
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 256, 327