Wednesday, May 10, 2017

A bit of background

Being sure that readers are up to speed with your subject material is important if you want to discuss that material at any advanced level. In my previous post I made a passing mention of dictionary attacks, hybrid attacks, rainbow tables, salting, and other terms that may need more explanation in order to understand password authentication and hash cracking. I'll offer a short explanation of these terms below.

Dictionary Attack

The attacker takes a list of commonly used words and previously leaked passwords, hashes each entry with the target's algorithm, and compares the result with the target hash. Each guess costs a single hash computation, so the attack is quick, and it only gets stronger as more breached password lists are released on the internet.

Rainbow Table

Rainbow tables are precomputed lookup tables, built for one hash algorithm and one password profile (a character set such as upper and lowercase letters, numbers, special characters, etc., and a length range), that trade a large one-time computation for fast lookups later. Rather than storing every hash, they store chains of hashes linked by a reduction function, which is what keeps the files to a manageable size. There are many places that host these tables online such as http://project-rainbowcrack.com/table.htm


The listing there includes, for example, a SHA1 table covering every password of nine characters or fewer built from upper/lowercase letters and numbers. It's a big download (690 GB), but with it almost any unsalted SHA1 hash of a password fitting that profile (at most nine characters, mixed-case letters and digits) can be recovered in a fraction of the time a brute-force search would take. "Almost" because a rainbow table stores chains rather than every hash, so its success rate is high but not quite 100%, and a lookup is a short calculation along those chains rather than a single table read.
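To make the chain idea concrete, here is a miniature rainbow table, written as an added example for this post (it is not RainbowCrack's code or the post author's). It uses a toy password space of three lowercase letters so that it runs in seconds; the hash is SHA1 as in the table above, and the reduction function, chain length and number of chains are my own choices.

```python
import hashlib
from itertools import product

# Added example, not code from the post or from RainbowCrack. Toy parameters so it runs
# in seconds: the password space is 3 lowercase letters (17,576 values) instead of the
# 9-character mixed-alphanumeric space of the table mentioned above.
CHARSET = "abcdefghijklmnopqrstuvwxyz"
LENGTH = 3
SPACE = len(CHARSET) ** LENGTH
CHAIN_LEN = 100          # hashes per chain: the "time" side of the time/memory trade-off


def H(pw):
    """The hash being attacked (SHA1, as in the table above)."""
    return hashlib.sha1(pw.encode()).digest()


def R(digest, col):
    """Reduction function: map a digest back into the password space.
    Mixing in the column index gives every column its own reduction, which is what
    makes this a *rainbow* table (chains that share one reduction merge far more)."""
    n = (int.from_bytes(digest[:8], "big") + col) % SPACE
    chars = []
    for _ in range(LENGTH):
        n, r = divmod(n, len(CHARSET))
        chars.append(CHARSET[r])
    return "".join(chars)


def chain(start):
    """Plaintexts p0..pt of one chain: p0 = start, p(i+1) = R(H(pi), i).
    Only p0..p(t-1) are covered by the table; pt is the stored endpoint."""
    points = [start]
    pw = start
    for col in range(CHAIN_LEN):
        pw = R(H(pw), col)
        points.append(pw)
    return points


def build_table(num_chains):
    """Precompute chains; store only endpoint -> [start points] (the "memory" side).
    Start points are the first num_chains passwords in order, so the demo is reproducible."""
    table = {}
    starts = ("".join(t) for t in product(CHARSET, repeat=LENGTH))
    for _, start in zip(range(num_chains), starts):
        table.setdefault(chain(start)[-1], []).append(start)
    return table


def coverage(table):
    """Fraction of the password space some chain passes through (the success rate)."""
    covered = set()
    for starts in table.values():
        for start in starts:
            covered.update(chain(start)[:-1])
    return len(covered) / SPACE


def lookup(table, target):
    """Recover a plaintext for digest `target`, or None.
    Guess that target sits at column i (trying the cheapest guess, the last column,
    first), walk the rest of the chain to its endpoint, and see whether a stored chain
    ends there. An endpoint match can be a false alarm, so the chain is regenerated
    from its start point and the candidate is checked against the real hash."""
    for i in range(CHAIN_LEN - 1, -1, -1):
        pw = R(target, i)
        for col in range(i + 1, CHAIN_LEN):
            pw = R(H(pw), col)
        for start in table.get(pw, ()):
            cand = start
            for col in range(i):
                cand = R(H(cand), col)
            if H(cand) == target:
                return cand
    return None


if __name__ == "__main__":
    table = build_table(500)
    print(f"stored {sum(len(v) for v in table.values())} chains, "
          f"coverage {coverage(table):.1%}")
    for pw in ("abc", "qzx", "zzz"):
        print(pw, "->", lookup(table, H(pw)))
```

Running it shows the trade-off directly: 500 chains of 100 hashes need 50,000 hash computations up front but store only 500 endpoints, and the resulting coverage comes out well below 100% because chains collide, which is why real tables quote a success rate rather than a guarantee. A password outside the profile (a digit, a fourth character) is never generated by the reduction function and the lookup returns None.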

Hash Salting

At its simplest, salting a hash means that an extra string is attached to the password before it is hashed. Salts are stored alongside the hashes because the salt is required to recompute and compare the hash at login. Each password should get its own random salt: a single site-wide salt only defeats generic precomputed tables, not a table built specifically for that site.


This effectively eliminates the use of rainbow tables in hash attacks, because all the precomputed hashes are useless once a long random salt is attached to the password prior to hashing. Even a weak password will be immune to rainbow table attacks as long as the salt is strong enough. Note the limit of that claim: salting only defeats precomputation. A weak password is still recovered by a dictionary attack run against its salted hash, since the salt is stored in the clear; the salt merely forces the attacker to redo the work per hash instead of once per algorithm. That is why slow, deliberately expensive password hashes (bcrypt, scrypt, Argon2, PBKDF2) matter in addition to salting.
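The following added example (mine, not from the post) shows both sides of that: a precomputed table stands in for the rainbow table and cracks an unsalted SHA1 hash by lookup, the same password salted per user is a miss, yet a dictionary attack against the salted hash still succeeds. The wordlist is constructed for the demo, and `sha256(salt + password)` is used to match the post's description; a real system would use a slow KDF instead.

```python
import hashlib
import hmac
import os

# Constructed demo wordlist; a real attacker would use a leaked list.
WORDLIST = ["123456", "password", "letmein", "hunter2", "dragon", "qwerty"]


def sha1_hex(text):
    """Unsalted SHA1, the kind of hash a rainbow table targets."""
    return hashlib.sha1(text.encode()).hexdigest()


def precompute(words):
    """Stand-in for a rainbow table: unsalted hash -> password, built once."""
    return {sha1_hex(w): w for w in words}


def table_lookup(table, digest_hex):
    """Instant recovery if the hash was precomputed, None otherwise."""
    return table.get(digest_hex)


def make_record(password, salt=None):
    """What the server stores: (salt, hash). The salt is 16 random bytes per user.
    sha256(salt + password) mirrors the post's description; production code should
    use bcrypt, scrypt, Argon2 or PBKDF2 so each guess is expensive."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt, digest


def verify(password, salt, digest):
    """Login check: recompute with the stored salt, compare in constant time."""
    candidate = hashlib.sha256(salt + password.encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)


def dictionary_attack_salted(salt, digest, words):
    """Salting does not stop this: the attacker prepends the stored salt to each
    guess. It only forces the hashing to be redone for every target hash."""
    for w in words:
        if verify(w, salt, digest):
            return w
    return None


if __name__ == "__main__":
    table = precompute(WORDLIST)
    print("unsalted lookup:", table_lookup(table, sha1_hex("hunter2")))
    salt, digest = make_record("hunter2")
    print("salted lookup:  ", table_lookup(table, digest))
    print("login ok:       ", verify("hunter2", salt, digest))
    print("per-hash attack:", dictionary_attack_salted(salt, digest, WORDLIST))
```

Two users who both pick "hunter2" end up with different stored hashes, so cracking one tells the attacker nothing about the other, and no table built before the salt existed can contain the result. What salting cannot do is make "hunter2" a strong password.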

Hybrid Attack

As leaked password lists become more commonplace, attackers can build attacks that are part dictionary and part brute force. Analysing those lists reveals habits (a capital first letter, a year or an exclamation mark on the end, '1337' speak substitutions) that can be turned into rule sets, and applying the rules to a wordlist covers most of what people actually choose with a tiny fraction of the combinations a full brute-force search would need. Just off the top of my head, I might design a rule that computes hashes of two-word passwords in camel case, replaces I's with 1's and applies other common '1337' speak substitutions, and so on. Tools such as hashcat and John the Ripper ship exactly this kind of rule engine.
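Here is a small rule engine of that kind, written as an added example for this post (not the post author's code and not hashcat's rule syntax). It serves both the Dictionary Attack section above, since plain wordlist entries are tried first, and the hybrid attack described here: capitalisation, a few '1337' substitutions, common suffixes, and CamelCase two-word combinations. The base wordlist and the target passwords are constructed for the demo.

```python
import hashlib
from itertools import permutations

# Constructed base wordlist for the demo; a real run would use a leaked password list.
WORDS = ["summer", "password", "dragon", "time"]

# A handful of common '1337' substitutions (my choice of rules, not a standard set).
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ("1", "123", "!", "2017")


def sha1_hex(text):
    """Unsalted SHA1, the hash being attacked in this demo."""
    return hashlib.sha1(text.encode()).hexdigest()


def mangle(word):
    """Single-word rules: the word itself, Capitalised, UPPER, the leet form of each,
    and every one of those with a common suffix appended."""
    forms = {word, word.capitalize(), word.upper()}
    for f in list(forms):
        forms.add(f.translate(LEET))
    for f in list(forms):
        for suffix in SUFFIXES:
            forms.add(f + suffix)
    return forms


def candidates(words):
    """Yield guesses in cost order: plain dictionary words first (a pure dictionary
    attack), then their mangled forms, then CamelCase two-word combinations with the
    same rules applied. Duplicates are suppressed so no hash is computed twice."""
    seen = set()
    for w in list(words):
        if w not in seen:
            seen.add(w)
            yield w
    combos = [a.capitalize() + b.capitalize() for a, b in permutations(words, 2)]
    for w in list(words) + combos:
        for c in mangle(w):
            if c not in seen:
                seen.add(c)
                yield c


def crack(target_hashes, words):
    """Return {hash: password} for every target recovered from the candidate stream."""
    targets = set(target_hashes)
    found = {}
    for cand in candidates(words):
        h = sha1_hex(cand)
        if h in targets:
            found[h] = cand
            if len(found) == len(targets):
                break
    return found


def candidate_count(words):
    """How many guesses the rules generate from a wordlist (versus 62**10 for a
    brute-force search of 10 mixed-alphanumeric characters)."""
    return sum(1 for _ in candidates(words))


if __name__ == "__main__":
    targets = [sha1_hex(p) for p in ("password", "Dr@g0n123", "SummerTime",
                                     "correcthorsebatterystaple")]
    print(f"{candidate_count(WORDS)} candidates from {len(WORDS)} words")
    for h, pw in crack(targets, WORDS).items():
        print(h, "->", pw)
```

Three of the four targets fall because they are a base word, a mangled base word, and a CamelCase pair; the fourth is never generated, which is the point of the trade-off: the rules cover what people tend to do, not the whole keyspace.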
