Password attacks #

• Brute-Force - Iterate through passwords until they find one that works
  • This can include using lists with generic commonly used passwords or tailored to the target
  • Many passwords attempts for a single user
• Password Spraying - a brute-force variation
  • Few passwords attempts but for many users
  • Example: On a sports fan website, most likely one user, uses the teams name or player as password
• Dictionairy Attacks - a brute-force variation
  • Uses a distinct list of words
• Popular Tool: John The Ripper and Tutorials
• Envirment
  • Online: Run and test passwords against life system with risk getting blocked/caught
  • Offline: You have the hashes or offline copy and you can in all peace go at it.
    • For example a precomputed list of hashes (Rainbow table attack)
      • Hash salts and peper is used to counter rainbow table attack