PrepAway - Latest Free Exam Questions & Answers


Which of the following password attacks is MOST likely to crack the largest number of randomly
generated passwords?


A. Hybrid
B. Birthday attack
C. Dictionary
D. Rainbow tables

Explanation:
When a password is “tried” against a system it is “hashed” using encryption so that the actual password is
never sent in clear text across the communications line. This prevents eavesdroppers from intercepting
the password. The hash of a password usually looks like a bunch of garbage and is typically a different
length than the original password. Your password might be “shitzu” but the hash of your password would
look something like “7378347eedbfdd761619451949225ec1”.
To verify a user, a system takes the hash value created by the password hashing function on the client
computer and compares it to the hash value stored in a table on the server. If the hashes match, then the
user is authenticated and granted access.
Password cracking programs work in a similar way to the login process. The cracking program starts by
taking plaintext passwords, running them through a hash algorithm, such as MD5, and then compares the
hash output with the hashes in the stolen password file. If it finds a match then the program has cracked
the password.
Rainbow Tables are basically huge sets of precomputed tables filled with hash values that are pre-matched to possible plaintext passwords. The Rainbow Tables essentially allow hackers to reverse the
hashing function to determine what the plaintext password might be.
The use of Rainbow Tables allows passwords to be cracked in a very short amount of time compared
with brute-force methods; the trade-off, however, is that it takes a lot of storage (sometimes terabytes)
to hold the Rainbow Tables themselves.
With a rainbow table, all of the possible hashes are computed in advance. In other words, you create a
series of tables; each has all the possible two-letter, three-letter, four-letter, and so forth combinations
and the hash of that combination, using a known hashing algorithm like SHA-2. Now if you search the table for a given hash, the letter combination in the table that produced the hash must be the password
you are seeking.
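The precomputed table the explanation describes, as an added example that is not part of the original page: every one-, two- and three-letter combination over a small alphabet is hashed with SHA-256 (the SHA-2 family) and stored so that a captured hash can be looked up directly. The alphabet and length limit are assumptions chosen to keep the table small; a production rainbow table compresses this plain lookup table with hash chains and reduction functions, which this example does not implement. The last function shows the standard mitigation: a per-user random salt mixed in before hashing means none of the precomputed entries match.

```python
import hashlib
import itertools
import string

# Assumptions for this example: passwords use only a-z and are at most 3 letters,
# which gives 26 + 26**2 + 26**3 = 18,278 table entries.
ALPHABET = string.ascii_lowercase
MAX_LEN = 3


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256 of a password, as a hex string."""
    return hashlib.sha256(text.encode()).hexdigest()


def build_table(alphabet: str = ALPHABET, max_len: int = MAX_LEN) -> dict:
    """Precompute hash -> plaintext for every combination up to max_len letters."""
    table = {}
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            password = "".join(combo)
            table[sha256_hex(password)] = password
    return table


def lookup(table: dict, target_hash: str):
    """Reverse a captured unsalted hash by table lookup; None if not in the table."""
    return table.get(target_hash)


def table_size_bytes(table: dict) -> int:
    """Rough storage cost: hex digest plus plaintext per entry (the trade-off
    the explanation mentions grows quickly with alphabet size and length)."""
    return sum(len(h) + len(p) for h, p in table.items())


def salted_hash(password: str, salt: bytes) -> str:
    """Hash with a per-user salt prepended. The table above was built without
    the salt, so its entries no longer correspond to the stored value."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


TABLE = build_table()

if __name__ == "__main__":
    captured = sha256_hex("cat")          # constructed "stolen" hash
    print("unsalted lookup:", lookup(TABLE, captured))
    salt = bytes(16)                      # constructed fixed salt for the demo
    print("salted lookup:", lookup(TABLE, salted_hash("cat", salt)))
    print("table entries:", len(TABLE), "approx bytes:", table_size_bytes(TABLE))
```

Running the block prints the recovered plaintext for the unsalted hash and `None` for the salted one, which is exactly why salted, slow password hashes (bcrypt, scrypt, Argon2) rather than bare SHA-2 are the defence against this class of attack.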
Incorrect Answers:
A: A hybrid attack is a combination of dictionary and brute-force attacks. A dictionary attack uses a list of
words to use as passwords. The combination or hybrid attack adds characters or numbers or even other
words to the beginning or end of the password guesses. For example, from a password guess of
‘password’ multiple combinations could be created such as ‘password1’, ‘1password’, ‘password2’,
‘2password’. However, a hybrid attack does not guess as many ‘random’ passwords as a rainbow tables
attack.
B: A birthday attack is built on a simple premise. If 25 people are in a room, there is some probability that
two of those people will have the same birthday. The probability increases as additional people enter the
room. It’s important to remember that probability doesn’t mean that something will occur, only that it’s
more likely to occur. To put it another way, if you ask if anyone has a birthday of March 9th, the odds are
1 in 365 (or 25/365 given the number of people in the room), but if you ask if anyone has the same
birthday as any other individual, the odds of there being a match increase significantly. Although two
people may not share a birthday in every gathering, the likelihood is fairly high, and as the number of
people increases, so too do the odds that there will be a match.
A birthday attack works on the same premise: If your key is hashed, the possibility is that given enough
time, another value can be created that will give the same hash value. Even encryption such as that with
MD5 has been shown to be vulnerable to a birthday attack. However, a birthday attack does not guess as
many ‘random’ passwords as a rainbow tables attack.
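The birthday premise worked through in code, as an added example that is not part of the original page: the first function computes the probability that at least two of n people share a birthday, the second gives the general rule for any hash output space (about 1.18 times the square root of the space for a 50% chance of a collision), and the third runs a toy collision search on a truncated MD5 prefix over constructed sequential messages. The 16-bit truncation and the message format are assumptions made so the search finishes in a few hundred hashes; against the full 128-bit MD5 output the same method would need on the order of 2**64 hashes, which is why real MD5 collisions rely on structural weaknesses rather than this search.

```python
import hashlib
import math


def birthday_probability(n: int, days: int = 365) -> float:
    """Probability that at least two of n people share a birthday:
    1 - (365/365) * (364/365) * ... * ((365 - n + 1)/365)."""
    p_no_match = 1.0
    for k in range(n):
        p_no_match *= (days - k) / days
    return 1.0 - p_no_match


def attempts_for_half(space: int) -> float:
    """Approximate number of random samples needed for a 50% chance of a
    collision in a space of `space` possible values: sqrt(2 * ln 2 * space)."""
    return math.sqrt(2.0 * math.log(2.0) * space)


def find_truncated_collision(prefix_hex_chars: int = 4, limit: int = 100_000):
    """Toy collision search on the first `prefix_hex_chars` hex characters of
    MD5 (16 bits when 4). Messages "msg-0", "msg-1", ... are constructed inputs.
    Returns (first_message, second_message, hashes_computed) or None."""
    seen = {}
    for i in range(limit):
        msg = f"msg-{i}"
        prefix = hashlib.md5(msg.encode()).hexdigest()[:prefix_hex_chars]
        if prefix in seen:
            return seen[prefix], msg, i + 1
        seen[prefix] = msg
    return None


if __name__ == "__main__":
    for people in (10, 23, 25, 50):
        print(f"{people} people: {birthday_probability(people):.4f}")
    print("samples for 50% in a 16-bit space:", round(attempts_for_half(2**16)))
    print("truncated MD5 collision:", find_truncated_collision())
```

For 23 people the probability already passes one half (about 0.507), and for 25 it is about 0.569, matching the intuition in the explanation that the odds rise quickly as the room fills. The same square-root rule is what makes hash output length matter: halving the number of bits does far more than halve the attacker's work.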
C: A dictionary attack uses a dictionary of common words to attempt to find the user’s password. A
dictionary attack can find passwords that are dictionary words but not passwords that are random
characters.
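The login check and the offline cracking loop that mirrors it (described under Explanation above), together with the dictionary and hybrid guessing from Incorrect Answers A and C, as an added example that is not part of the original page. The stolen hash file, the word list and the three users are constructed; the assumption is that the breached system stored unsalted MD5, as the explanation describes. The hybrid candidates are built exactly as the text says, by prepending or appending a digit to each dictionary word; the random password in the file is never guessed, which is the point of the comparison.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    """Unsalted MD5 of a password as hex, the scheme assumed for the stolen file."""
    return hashlib.md5(text.encode()).hexdigest()


# Constructed "stolen password file": user -> stored hash. The first two were
# set from a dictionary word and a hybrid variant, the third from a random string.
STOLEN_HASHES = {
    "alice": md5_hex("password"),
    "bob": md5_hex("2password"),
    "carol": md5_hex("x7Q!p9Lz"),
}

# Constructed word list for the dictionary attack.
DICTIONARY = ["password", "letmein", "welcome", "dragon"]


def verify_login(stored_hash: str, supplied_password: str) -> bool:
    """What the login process does: hash the supplied password and compare it
    to the stored hash. compare_digest avoids leaking where the strings differ."""
    return hmac.compare_digest(stored_hash, md5_hex(supplied_password))


def hybrid_candidates(words, max_digit: int = 9):
    """Dictionary words plus the hybrid variations the explanation describes:
    each word with a single digit appended or prepended."""
    for word in words:
        yield word
        for digit in range(max_digit + 1):
            yield f"{word}{digit}"
            yield f"{digit}{word}"


def crack(stolen: dict, candidates) -> dict:
    """Mirror of the login process run offline: hash every candidate and look
    it up among the stolen hashes. Returns user -> recovered password."""
    by_hash = {}
    for user, stored in stolen.items():
        by_hash.setdefault(stored, []).append(user)
    recovered = {}
    for candidate in candidates:
        for user in by_hash.get(md5_hex(candidate), []):
            recovered[user] = candidate
    return recovered


if __name__ == "__main__":
    print("dictionary only:", crack(STOLEN_HASHES, DICTIONARY))
    print("hybrid:", crack(STOLEN_HASHES, hybrid_candidates(DICTIONARY)))
```

The dictionary pass recovers only alice; the hybrid pass adds bob; carol's random password is outside both candidate sets, which is why the question's answer favours the precomputed approach for randomly generated passwords and why, on the defensive side, the absence of a salt in `STOLEN_HASHES` is the real weakness.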

http://netsecurity.about.com/od/hackertools/a/Rainbow-Tables.htm
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 256, 327

