Page 1044 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
The following sections describe common password attacks using
dictionary, brute-force, rainbow tables, and sniffing methods. Some of
these attacks are possible against online accounts. However, it’s more
common for an attacker to steal an account database and then crack
the passwords using an offline attack.
Dictionary Attacks
A dictionary attack is an attempt to discover passwords by using every
possible password in a predefined database or list of common or
expected passwords. In other words, an attacker starts with a database
of words commonly found in a dictionary. Dictionary attack databases
also include character combinations commonly used as passwords but
not found in dictionaries. For example, the passwords recovered from
the published Ashley Madison account database mentioned earlier
appear in many password-cracking dictionaries.
Additionally, dictionary attacks often scan for one-upped-constructed
passwords. A one-upped-constructed password is a previously used
password, but with one character different. For example, password1 is
one-upped from password, as are Password, 1password, and
passXword. Attackers often use this approach when generating
rainbow tables (discussed later in this chapter).
Some people think that using a foreign word as a password
will beat dictionary attacks. However, password-cracking
dictionaries can, and often do, include foreign words.
Brute-Force Attacks
A brute-force attack is an attempt to discover passwords for user
accounts by systematically attempting all possible combinations of
letters, numbers, and symbols. Attackers don’t typically type these in
manually; instead, they use programs that try every combination
automatically. A hybrid attack performs a dictionary attack first and
then a limited brute-force attack that tries one-upped-constructed
variants of each dictionary entry.
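A defender-side check for the dictionary and one-upped-constructed patterns described above, added here as an example (it is not code from the study guide): a new password is rejected if it is a dictionary entry or is within one character edit of one. The word list is a constructed sample and the function names are assumptions of this example.

```python
import string

# Constructed sample of a password-cracking dictionary. A real deployment
# would load a multi-million-entry list (leaked-password compilations included).
CRACKING_DICTIONARY = {"password", "letmein", "qwerty", "welcome", "monkey", "baseball"}

# Character set used for the "one character different" step.
ALPHABET = string.ascii_lowercase + string.digits + string.punctuation


def one_edit_variants(word: str):
    """Yield every string one deletion, substitution or insertion away from word.

    These are exactly the one-upped-constructed forms described in the text
    (password1, 1password and passXword are each one edit from password).
    """
    for i in range(len(word)):
        yield word[:i] + word[i + 1:]                    # deletion
        for c in ALPHABET:
            if c != word[i]:
                yield word[:i] + c + word[i + 1:]        # substitution
    for i in range(len(word) + 1):
        for c in ALPHABET:
            yield word[:i] + c + word[i:]                # insertion


def classify_password(candidate: str, dictionary=CRACKING_DICTIONARY):
    """Return ("dictionary", word), ("one-upped", word) or ("ok", None).

    Case is folded first, so Password collapses onto password itself.
    Generating the candidate's roughly 190*len(candidate) neighbours and
    looking each one up in a set keeps the cost independent of dictionary
    size, which matters when the list has millions of entries.
    """
    lowered = candidate.lower()
    if lowered in dictionary:
        return ("dictionary", lowered)
    for variant in one_edit_variants(lowered):
        if variant in dictionary:
            return ("one-upped", variant)
    return ("ok", None)


if __name__ == "__main__":
    for pw in ["password", "Password", "password1", "1password", "passXword",
               "correct horse battery staple"]:
        print(pw, "->", classify_password(pw))
```

The same check can be run offline over an exported credential list to find accounts whose passwords an attacker's hybrid attack would recover first.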