Page 1045 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Longer and more complex passwords take more time and are costlier to crack than simple passwords. As the number of possibilities increases, the cost of performing an exhaustive attack goes up. In other words, the longer the password and the more character types it includes, the more secure it is against brute-force attacks.
Passwords and usernames are typically stored in an account database file on secured systems. However, instead of being stored as plain text, systems and applications commonly hash passwords, and only store the hash values.
The following three steps occur when a user authenticates with a hashed password.
1. The user enters credentials such as a username and password.
2. The user's system hashes the password and sends the hash to the authenticating system.
3. The authenticating system compares this hash to the hash stored in the password database file. If it matches, it indicates the user entered the correct password.
This provides two important protections. Passwords do not traverse the network in clear text, which would make them susceptible to sniffing attacks. Password databases do not store passwords in clear text, which would make it easier for attackers to discover the passwords if they gain access to the password database.
However, password-cracking tools look for a password that creates the same hash value as an entry stored in the account database file. If they're successful, they can use the password to log on to the account.
As an example, imagine the password IPassed has a stored hash value of 1A5C7G hexadecimal (though the actual hash would be much longer). A brute-force password tool would take these steps:
1. Guess a password.
2. Calculate the hash of the password.
3. Compare the calculated hash against the stored hash in the offline database.
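The hashed-authentication steps, the offline guess/hash/compare loop, and the keyspace growth that makes longer, more varied passwords costlier to exhaust, as an added example that is not from the study guide. It assumes SHA-256 stands in for the system's hash, and the stored hash and guessing rate are constructed values.

```python
import hashlib
import itertools
import string


def hash_password(password: str) -> str:
    """Step 2 on the user's system: hash the password so the clear text never crosses the network.
    SHA-256 is an assumption standing in for whatever hash the account database uses."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def verify_password(candidate: str, stored_hash: str) -> bool:
    """Step 3 on the authenticating system: compare hashes, not clear-text passwords."""
    return hash_password(candidate) == stored_hash


def keyspace_size(charset_size: int, max_length: int) -> int:
    """Candidates an exhaustive attack must cover for passwords of 1..max_length characters
    drawn from charset_size characters: the sum of charset_size**k for each length k."""
    return sum(charset_size ** k for k in range(1, max_length + 1))


def cracking_seconds(charset_size: int, max_length: int, hashes_per_second: int) -> float:
    """Worst-case time to exhaust the keyspace at a given (constructed) guessing rate."""
    return keyspace_size(charset_size, max_length) / hashes_per_second


def offline_attempts(stored_hash: str, alphabet: str, max_length: int) -> int:
    """Count guess/hash/compare cycles the three-step loop needs on a toy keyspace before the
    computed hash equals stored_hash; -1 if the keyspace is exhausted without a match."""
    attempts = 0
    for length in range(1, max_length + 1):
        for combo in itertools.product(alphabet, repeat=length):
            attempts += 1
            if hash_password("".join(combo)) == stored_hash:
                return attempts
    return -1


if __name__ == "__main__":
    stored = hash_password("IPassed")  # constructed account-database entry
    print(verify_password("IPassed", stored), verify_password("ipassed", stored))
    digits = len(string.digits)
    mixed = len(string.ascii_letters + string.digits + string.punctuation)
    for name, charset in (("digits", digits), ("mixed", mixed)):
        for length in (6, 8, 12):
            print(name, length, keyspace_size(charset, length))
    # Toy keyspace: digits only, up to three characters, stored hash of "42".
    print(offline_attempts(hash_password("42"), string.digits, 3))
```

Compare the digits-only and mixed-character rows to see how the exhaustive cost grows with both length and character variety.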