Page 1049 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

and calculating hashes. It simply compares the hashes until it finds a match. This can significantly reduce the time it takes to crack a password.



Many different rainbow tables are available for free download, but they are large. For example, an MD5-based rainbow table covering all four character types (uppercase letters, lowercase letters, digits, and symbols) for an eight-character password is about 460 gigabytes in size. Instead of downloading these tables, many attackers create their own using tools such as rtgen (available in Kali Linux) and scripts freely available on the internet.



Many systems salt passwords to reduce the effectiveness of rainbow table attacks. A salt is a group of random bits generated for each password and combined with the password before it is hashed. Because the salt changes the input to the hash function, two users with the same password end up with different stored hashes, and a table precomputed from unsalted hashes no longer matches anything in the database. Bcrypt and Password-Based Key Derivation Function 2 (PBKDF2) are two commonly used password-hashing algorithms that take a salt as input; both are also deliberately slow, which raises the cost of every individual guess.

However, given enough time, attackers can still crack salted passwords using a brute-force or dictionary attack, because salts are not secret. Salts are random values stored in the same database that holds the hashed passwords, so if an attacker gets the database, the attacker also has the salt for every password. Adding a pepper to a salted password increases the security, making it more difficult to crack. A pepper is a large secret constant stored elsewhere, such as a configuration value on a server or a constant within the application code, so it is not exposed when the password database alone is stolen.

While the practice of salting passwords was specifically introduced to thwart rainbow table attacks, it also blunts offline dictionary and brute-force attacks. These offline attacks must calculate the hash of each guessed password, and when the stored passwords are salted, every guess has to be hashed separately with each account's own salt: precomputed work cannot be reused, work cannot be shared across accounts, and an attacker who does not have the salt cannot check a guess at all. Again, the use of a pepper stored outside the database holding the salted, hashed passwords makes all of these attacks even more difficult, because without the pepper the attacker cannot produce a matching hash even with the correct salt and the correct password guess.
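The following Python script is an added worked example, not code from the study guide. It puts the two preceding discussions side by side: an unsalted MD5 store, where one precomputed lookup table (a constructed stand-in for a rainbow table, built from a small constructed wordlist rather than with rtgen's hash/reduce chains) breaks every account in one pass; and a store using a random per-user salt plus a server-side pepper under PBKDF2-HMAC-SHA256, where the same table is useless, every guess must be recomputed per account, and nothing verifies unless the attacker also has the pepper. The wordlist, the three accounts, the pepper value, and the 100,000-iteration work factor are all assumed values chosen for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample wordlist standing in for the attacker's dictionary.
WORDLIST = ["password", "letmein", "Summer2024", "qwerty", "hunter2"]


# Part 1: unsalted MD5, the case rainbow tables are built for.

def md5_hex(password: str) -> str:
    """Unsalted MD5 of the password, the way weak legacy systems stored it."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(words) -> Dict[str, str]:
    """Precompute hash -> plaintext once. A real rainbow table compresses this
    with hash/reduce chains, but the attacker uses it the same way: look up a
    stolen hash, read off the password, hash nothing at attack time."""
    return {md5_hex(w): w for w in words}


def crack_unsalted(stored: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """One table cracks every account whose hash appears in it, in one pass."""
    return {user: table[h] for user, h in stored.items() if h in table}


# Part 2: per-user random salt plus a server-side pepper, hashed with PBKDF2.

PEPPER = b"constructed-pepper-kept-in-server-config"  # assumed value; never stored in the DB
ITERATIONS = 100_000  # PBKDF2 work factor (assumed; tune upward in production)


def hash_password(password: str, salt: Optional[bytes] = None,
                  pepper: bytes = PEPPER, iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The salt is fresh random bytes per password and is
    stored beside the digest; the pepper is mixed in via HMAC first and is not stored."""
    salt = os.urandom(16) if salt is None else salt
    peppered = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    pepper: bytes = PEPPER, iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt, pepper, iterations)
    return hmac.compare_digest(candidate, digest)


def crack_salted(stored: Dict[str, Tuple[bytes, bytes]], words, pepper: bytes) -> Dict[str, str]:
    """Offline dictionary attack against salted records. No lookup table applies:
    every guess is re-hashed with each account's own salt, and a guess only
    verifies if the attacker also supplies the correct pepper."""
    found = {}
    for user, (salt, digest) in stored.items():
        for w in words:
            if verify_password(w, salt, digest, pepper):
                found[user] = w
                break
    return found


def demo() -> dict:
    """Run both storage schemes against the same three constructed accounts."""
    users = {"alice": "Summer2024", "bob": "Summer2024", "carol": "hunter2"}

    unsalted_db = {u: md5_hex(p) for u, p in users.items()}
    table = build_lookup_table(WORDLIST)
    salted_db = {u: hash_password(p) for u, p in users.items()}

    return {
        # alice and bob share a password: identical unsalted hashes, distinct salted ones
        "unsalted_collide": unsalted_db["alice"] == unsalted_db["bob"],
        "salted_collide": salted_db["alice"][1] == salted_db["bob"][1],
        # the precomputed table breaks every unsalted account at once
        "cracked_unsalted": crack_unsalted(unsalted_db, table),
        # with the DB (salts included) and the pepper, guessing still works, per account
        "cracked_with_pepper": crack_salted(salted_db, WORDLIST, PEPPER),
        # with the DB but without the pepper, no guess ever verifies
        "cracked_without_pepper": crack_salted(salted_db, WORDLIST, b"attacker-guess"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points worth noting. The pepper is applied as an HMAC key over the password before the slow KDF runs, so the stored digest depends on a secret that a dump of the users table does not contain, which is exactly the property the text attributes to a pepper. And `verify_password` compares with `hmac.compare_digest` rather than `==`, so the check does not leak how many leading bytes of a candidate matched through timing.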