0 / 10 flipped
Plaintext Password Storage
Tap to reveal
Storing passwords "in the clear" β in their original, unencrypted form, exactly as the user typed them. Any party with read access to the password file or database immediately holds every user credential with no further effort. No cracking, decryption, or computation is required. If an application stores passwords as plaintext, the only remediation is to replace or completely redesign it β no patch can fix a fundamental architectural flaw. The consequence of a breach is total and instantaneous. Exam rule: plaintext storage is never acceptable. The answer to "what should be done?" is always "use hashing."
Password Hashing
Tap to reveal
The standard practice of applying a one-way cryptographic function to a password before storage, producing a fixed-length message digest (fingerprint). The original password cannot be recovered from the digest β this property is called pre-image resistance. When a user authenticates, the system hashes the submitted password and compares the result to the stored digest. Different passwords always produce different hashes (collision resistance). Even if an attacker steals the hash database, they cannot read passwords β they must brute-force each hash individually by computing candidate hashes and comparing them. Key algorithms: SHA-256 (fast, use with salting); bcrypt, Argon2 (intentionally slow β best for passwords).
Password Spraying
Tap to reveal
An authentication attack that tests a small number of common passwords across a large number of accounts β specifically designed to stay below the per-account lockout threshold on every account. The attacker tries "123456" against 800 accounts (one attempt each), then "password" against the same 800 accounts (two attempts each total) β no account reaches its lockout threshold of 5. No lockouts. No alerts. No security reports. The attack succeeds when any account in the population uses a common password. Top targets: 123456, 123456789, qwerty, password, 1234567. Primary defense: MFA β a correct password alone is insufficient.
Online Brute Force Attack
Tap to reveal
A brute force attack conducted against a live authentication endpoint β submitting password guesses directly to the login system over the network, one attempt at a time. Constraints: each attempt requires a network round-trip (slow); accounts typically lock after 3β10 failed attempts; every failed attempt is logged and may trigger alerts. Online brute force is the least practical attack form in modern environments precisely because lockout policies and monitoring are designed to stop it. Speed: limited to perhaps 1β2 attempts per day on a well-secured system with lockout. Primary defense: account lockout policy and rate limiting.
Offline Brute Force Attack
Tap to reveal
A brute force attack conducted against a locally downloaded copy of a stolen password hash file, with no interaction with the victim's authentication system. The attacker computes candidate password hashes on their own hardware and compares results to stored digests. No network required. No lockout risk. No logging at the victim system. Speed is limited only by hardware β a GPU can compute tens of billions of SHA-256 hashes per second. Prerequisite: the attacker must first acquire the hash file (via DB breach, insider, or backup exposure). Primary defenses: slow hashing (bcrypt/Argon2) and salting; MFA ensures even a cracked password cannot authenticate alone.
Password File
Tap to reveal
The file or database table that stores user credentials in hashed form, paired with usernames. The primary target for offline brute force attacks β obtaining it removes all authentication system constraints. Platform locations: Linux:
/etc/shadow (root-readable only); Windows: SAM database / NTDS.dit (Active Directory); web applications: database users table. The content typically includes: username, password hash, salt (if used), and metadata. Attack implication: any breach that exposes the password file enables unrestricted offline cracking. Protecting the password file with strict access controls is a secondary defense behind strong hashing.Pre-image Resistance
Tap to reveal
A required property of cryptographic hash functions: given only a hash output (digest), it is computationally infeasible to find any input that produces it. This is the core property that makes hashing safe for password storage. An attacker who has the hash cannot work backward to determine the password β they can only test candidate passwords forward through the hash function (brute force). Pre-image resistance is what distinguishes hashing from encryption: encrypted data can be decrypted with the key; a hash cannot be "undone" regardless of resources available. Contrast: collision resistance = can't find two inputs with same hash (birthday attack topic). Pre-image resistance = can't reverse one hash to its input.
Salting
Tap to reveal
Adding a unique random value (salt) to each user's password before hashing it. The salt is stored alongside the hash. Effect: two users with identical passwords produce completely different stored hashes. This defeats rainbow table attacks (precomputed hash-to-password lookup tables) because the attacker would need to build a separate table for every possible salt value. Salting also prevents an attacker from cracking all instances of the same password simultaneously β each account must be attacked individually. Important distinction: salting doesn't make hashing slower β that's the job of the algorithm (bcrypt, Argon2). Salting prevents precomputation and batch cracking. Both are needed together.
Account Lockout Policy
Tap to reveal
An authentication control that locks a user account after N consecutive failed login attempts, preventing further attempts for a set duration or until administrator intervention. The primary defense against online brute force β by limiting attempts to 3β10 before lockout, the policy makes systematic password guessing against a live endpoint operationally infeasible. What it does NOT stop: (1) Password spraying β which explicitly limits attempts per account to stay below the threshold; (2) Offline brute force β which never makes login attempts against the live system. Exam tip: lockout defends against online brute force; MFA defends against everything including spraying and offline attacks.
Defense Summary β Password Attacks
Tap to reveal
Against plaintext storage: never store passwords as plaintext; hash with a strong algorithm; replace the application if it stores in the clear. Against spraying: MFA (primary); block common passwords at creation; monitor for distributed failed login patterns. Against online brute force: account lockout policy; rate limiting; MFA. Against offline brute force: slow hashing algorithm (bcrypt, Argon2); salting (defeats rainbow tables); protect the hash file; MFA (cracked password alone is insufficient). Universal: MFA is the only control effective against all four attack types β it renders the password alone insufficient regardless of how it was obtained or whether it was cracked.