Chapter 53 Β· Concepts

Password Attack Concepts

Attack type quick-reference, plaintext vs. hashed storage comparison, spraying attack flow, online vs. offline brute force, and defense stack in structured reference format.

Password Attacks β€” Quick Reference

AttackTargetMechanismRequires Live System?Primary Defense
Plaintext ExposureCredential databaseRead stored passwords directly β€” no cracking neededNo (file access only)Never store passwords as plaintext; use hashing
Password SprayingAuthentication endpointFew passwords Γ— many accounts β€” stays below lockout thresholdYesMFA; common-password blocklist; distributed failure monitoring
Online Brute ForceAuthentication endpointSystematically tries passwords against live login; one account at a timeYesAccount lockout policy; rate limiting; MFA
Offline Brute ForceStolen hash fileComputes hashes locally; compares to stored digests; no system interactionNo (hash file only)Strong slow hashing (bcrypt/Argon2); salting; MFA

Password Storage β€” Plaintext vs. Hashed

The single most important design decision in credential storage is whether passwords are hashed before storage. The difference in security outcome is absolute β€” not a matter of degree.

AttributePlaintext StorageHashed Storage
What is storedThe password as typed: Sunflower2019Fixed-length digest: 8c6976e5b5410415...
Reversible?Yes β€” it is the passwordNo β€” one-way transformation; mathematically infeasible to reverse
Impact of database breachAll credentials immediately usable; no further effort requiredAttacker must crack each hash individually β€” time and compute required
Authentication methodCompare stored password to inputHash the input; compare digest to stored digest
Exam verdictNever acceptable; replace the applicationRequired minimum; use strong algorithms with salting

Key hash property for password storage: pre-image resistance. Given only the hash output, it is computationally infeasible to determine the input. This means stored digests are useless to an attacker without brute forcing β€” which is why algorithm choice (MD5 vs. bcrypt) matters enormously for offline attack feasibility.

SHA-256 Hash Example β€” Avalanche Effect

The avalanche effect ensures that even a single character change in the input produces a completely different digest β€” making it impossible to infer anything about the original password from the hash:

PasswordSHA-256 Hash (stored)
1234568d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92
12345678bb0cf6eb9b17d0f7d22b456f121257dc1254e1f01665370476383ea776df414
password5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
Passworde7cf3ef4f17c3999a94f2c6f612e8a888e5b1026878e4e19398b23bd38ec221a

One character change ("password" β†’ "Password") produces a completely different 256-bit hash. An attacker cannot use the hash to determine the password, its length, or any structural pattern. They can only test candidate passwords forward through the hash function.

Password Spraying β€” Attack Flow

Prerequisite: Attacker has a list of valid usernames β€” obtained via LDAP enumeration, email harvesting from company website, or public directory
Step 1 β€” Select spray password: Choose the single most common password: 123456. If any account uses this password, one attempt will find it
Step 2 β€” First pass across all accounts: Attempt 123456 against every account in the list. Each account receives exactly one failed attempt β€” well below any lockout threshold (typically 5–10)
Step 3 β€” No alerts, no lockouts: The authentication system sees distributed failures across many accounts β€” not concentrated failures on one account. Standard brute force detection based on per-account failure counts is not triggered
Step 4 β€” Second pass (if needed): Wait a period, then attempt password across all accounts β€” still only 2 total attempts per account
Step 5 β€” Hit: One account using 123456 grants access. The attacker has authenticated with one low-rate attempt β€” no lockout, no alert
Exam distinction: Spraying = few passwords Γ— many accounts. Traditional brute force = many passwords Γ— one account. Spraying is the lockout-evasion variant

Online vs Offline Brute Force β€” Decision Tree

ConditionOnline Attack AppliesOffline Attack Applies
Attacker can reach the login pageYesNot required
Attacker has the hash fileNot requiredYes β€” required prerequisite
Account lockout is enabledSeverely limits attackIrrelevant β€” no login attempts made
Strong hashing algorithm (bcrypt)No effectDramatically slows cracking β€” primary offline defense
MFA is enabledBlocks authentication even if password foundBlocks authentication even if hash is cracked
Salting is usedNo effectPrevents rainbow table use; forces per-account cracking

Hashing Algorithm β€” Impact on Offline Brute Force Speed

AlgorithmGPU Hashes/Second (approx.)Time to Try 1 Billion PasswordsSecurity Status
MD5~50 billion/sec (high-end GPU)< 1 secondBroken β€” never use for passwords
NTLM (Windows)~100 billion/sec< 1 secondWeak β€” legacy; avoid where possible
SHA-256~10 billion/sec~0.1 secondsBetter, but still fast β€” use salted with many iterations
bcrypt (cost 12)~20,000/sec~14 hoursGood β€” designed to be slow
Argon2id~1,000–10,000/secDays to monthsBest current standard β€” memory-hard

Speed figures are approximate for a single modern GPU; actual performance varies by hardware and implementation. The orders-of-magnitude difference between MD5 and bcrypt is what matters for exam purposes.

Defense Stack β€” Password Attacks

AttackPrimary DefenseSecondary Defenses
Plaintext storageNever store passwords as plaintext β€” use hashingReplace the application; migrate to hashed storage; force password reset after migration
Password sprayingMFA β€” even a correct password alone is insufficientBlocklist of common passwords at creation time; detect distributed failed login patterns across accounts
Online brute forceAccount lockout policy β€” locks after N consecutive failuresRate limiting; CAPTCHA; MFA; alerting on concentrated login failures
Offline brute forceStrong, slow hashing algorithm (bcrypt or Argon2)Salting (prevents rainbow tables); MFA (renders cracked hash useless); protect the hash file with strict access controls