Chapter 53 Β· Glossary

Password Attacks Glossary

Key terms for plaintext storage, hashing, password spraying, and brute force attacks.

Password Attack
Any attack that targets credential-based authentication by attempting to discover, bypass, or exploit passwords. Password attacks include plaintext exposure (no cracking needed), spraying (common passwords across many accounts), and brute force (systematic iteration against hashed credentials). The attack surface spans both the authentication endpoint (online attacks) and the password storage mechanism itself (offline attacks against hash files). The effectiveness of any password attack depends on the strength of the password chosen by the user and the storage mechanism chosen by the developer.
Plaintext Password Storage ("In the Clear")
A critical vulnerability in which an application stores user passwords in their original, unencrypted form β€” exactly as the user typed them. Any party with read access to the password file or database table immediately obtains every user credential without any computation, decryption, or cracking effort. Although increasingly rare in modern systems, plaintext storage persists in legacy applications and certain poorly maintained systems. The only remediation is replacement of the application or complete redesign of the storage layer. It cannot be patched without a fundamental architectural change.
Hashing (Password Storage)
The standard practice of transforming a password through a one-way cryptographic function before storage, producing a fixed-length digest (message digest or fingerprint) that cannot be reversed to recover the original password. When a user later authenticates, the system hashes the submitted password and compares the result to the stored digest β€” if they match, the password was correct. The stored database contains only hash values, not passwords. This means an attacker who compromises the database must still crack each hash individually to obtain usable credentials, provided the hashing algorithm and implementation are strong.
Message Digest (Fingerprint)
The fixed-length output produced by a cryptographic hash function applied to an input of any length. Also called a fingerprint β€” analogous to a human fingerprint in that it uniquely identifies the input, can be used for verification, but cannot be used to reconstruct the original. A SHA-256 message digest is always 256 bits (64 hexadecimal characters) regardless of whether the input was one character or one gigabyte. In password storage, the message digest of the user's password is stored rather than the password itself. The term "message digest" is used interchangeably with "hash" in most security contexts.
Pre-image Resistance
A required property of cryptographic hash functions stating that given a hash output (digest), it is computationally infeasible to find any input that produces it. Pre-image resistance is the property that makes hashing viable for password storage: even if an attacker has the hash value, they cannot work backward to determine the original password. This is what distinguishes hashing from encryption β€” encrypted data can be decrypted with the key; a hash cannot be "decrypted" regardless of what resources are available. An attacker must instead resort to brute force (trying candidate passwords forward through the hash function) rather than working backward.
Password File
A file or database table that stores user credentials in hashed form, paired with usernames and often additional metadata. The specific structure and location vary by platform: Linux uses /etc/shadow (root-readable only); Windows stores credentials in the SAM database or NTDS.dit for Active Directory; web applications typically store them in a database users table. The password file is the primary target for offline brute force attacks β€” obtaining it removes the attacker from the constraints of the live authentication system (lockouts, logging, network latency) and enables unrestricted hash cracking using local computational resources.
Password Spraying
An authentication attack that attempts a small set of commonly used passwords across a large number of accounts, rather than many passwords against a single account. By limiting attempts per account to two or three β€” below any lockout threshold β€” spraying avoids triggering account lockouts, authentication alerts, or security reports. The attack relies on the statistical reality that in any large user population, a measurable percentage will have chosen one of the top five most common passwords. Password spraying is an online attack (it interacts with the live authentication system) but evades the defenses designed to stop brute force. MFA is the most effective countermeasure.
Brute Force Attack
A password attack that systematically tests every possible password combination β€” every permutation of characters up to a given length β€” until a match is found. Brute force is guaranteed to succeed given sufficient time and resources; the practical feasibility depends on password length, character set, hashing algorithm speed, and available computational power. Brute force attacks are categorized as online (against the live authentication endpoint β€” constrained by lockouts and latency) or offline (against a downloaded hash file β€” unconstrained). Modern offline brute force using GPUs can evaluate billions of hashes per second against weak hashing algorithms like MD5 or NTLM.
Online Brute Force Attack
A brute force attack conducted against a live authentication endpoint β€” submitting password guesses directly to the login system one at a time over the network. Online attacks are significantly constrained: each attempt requires a network round-trip, accounts often lock after three to ten failures, failed attempts are logged and can trigger alerts, and the attack speed is measured in attempts per minute rather than billions per second. As a result, online brute force is the least practical form of the attack. The primary defenses β€” account lockout policies and authentication rate limiting β€” are specifically designed to make online brute force infeasible.
Offline Brute Force Attack
A brute force attack conducted against a local copy of a stolen password hash file, with no interaction with the victim's authentication system. The attacker computes candidate password hashes locally and compares them to the stored hash values. Because no network is involved, there is no lockout risk, no logging at the victim system, and no rate limiting β€” the attack runs at the full speed of the attacker's hardware. GPU-accelerated cracking can evaluate hundreds of billions of MD5 hashes per second. The attack becomes possible the moment the hash file is exfiltrated; the primary defenses are algorithm strength (bcrypt, Argon2) and salting, which dramatically increase per-attempt computation time.
Salting
A defense against offline brute force and rainbow table attacks in which a unique, random value (the salt) is generated per user and appended or prepended to their password before hashing. The salt is stored alongside the hash. Because each user's hash is computed from a different input (password + unique salt), an attacker cannot use precomputed hash lookup tables (rainbow tables) β€” each account must be cracked individually. Salting does not change the hash algorithm or make the hash function slower; it ensures that identical passwords produce different stored hashes, and forces the attacker to perform a separate brute force campaign for each account rather than cracking all matching passwords simultaneously.
Account Lockout Policy
An authentication control that automatically locks a user account after a specified number of consecutive failed login attempts, preventing further authentication attempts for a defined period or until an administrator re-enables the account. Account lockout is the primary defense against online brute force attacks β€” by limiting an account to three to ten attempts before lockout, the policy makes systematic password guessing against a live endpoint operationally infeasible. Lockout does not protect against offline brute force (which never touches the authentication system) and is explicitly avoided by password spraying (which stays below the threshold per account). MFA is required to address the gaps lockout cannot cover.