AT2k Design BBS Message Area
From: TCOB1
To: All
Subject: Three Password Cracking Techniques and How to Defend Against The
Date/Time: February 26, 2025 12:18 PM

https://thehackernews.com/2025/02/three-passw...

Passwords are rarely appreciated until a security breach occurs; suffice to say,
the importance of a strong password becomes clear only when faced with the
consequences of a weak one. However, most end users are unaware of just how
vulnerable their passwords are to the most common password-cracking methods. The
following are the three common techniques for cracking passwords and how to
defend against them.

Brute force attack

Brute force attacks are straightforward yet highly effective techniques for
cracking passwords. These attacks involve malicious actors using automated tools
to systematically try every possible password combination through repeated login
attempts. While such tools have existed for years, the advent of affordable
computing power and storage has made them even more efficient today, especially
when weak passwords are used.

How it works

When it comes to brute force attacks, malicious actors employ a range of
tactics, from simple brute force attacks that test every possible password
combination to more nuanced approaches like hybrid and reverse brute force
attacks. Each method has a distinct strategy behind it, but the motives behind
brute force attacks are the same: to gain unauthorized access to protected data
or resources.

Some popular automated tools for carrying out brute force attacks include:

    John the Ripper: a multiplatform password cracker with support for 15 different operating systems and hundreds of hashes and cipher types
    L0phtCrack: a tool that uses rainbow tables, dictionaries, and multiprocessor algorithms to crack Windows passwords
    Hashcat: a cracking/password recovery utility that supports five unique modes of attack for over 300 highly-optimized hashing algorithms

Examples

Back in August 2021, U.S. mobile operator T-Mobile fell victim to a data breach
that started with a brute force attack. The security compromise resulted in the
exposure of over 37 million customer records containing sensitive data like
social security numbers, driver's license information, and other personally
identifiable data.

Defense measures

Users should choose strong, complex passwords and multi-factor authentication
(MFA) to protect against brute force attacks. Administrators should implement
account lockout policies and continuously audit their Windows environments for
weak and breached passwords. Tools like Specops Password Auditor can automate
these processes across expansive IT environments.

Dictionary attack

In a password dictionary attack, cyber attackers try to gain access by using a
list of common passwords or words from a dictionary. This predefined word list
typically includes the most often used words, phrases, and simple combinations
(i.e., "admin123"). Password dictionary attacks underscore the importance of
complex, unique passwords, as these attack types are especially effective
against weak or easily guessable passwords.

How it works

The process starts with compiling a list of potential passwords from data
breaches, common password lists, or publicly available resources. Using an
automated tool, malicious actors perform a dictionary attack, systematically
testing each password against a target account or system. If a match is found,
the hacker can gain access and carry out subsequent attacks or movements.

Examples

Malicious actors used password dictionaries to crack hashed passwords in several
high-profile security incidents, such as the 2013 Yahoo data breach and the 2012
LinkedIn data breach. This allowed them to steal the account information of
billions of users.

Defense measures

When creating or resetting passwords, users should use a combination of letters,
numbers, and special characters, and avoid using common words or easily
guessable phrases. Administrators can implement password complexity requirements
in their policies to enforce these mandates across the organization.

Rainbow table attacks

A rainbow table attack uses a special table (i.e., a "Rainbow Table") made up of
precomputed strings or commonly used passwords and corresponding hashes to crack
the password hashes in a database.

How it works

Rainbow table attacks work by exploiting chains of hashing and reduction
operations to efficiently crack hashed passwords. Potential passwords are first
hashed and stored alongside their plaintext counterparts in the rainbow table,
then processed with a reduction function that maps them to new values, resulting
in a chain of hashes. This process is repeated multiple times to build the
rainbow table. When hackers obtain a hash list, they can reverse lookup each
hash value in the rainbow table; once a match is identified, the corresponding
plaintext password is exposed.

Examples

While salting (a method of adding random characters to passwords before hashing)
has reduced the effectiveness of rainbow table attacks, many hashes remain
unsalted; additionally, advances in GPUs and affordable hardware have eliminated
the storage limitations once associated with rainbow tables. As a result, these
attacks continue to be a likely tactic in current and future high-profile
cyber-attacks.

Defense measures

As mentioned previously, salted hashes have significantly reduced the
effectiveness of precomputed tables; organizations should therefore implement
strong hashing algorithms (e.g., bcrypt, scrypt) in their password processes.
Administrators should also regularly update and rotate passwords to reduce the
likelihood of rainbow table dictionary matches/hits.

In short, passwords aren't perfect, but complex and sufficiently long
passphrases remain a vital first line of defense against advanced
password-cracking techniques. Tools like Specops Policy provide an extra layer
of protection by continuously scanning Active Directory against a database of
over 4 billion breached passwords.

--- BBBS/LiR v4.10 Toy-7
 * Origin: TCOB1: https/binkd/telnet binkd.rima.ie (618:500/14)
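
The dictionary-attack defense described in the message above (complexity requirements, plus auditing for weak and breached passwords) can be illustrated with a set-time screening check. This is an added example, not part of the original post or article; the denylist, the substitution map and the function names are assumptions made for illustration. It shows that a complexity rule alone accepts a decorated common word, while a check on the underlying base word rejects it.

```python
import re

# Constructed sample denylist (assumption); production systems load a large
# breached-password corpus instead of five words.
DENYLIST = {"password", "admin", "welcome", "qwerty", "letmein"}

# Common character substitutions that hybrid dictionary attacks also try.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})

def meets_complexity(pw: str, min_len: int = 8) -> bool:
    """Classic rule: minimum length plus lower, upper, digit and symbol."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= min_len and all(re.search(c, pw) for c in classes)

def base_word(pw: str) -> str:
    """Undo the usual decorations: case, leading/trailing digits and symbols, leet."""
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw.lower())
    return core.translate(LEET)

def screen(pw: str, min_len: int = 12) -> str:
    """Hypothetical set-time check: denylist on the base word, then length."""
    if base_word(pw) in DENYLIST:
        return "reject: derived from a common password"
    if len(pw) < min_len:
        return "reject: too short"
    return "accept"

if __name__ == "__main__":
    # Constructed candidate passwords for the demonstration.
    for candidate in ("admin123", "P@ssw0rd2025!", "Tr0ub4dor",
                      "correct horse battery staple"):
        print(f"{candidate!r:32} complexity={meets_complexity(candidate)!s:5} "
              f"screen={screen(candidate)}")
```
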
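
The rainbow-table defense described in the message above (salted hashes with a strong algorithm such as scrypt) is shown here next to an unsalted fast hash. This is an added example, not part of the original post or article; the cost parameters, the storage format and the sample accounts are assumptions. The audit helper shows why unsalted storage is precomputable: two accounts with the same password share one hash, which never happens once each password gets its own random salt.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# scrypt cost parameters (assumed values for the example; tune to your hardware).
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32, maxmem=64 * 1024 * 1024)

def unsalted_sha256(pw: str) -> str:
    """Fast, unsalted hash: identical passwords always give identical output."""
    return hashlib.sha256(pw.encode()).hexdigest()

def hash_password(pw: str) -> str:
    """Salted scrypt; the per-password random salt is stored next to the digest."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(pw.encode(), salt=salt, **SCRYPT)
    return f"scrypt${salt.hex()}${digest.hex()}"

def verify_password(pw: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(pw.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

def shared_hashes(table: dict) -> list:
    """Audit helper: groups of accounts whose stored hash is byte-identical."""
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)

# Constructed sample accounts; alice and bob picked the same password.
SAMPLE = {"alice": "Summer2024!", "bob": "Summer2024!",
          "carol": "kestrel-lantern-42"}

if __name__ == "__main__":
    unsalted = {u: unsalted_sha256(p) for u, p in SAMPLE.items()}
    salted = {u: hash_password(p) for u, p in SAMPLE.items()}
    print("unsalted, shared hashes:", shared_hashes(unsalted))
    print("salted,   shared hashes:", shared_hashes(salted))
    print("bob verifies:", verify_password("Summer2024!", salted["bob"]))
```
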