SY0-701 | Chapter 17 of 212 | Objective 2.4

Password Attacks

This chapter covers password attacks, a critical topic for the SY0-701 exam under Objective 2.4 (Threats, Vulnerabilities, and Mitigations). Password attacks are among the most common and successful attack vectors, targeting the weakest link in authentication: user-chosen passwords. Understanding how these attacks work and how to defend against them is essential for any security professional. We will explore offline and online password attacks, including brute force, dictionary, rainbow tables, and credential stuffing, along with their mitigations.

25 min read
Intermediate
Updated May 31, 2026

The Lock and Key Duplicate

Imagine a high-security office building where employees use physical keys to enter. An attacker wants to gain unauthorized access. Instead of picking the lock (which is time-consuming and noisy), they find a way to copy a legitimate key. They might photograph the key from a distance, use a wax impression, or simply borrow the key momentarily and make a duplicate. The attacker then uses this copied key to enter the building as if they were an authorized employee. This is analogous to password attacks: the attacker obtains a copy of the password (the key) through various means—shoulder surfing, phishing, or stealing the password hash—and then uses it to authenticate as the legitimate user. The defense is to make keys hard to copy (complex passwords, MFA) and to detect when a key is being used in an unusual manner (anomaly detection). Just as a building might use electronic keycards that are harder to duplicate and can be revoked, systems should use strong authentication mechanisms that resist copying and replay.

How It Actually Works

What Are Password Attacks?

Password attacks are attempts by an adversary to obtain or guess a user's password to gain unauthorized access to systems, networks, or data. They exploit the fact that passwords are often weak, reused, or stored insecurely. On the SY0-701 exam, you need to know the different types of password attacks, how they work, and the controls that prevent them.

How They Work Mechanically

Password attacks can be classified as online or offline.

Online attacks involve guessing passwords against a live system. The attacker sends authentication requests to the target service (e.g., SSH, RDP, web login). Each attempt is processed by the server, which checks the password against its stored hash. Online attacks are slow because of network latency and can be detected by rate limiting or account lockout policies. Examples include brute force, dictionary attacks, and credential stuffing.

Offline attacks occur when the attacker has obtained the password hash file (e.g., from a compromised database or a Windows SAM file). The attacker can then attempt to crack the hashes on their own machine at high speed, without interacting with the live system. This allows millions of attempts per second. Offline attacks are more dangerous because they are not limited by server-side controls. Examples include brute force against hashes, rainbow table attacks, and rule-based attacks.

Key Components and Variants

Brute Force Attack: Tries every possible combination of characters until the correct password is found. For a password of length L with a character set of size C, there are C^L possibilities. This is computationally expensive and time-consuming for long, complex passwords. On the exam, know that brute force is the most comprehensive but slowest method.

Dictionary Attack: Uses a list of common passwords (dictionary) to guess the password. It is faster than brute force because it only tries likely passwords. The attacker may use a wordlist like rockyou.txt (contains 14 million passwords from a real breach).

Rainbow Table Attack: Uses precomputed tables of hash values for common passwords to reverse a hash quickly. The table maps plaintext passwords to their hashes. Instead of computing the hash for each guess, the attacker looks up the hash in the table. This is faster than brute force but requires large storage. Mitigation is salting—adding a random value to the password before hashing, which makes rainbow tables ineffective because the same password with different salts produces different hashes.

Credential Stuffing: Uses username/password pairs obtained from one breach (e.g., a social media site) and tries them on other services (e.g., bank, email). This exploits password reuse. The attack uses automated tools to test credentials against multiple services.

Password Spraying: Tries a small number of common passwords (e.g., "Password123") against many accounts to avoid lockout. Instead of trying many passwords for one user, the attacker tries one password for many users. This bypasses account lockout policies that trigger after a few failed attempts per user.

Hybrid Attack: Combines dictionary and brute force. For example, appending numbers or special characters to dictionary words (e.g., "password1!").

Pass-the-Hash: An attack on Windows networks where the attacker captures the NTLM hash of a user's password and uses it to authenticate without knowing the plaintext password. This is not a password guessing attack but a credential theft attack.

How Attackers Exploit

Attackers first gain access to password hashes through techniques like SQL injection, phishing, or exploiting misconfigured servers. They then use tools like Hashcat or John the Ripper to crack the hashes offline. For online attacks, tools like Hydra or Medusa are used. Attackers may also use social engineering to trick users into revealing passwords.

Defenses

Password Complexity Policies: Enforce minimum length (e.g., 8+ characters) and use of uppercase, lowercase, numbers, and symbols. However, length is more important than complexity—a 16-character passphrase is harder to crack than an 8-character complex password.

Account Lockout: After a certain number of failed attempts (e.g., 5), lock the account for a period. This thwarts online brute force and dictionary attacks.

Rate Limiting: Limit the number of login attempts from a single IP address over time.

Multi-Factor Authentication (MFA): Even if the password is compromised, the attacker cannot authenticate without the second factor (e.g., OTP, biometric).

Salting and Hashing: Store passwords using a strong, slow hash function like bcrypt, scrypt, or Argon2, with a unique salt per password.

Password Managers: Encourage users to generate and store complex, unique passwords.

Regular Password Changes: Mandatory periodic changes are no longer recommended (NIST now advises against them), but a password should be changed immediately after a suspected compromise.

Credentialed Scanning: Use tools to audit password strength and check for compromised passwords against known breach databases.

Real Command/Tool Examples

- Hashcat (offline cracking):

  `hashcat -m 1000 -a 0 hashes.txt rockyou.txt`

  `-m 1000` selects NTLM hashes; `-a 0` selects a straight dictionary attack.

- Hydra (online attack):

  `hydra -l admin -P passwords.txt ssh://192.168.1.100`

  This attempts SSH logins to the target with username "admin" and each password from the file.

- John the Ripper:

  `john --wordlist=rockyou.txt hashes.txt`

Salted hashing in Python: given a random per-user `salt`, `hashlib.pbkdf2_hmac('sha256', password.encode(), salt, 100000)` derives the hash to store.
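The salted, slow hashing the defenses above call for, as an added example written for this chapter (not code from the original page). It uses only the Python standard library; the record layout `pbkdf2_sha256$iterations$salt$hash` is a convention chosen for this demo, and `same_hash_across_users` shows why a unique salt per password defeats precomputed tables.

```python
"""Salted, slow password hashing with PBKDF2-HMAC-SHA256 and verification.

Added example for this chapter, not code from the original page. The record
layout "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>" is a convention
chosen for this demo, not any particular product's storage format.
"""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000   # work factor used in the chapter; raise it over time
SALT_BYTES = 16        # 128-bit random salt, unique per stored password


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record carrying algorithm, cost, salt, hash."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)      # fresh CSPRNG salt for each record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and cost; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:            # malformed record: unpack/int/hex failures
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations)
    # compare_digest does not short-circuit on the first differing byte
    return hmac.compare_digest(candidate, expected)


def same_hash_across_users(password: str) -> bool:
    """Would two users who pick the same password share a stored hash?

    With a unique salt per record the answer is False, which is why a
    rainbow table precomputed from passwords alone cannot be reused.
    """
    first = hash_password(password).split("$")[3]
    second = hash_password(password).split("$")[3]
    return first == second


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("correct password verifies:",
          verify_password("correct horse battery staple", rec))
    print("wrong password verifies:  ", verify_password("P@ssw0rd!", rec))
    print("same hash for same password twice:",
          same_hash_across_users("Password123"))
```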

Standards and References

NIST SP 800-63B: Digital Identity Guidelines – Authentication and Lifecycle Management. Recommends against password complexity rules and periodic changes; instead, use password length, check against breached password lists, and require MFA.

RFC 7617: The 'Basic' HTTP Authentication Scheme (plaintext passwords).

CVE-2021-33739: Microsoft Windows NTLM hash disclosure vulnerability.

Exam Tip

Know the difference between online and offline attacks. Offline attacks are more dangerous because they are not limited by lockout. Salting defeats rainbow tables. Account lockout defeats online brute force. Credential stuffing exploits password reuse. Password spraying avoids lockout by trying few passwords on many accounts.

Walk-Through

1. Reconnaissance and Hash Acquisition

The attacker identifies a target system or database that stores password hashes. This could be a web application, a Windows domain controller, or a Linux server. The attacker then exploits a vulnerability (e.g., SQL injection, file inclusion, or misconfigured backup) to extract the password hash file. For example, on a Windows system, the attacker might obtain the SAM file (C:\Windows\System32\config\SAM) or the NTDS.dit file on a domain controller. On Linux, the /etc/shadow file is the target. Alternatively, the attacker may capture hashes in transit using a man-in-the-middle attack (e.g., Responder tool for NTLM hashes). The logs would show unusual database queries or file access, but if the attacker is careful, they may blend in.

2. Identify Hash Type

Once the hashes are obtained, the attacker identifies the hash format. Common formats include NTLM (Windows), SHA-1, MD5, bcrypt, and LM hashes. Tools like `hashid` or `hash-identifier` can automatically detect the hash type. For example, a hash starting with `$2y$` is bcrypt, while a 32-character hex string is likely MD5. The attacker must know the correct hash type to choose the right mode in cracking tools. Incorrect identification leads to wasted time. On the exam, you may be asked to identify hash types from sample strings.
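The format identification step seen from the defender's side, as an added example that is not part of the original page: a small classifier that tells salted, self-describing formats from bare unsalted digests, so an incident responder can size up a leaked dump (the unsalted-MD5 situation in Scenario 2 later in this chapter). The prefix table and the sample dump are constructed for the demo; a 32-character hex digest is reported as ambiguous because MD5, NTLM and LM all produce one.

```python
"""Tell salted, self-describing hash formats from bare unsalted digests.

Added example for this chapter, not code from the original page. The prefix
table covers common modular-crypt formats; the sample dump is constructed.
"""
import re

# Self-describing formats: the prefix names the algorithm and the string
# carries its own salt (and usually a cost parameter).
PREFIXES = [
    ("$argon2id$", "argon2id", "strong"),
    ("$argon2i$", "argon2i", "strong"),
    ("$2a$", "bcrypt", "strong"),
    ("$2b$", "bcrypt", "strong"),
    ("$2y$", "bcrypt", "strong"),
    ("$6$", "sha512crypt", "moderate"),
    ("$5$", "sha256crypt", "moderate"),
    ("$1$", "md5crypt", "weak"),
]

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# A bare hex digest carries no salt, so only its length is informative, and
# 32 hex characters is ambiguous: MD5, NTLM and LM all produce 16 bytes.
BARE_HEX = {32: ["MD5", "NTLM", "LM"], 40: ["SHA-1"],
            64: ["SHA-256"], 128: ["SHA-512"]}


def classify_hash(value):
    """Return (candidate algorithms, rating, salted) for one stored hash."""
    v = value.strip()
    for prefix, name, rating in PREFIXES:
        if v.startswith(prefix):
            return ([name], rating, True)
    if HEX_RE.match(v) and len(v) in BARE_HEX:
        # fast, unsalted digest: rainbow tables and GPU cracking both apply
        return (BARE_HEX[len(v)], "weak", False)
    return (["unknown"], "unknown", False)


def audit_dump(records):
    """Summarise a leaked dump: counts per format and how many are at risk."""
    summary = {"total": 0, "unsalted_fast": 0, "by_format": {}}
    for rec in records:
        candidates, rating, salted = classify_hash(rec)
        key = "/".join(candidates)
        summary["total"] += 1
        summary["by_format"][key] = summary["by_format"].get(key, 0) + 1
        if not salted and rating == "weak":
            summary["unsalted_fast"] += 1
    return summary


# Constructed sample records (not real credentials): one bcrypt record, one
# argon2id record, two bare 32-hex digests and one bare 40-hex digest.
SAMPLE_DUMP = [
    "$2y$10$" + "x" * 53,
    "$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$" + "y" * 43,
    "5f4dcc3b5aa765d61d8327deb882cf99",
    "0123456789abcdef0123456789abcdef",
    "a" * 40,
]

if __name__ == "__main__":
    for rec in SAMPLE_DUMP:
        print(classify_hash(rec), rec[:24] + "...")
    print(audit_dump(SAMPLE_DUMP))
```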

3. Select Cracking Strategy

Based on the hash type and available resources, the attacker chooses a cracking strategy. For weak hashes like LM or NTLM, a brute force or dictionary attack may succeed quickly. For strong hashes like bcrypt (slow by design), the attacker may use a dictionary attack with rules. The attacker also decides whether to use a wordlist (e.g., rockyou.txt), a rule-based attack (e.g., adding numbers to dictionary words), or a brute force attack for short passwords. They might also use a rainbow table if the hashes are unsalted. Tools like Hashcat support all these modes with specific flags.

4. Execute Cracking Operation

The attacker runs the cracking tool. For example, using Hashcat: `hashcat -m 1000 -a 0 hashes.txt rockyou.txt`. This attempts to crack NTLM hashes using a dictionary. The attacker can also use GPU acceleration to speed up the process. The tool outputs cracked passwords as it finds them. The attacker monitors progress; if no passwords are cracked, they may switch to a larger wordlist or apply rules. Logs on the attacker's machine show the cracking speed (hashes per second) and success rate. On a modern GPU, NTLM hashes can be cracked at billions of attempts per second, while bcrypt may only achieve thousands.

5. Exploit Cracked Credentials

Once passwords are recovered, the attacker uses them to log into the target system or other systems where the user may have reused the password. For example, if the attacker cracked a user's corporate email password, they may try that password on the user's social media or banking accounts (credential stuffing). The attacker may also escalate privileges if the cracked password belongs to a domain admin. The defender would see successful logins from unusual locations or times, which should trigger alerts. A common mistake is not enabling MFA, which would have blocked the attacker even with the correct password.

What This Looks Like on the Job

Scenario 1: SOC Analyst Detecting Password Spraying

A SOC analyst notices a spike in failed login attempts across multiple user accounts from a single IP address. The attempts are using the same password (e.g., "Spring2024!") on different usernames. The analyst uses SIEM tools like Splunk to correlate events. The correct response is to block the IP address, enforce account lockout after a few failures, and require MFA. A common mistake is to only lock the specific accounts targeted, but the attacker will move to other accounts. The analyst should also check for successful logins from that IP to see if any accounts were compromised.
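The correlation the analyst performs above, as an added example that is not part of the original page: it groups failures by source address, flags a source that hits many distinct accounts while staying under the per-account lockout threshold, and lists any later successful logins from that source. The log line format and the events are constructed for the demo.

```python
"""Flag password-spraying patterns in authentication logs.

Added example for the SOC scenario, not code from the original page. The log
line format and every event below are constructed for the demo (the
203.0.113.0/24 and 198.51.100.0/24 ranges are reserved for documentation).
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>AUTH_FAIL|AUTH_OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: 203.0.113.7 fails once against six different accounts
# (never reaching a 5-failure lockout) and then succeeds as "grace";
# 198.51.100.2 is one user mistyping twice, which per-account lockout handles.
SAMPLE_LOG = """\
2024-04-08T09:00:01Z AUTH_FAIL user=alice src=203.0.113.7
2024-04-08T09:00:03Z AUTH_FAIL user=bob src=203.0.113.7
2024-04-08T09:00:05Z AUTH_FAIL user=carol src=203.0.113.7
2024-04-08T09:00:07Z AUTH_FAIL user=dave src=203.0.113.7
2024-04-08T09:00:09Z AUTH_FAIL user=erin src=203.0.113.7
2024-04-08T09:00:11Z AUTH_FAIL user=frank src=203.0.113.7
2024-04-08T09:00:13Z AUTH_OK user=grace src=203.0.113.7
2024-04-08T09:01:00Z AUTH_FAIL user=alice src=198.51.100.2
2024-04-08T09:01:05Z AUTH_FAIL user=alice src=198.51.100.2
2024-04-08T09:01:09Z AUTH_OK user=alice src=198.51.100.2
"""


def parse_log(text):
    """Return a list of (timestamp, event, user, src) tuples, skipping junk."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["event"], m["user"], m["src"]))
    return events


def detect_spraying(events, window=timedelta(minutes=10),
                    min_users=5, lockout=5):
    """Map source IP -> finding for sources matching the spraying signature.

    Signature: within `window`, one source fails against at least `min_users`
    distinct accounts while staying below `lockout` failures on every single
    account, so a per-account lockout policy never fires. The finding also
    lists accounts that later logged in successfully from that source; those
    are the ones to treat as compromised.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        fails = sorted(e for e in evs if e[1] == "AUTH_FAIL")
        for i, first in enumerate(fails):
            chunk = [e for e in fails[i:] if e[0] - first[0] <= window]
            per_user = defaultdict(int)
            for e in chunk:
                per_user[e[2]] += 1
            if len(per_user) >= min_users and max(per_user.values()) < lockout:
                successes = sorted({e[2] for e in evs
                                    if e[1] == "AUTH_OK" and e[0] >= first[0]})
                findings[src] = {"users": sorted(per_user),
                                 "max_per_user": max(per_user.values()),
                                 "successes": successes}
                break
    return findings


if __name__ == "__main__":
    for src, f in detect_spraying(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {len(f['users'])} accounts, max {f['max_per_user']} "
              f"failure(s) each, later successes: {f['successes'] or 'none'}")
```

Blocking only the targeted accounts would miss the point; the finding is keyed on the source, and the `successes` list is what to check first.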

Scenario 2: Incident Responder Handling Offline Hash Cracking

After a web server breach, the incident response team finds that the attacker exfiltrated the database containing password hashes. The hashes are unsalted MD5, indicating weak security. The team must assume all passwords are compromised. They force password resets for all users and implement bcrypt with salts. They also check for any unauthorized access using the cracked passwords. A common mistake is to only reset passwords for users whose hashes were cracked, but the attacker may have cracked more later. The team should also review logs for any lateral movement.

Scenario 3: Security Engineer Deploying Password Policy

A company wants to implement a password policy compliant with NIST SP 800-63B. The engineer configures Active Directory to require a minimum of 12 characters, checks passwords against a list of common passwords (e.g., from Have I Been Pwned), and does not require periodic changes. They also enable MFA for all users. A common mistake is to enforce complex rules (e.g., must include symbols) that lead to predictable patterns (e.g., "Password1!"). The engineer should also implement account lockout after 10 failed attempts and rate limiting on VPN logins.

How SY0-701 Actually Tests This

What SY0-701 Tests on Objective 2.4 (Password Attacks)

Identify and distinguish between online and offline password attacks.

Know the specific attack types: brute force, dictionary, rainbow table, credential stuffing, password spraying, pass-the-hash.

Understand mitigations: salting, hashing, account lockout, MFA, rate limiting, password complexity vs. length.

Recognize tools: Hashcat, John the Ripper, Hydra, Cain & Abel (legacy), Ophcrack (rainbow tables).

Understand the role of NIST SP 800-63B recommendations.

Common Wrong Answers and Why Candidates Choose Them

1. Choosing 'brute force' when the scenario describes a dictionary attack. Candidates often confuse these because both involve guessing. The key difference: brute force tries all combinations; dictionary uses a wordlist. If the scenario says the attacker used a list of common passwords, it's a dictionary attack.

2. Selecting 'rainbow table' when hashes are salted. Candidates forget that salting renders rainbow tables useless. If the hash is salted, the attack is likely brute force or dictionary.

3. Picking 'credential stuffing' when the attack is password spraying. Both use credentials from breaches, but credential stuffing uses exact username/password pairs; password spraying uses a few passwords on many accounts. The scenario often mentions 'same password tried on many accounts' — that's spraying.

4. Confusing 'pass-the-hash' with offline cracking. Pass-the-hash is an online attack using captured hashes to authenticate without cracking. It does not involve guessing; it uses the hash directly.

Specific Terms and Values

LM hash: Weak, split into two 7-character parts, easily cracked.

NTLM hash: More secure than LM but still vulnerable to brute force.

bcrypt: Slow hash, uses Blowfish cipher, includes salt.

PBKDF2: Key derivation function, used in many systems (e.g., Apple, Android).

Argon2: Winner of the Password Hashing Competition, memory-hard.

Rockyou.txt: Famous wordlist from a 2009 breach.

Hashcat modes: -m 1000 (NTLM), -m 0 (MD5), -m 3200 (bcrypt).

Common Trick Questions

'Which attack is most effective against salted hashes?' Answer: Brute force or dictionary (rainbow tables are ineffective).

'What prevents rainbow table attacks?' Answer: Salting.

'What is the best defense against credential stuffing?' Answer: MFA (not password complexity).

Decision Rule for Scenario Questions

1. Is the attack against a live system (online) or against captured hashes (offline)?

2. If online, does it try many passwords for one user (brute force/dictionary) or one password for many users (spraying)?

3. If offline, are the hashes salted? If yes, rainbow tables are not possible.

4. Does the attacker use a list of common passwords? → Dictionary.

5. Does the attacker use credentials from another breach? → Credential stuffing.

Always eliminate options that contradict the scenario details (e.g., 'rainbow table' when hashes are salted).

Key Takeaways

Offline password attacks are more dangerous because they bypass account lockout and can be performed at high speed using GPUs.

Salting defeats rainbow table attacks; always use a unique salt per password.

NIST SP 800-63B recommends password length over complexity and discourages mandatory periodic password changes.

Multi-factor authentication (MFA) is the single most effective defense against password attacks, including credential stuffing and password spraying.

Hashcat mode -m 1000 is for NTLM hashes; -m 0 for MD5; -m 3200 for bcrypt.

Account lockout policies should be set to a reasonable number of failed attempts (e.g., 5-10) to thwart online brute force.

Password spraying attacks use a few passwords on many accounts to avoid triggering lockout.

Pass-the-hash is not a password cracking technique; it reuses captured hashes for authentication.

Rockyou.txt is a common wordlist with over 14 million passwords from a real breach.

Credential stuffing exploits password reuse across multiple services.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Online Password Attack

- Interacts with live system (e.g., login page)
- Limited by network latency and server response
- Can be detected and blocked by lockout/rate limiting
- Slower (e.g., few attempts per second)
- Examples: brute force, dictionary, password spraying

Offline Password Attack

- Occurs on attacker's machine using captured hashes
- Not limited by server; can use GPU acceleration
- Undetectable by target system (no logs on target)
- Fast (millions of attempts per second)
- Examples: hash cracking, rainbow table, rule-based

Dictionary Attack

- Uses a precompiled list of likely passwords
- Faster but less comprehensive
- May miss passwords not in the list
- Effective against weak/common passwords
- Tool: Hashcat with `-a 0` (dictionary mode)

Brute Force Attack

- Tries all possible character combinations
- Slower but guaranteed to find the password eventually
- Covers all possibilities (exhaustive)
- Impractical for long/complex passwords
- Tool: Hashcat with `-a 3` (brute force mask)

Credential Stuffing

- Uses exact username/password pairs from breaches
- Targets a single user or a few users with many passwords
- Relies on password reuse across services
- Often automated with bots
- Mitigation: MFA, unique passwords per service

Password Spraying

- Uses a few common passwords on many accounts
- Targets many users with a small set of passwords
- Avoids account lockout by staying under the threshold
- Often targets corporate environments
- Mitigation: MFA, rate limiting, strong password policy

Watch Out for These

Mistake: Rainbow tables are effective against all hashed passwords.

Correct: Rainbow tables are only effective against unsalted hashes. Salting adds a random value to each password before hashing, so the same password produces different hashes, rendering precomputed tables useless.

Mistake: A complex password with symbols is always stronger than a longer passphrase.

Correct: Length is more important than complexity. A 16-character passphrase (e.g., 'correct horse battery staple') is exponentially harder to crack than an 8-character password with symbols (e.g., 'P@ssw0rd!') due to the larger keyspace.

Mistake: Account lockout prevents all online password attacks.

Correct: Account lockout prevents brute force and dictionary attacks on a single account, but password spraying attacks try a few common passwords on many accounts, so lockout may not trigger if the attacker stays below the threshold per account.

Mistake: Pass-the-hash is a type of password cracking.

Correct: Pass-the-hash is not cracking; it reuses captured NTLM hashes to authenticate without knowing the plaintext password. The attacker does not need to crack the hash; they simply replay it to gain access.

Mistake: Multi-factor authentication (MFA) is not needed if passwords are strong.

Correct: Even strong passwords can be compromised through phishing, keyloggers, or database breaches. MFA provides a second layer of defense, making it much harder for an attacker to authenticate even with the correct password.

Frequently Asked Questions

What is the difference between a dictionary attack and a brute force attack?

A dictionary attack uses a list of common passwords (e.g., rockyou.txt) to guess the password, while a brute force attack tries every possible combination of characters. The dictionary attack is faster but may miss passwords not in the list. Brute force is comprehensive but slower. On the exam, if the scenario mentions a 'wordlist' or 'common passwords', it's a dictionary attack. If it says 'all possible combinations', it's brute force.

How does salting prevent rainbow table attacks?

Salting adds a random, unique value (the salt) to each password before hashing. This means the same password will produce different hashes for different users. Rainbow tables are precomputed tables of hash values for common passwords without salts. Because the salt changes the hash, the precomputed table is useless. The attacker would need to generate a new table for each salt, which is impractical. On the exam, remember: salting defeats rainbow tables.

What is credential stuffing and how can it be prevented?

Credential stuffing is an attack where the attacker uses username/password pairs obtained from a data breach (e.g., from a social media site) and tries them on other services (e.g., banking, email). This exploits password reuse. Prevention includes using unique passwords for each service, enabling MFA, and implementing rate limiting. Organizations should also check passwords against breach databases and force password resets if a breach is detected.

Why is password length more important than complexity?

Password length increases the keyspace exponentially. For example, an 8-character password using 95 printable characters has 95^8 ≈ 6.6 quadrillion combinations. A 16-character password has 95^16 ≈ 4.4e31 combinations, which is astronomically larger. A longer passphrase (e.g., 'correct horse battery staple') is easier to remember and harder to crack than a short complex password. NIST SP 800-63B recommends at least 8 characters for user-chosen passwords and 6 for randomly generated ones, but longer is better.

What is password spraying and how does it differ from brute force?

Password spraying is an online attack where the attacker tries a small number of common passwords (e.g., 'Password123', 'Welcome1') against many user accounts. This avoids account lockout because the attacker does not exceed the failed attempt threshold for any single account. In contrast, a brute force attack tries many passwords against a single account, which triggers lockout. On the exam, if the scenario says 'attacker tried the same password on multiple accounts', it's password spraying.

What tools are commonly used for offline password cracking?

The most common tools are Hashcat and John the Ripper. Hashcat is GPU-accelerated and supports many hash types. John the Ripper is CPU-based and also supports many formats. Both can perform dictionary, brute force, and rule-based attacks. Other tools include Cain & Abel (legacy) and Ophcrack (for rainbow tables). On the exam, you may be asked to identify the tool used in a scenario.

How does multi-factor authentication (MFA) protect against password attacks?

MFA requires two or more factors: something you know (password), something you have (token, phone), or something you are (biometric). Even if an attacker obtains the password through phishing or cracking, they cannot authenticate without the second factor. This protects against credential stuffing, password spraying, and offline cracking. MFA is the most effective control for password attacks. On the exam, MFA is often the correct answer for mitigating credential theft.
