Password Attack Taxonomy

This attack taxonomy covers the most common attacks on passwords. The table below splits the attack categories into online and offline attacks. Offline attacks require access to a database of scrambled or encrypted passwords, while online attacks use the normal user interface to test or obtain user passwords.

[Figure: table of password attack categories, split into online and offline attacks, with a Password Entropy column]

The simplest online attack is to guess a password and try it. This attack works against weak passwords only (and in Hollywood movies), as shown in the table above (see the Password Entropy, i.e., password strength, column). However, online guessing attacks can start to resemble dictionary attacks if the attacked system is cloud-based. Cloud-based systems can’t lock user accounts after a certain number of tries, as this policy would cause widespread DoS situations. This gives attackers an opportunity to perform many more guesses.

More sophisticated online attacks try to extract user passwords by eavesdropping on users as they type them. They can either attack the Computer (e.g., by installing malware on it) or attack the Communication channel (e.g., with a redirection attack). In a redirection attack, the user believes she is talking to the genuine server, but in reality someone else sits in between and watches everything. These attacks can compromise passwords of any strength.

The class of offline attacks requires some sort of password database. This means the attacker can access the stored password data at will. As the password database sits on the attacker’s computer, it is possible to make billions of password guesses per second with a single computer (or its graphics processing unit). Offline rainbow-table attacks use pre-computed tables of password hash values; this makes them less flexible but very quick. One notable example of rainbow tables is the database of NTLM hashes for MS Windows (Ophcrack by Objectif Securite). Ophcrack is available online: you can test it with a single password hash and get an instant result. A number of other rainbow tables (for MD5, SHA-x, and other hashes) are readily available online.
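Pre-computation of this kind only pays off when the stored value is a deterministic, unsalted hash of the password. The following Python example, added here and not part of the original post, builds a small hash-to-password lookup table from a constructed wordlist (the principle behind a rainbow table, without the chain compression) and shows that the same lookup yields nothing once each user has a random salt and an iterated KDF (PBKDF2-HMAC-SHA256, a standard library call, is assumed as the slow hash).

```python
import hashlib
import os

# Constructed wordlist standing in for a leaked-password dictionary.
WORDLIST = ["password", "letmein", "qwerty", "winter2013", "Tr0ub4dor&3"]

ITERATIONS = 200_000  # assumed PBKDF2 work factor; raises the cost of every offline guess


def build_lookup_table(words, algo="sha256"):
    """Precompute hash -> password once; reusable against every unsalted database."""
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in words}


def unsalted_store(password, algo="sha256"):
    """Weak storage: one deterministic hash per password, identical for every user."""
    return hashlib.new(algo, password.encode()).hexdigest()


def salted_store(password, salt=None, iterations=ITERATIONS):
    """Hardened storage: per-user random salt plus an iterated KDF, encoded as salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + digest.hex()


def lookup(table, stored):
    """Instant table lookup; the digest part of a salted record never matches a precomputed entry."""
    return table.get(stored.split("$")[-1])


def verify_salted(password, stored, iterations=ITERATIONS):
    """Server-side check: recompute the KDF with the stored salt and compare digests."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), iterations)
    return digest.hex() == digest_hex


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted:", lookup(table, unsalted_store("letmein")))   # recovered from the table
    print("salted:  ", lookup(table, salted_store("letmein")))     # None: precomputation does not apply
```

Because every user gets a different salt, an attacker would need one table per user, and the iteration count turns each remaining guess into a deliberately slow computation rather than a free lookup.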

[Figure: password attacks mapped onto the system model]

The figure above maps password attacks onto our system model. You can see that the closer an attack is to the authentication system, the larger the number of passwords compromised by a single successful attack. At the same time, scalability (the potential to repeat the same attack across a number of system instances) decreases, as does the degree to which the attack can be automated.

Published by

Dan Cvrcek

Founder and CEO of Enigma Bridge, engineer, entrepreneur, cryptography SME, security architect, and professor.