
Password hashing

Attacks on passwords

  • online vs offline attacks: online guessing goes through the live login interface, so the server sees every attempt and can throttle it; offline cracking runs against stolen hashes on the attacker's own hardware at whatever speed that hardware allows
  • brute force: exhaustively trying every candidate password
  • using a list of common passwords (a dictionary attack)
  • installing a keylogger on the victim's machine
  • social engineering / phishing
  • sniffing passwords off the wire (unencrypted or downgraded connections)
  • trying the same user's passwords leaked from other sites (password reuse / credential stuffing)
  • scraping passwords or hashes from memory (e.g., mimikatz reading them out of LSASS on Windows)
  • database compromise: stealing the stored password hashes, which turns an online problem into an offline one
  • compromising a password manager
  • abusing "forgot my password" recovery (either via a person at a help desk or via the automated reset flow)
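How a database compromise combines with the brute-force and common-password items above into an offline attack. This is an added example and not part of the original notes; the "leaked" user table, the wordlist and the alphabet are constructed for illustration, and unsalted SHA-256 is used as the storage scheme precisely because it is cheap to attack.

```python
import hashlib
import itertools
import string

# Constructed sample standing in for a stolen user table: the attacker now holds
# the hashes and tests candidates offline, never touching the login page.
# Unsalted SHA-256 is used deliberately because it is cheap to attack; it is not
# a recommendation for how to store passwords.
LEAKED_USERS = {
    "alice": hashlib.sha256(b"password123").hexdigest(),
    "bob": hashlib.sha256(b"letmein").hexdigest(),
    "carol": hashlib.sha256(b"q7!").hexdigest(),  # short, and not in the wordlist
}

# Constructed stand-in for a real "most common passwords" list.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "password123", "admin"]

# Alphabet for the brute-force search: 26 letters + 10 digits + "!" = 37 symbols.
ALPHABET = string.ascii_lowercase + string.digits + "!"


def _index_by_hash(leaked):
    """Group usernames by hash so one candidate hash is compared against every
    account at once. This is exactly what the missing salt hands the attacker."""
    by_hash = {}
    for user, h in leaked.items():
        by_hash.setdefault(h, []).append(user)
    return by_hash


def dictionary_attack(leaked, wordlist):
    """Offline dictionary attack: hash each common password once and look it up.
    Returns {username: recovered_password}."""
    by_hash = _index_by_hash(leaked)
    cracked = {}
    for candidate in wordlist:
        h = hashlib.sha256(candidate.encode()).hexdigest()
        for user in by_hash.get(h, []):
            cracked[user] = candidate
    return cracked


def brute_force(leaked, alphabet=ALPHABET, max_len=3):
    """Offline exhaustive search over all strings of length 1..max_len.
    Returns ({username: recovered_password}, number_of_hashes_computed).
    Stops early if every account has been cracked."""
    by_hash = _index_by_hash(leaked)
    cracked = {}
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            attempts += 1
            h = hashlib.sha256(candidate.encode()).hexdigest()
            for user in by_hash.get(h, []):
                cracked[user] = candidate
            if len(cracked) == len(leaked):
                return cracked, attempts
    return cracked, attempts


if __name__ == "__main__":
    print("dictionary:", dictionary_attack(LEAKED_USERS, COMMON_PASSWORDS))
    found, n = brute_force(LEAKED_USERS)
    print(f"brute force: {found} after {n} hashes")
```

The brute-force pass computes 37 + 37^2 + 37^3 = 52,059 hashes and finishes in well under a second on a laptop; the same 52,059 guesses sent through a login form would each be visible to, and throttleable by, the server. That gap is the online-vs-offline distinction, and it is why stored hashes need salts and a deliberately slow function rather than plain SHA-256.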

Mitigating online password attacks

  • limit the number of login attempts: rate limiting, temporary lockouts or increasing delays, keyed per account and/or per source IP (note that a hard per-account lockout lets an attacker lock the legitimate user out simply by guessing wrong)
  • CAPTCHAs: prevent automated password guessing by requiring a challenge that a script cannot cheaply solve before each attempt
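One way to implement the attempt limit: a per-account failure counter with exponential backoff that is consulted before the password is checked. This is an added example and not code from the original notes; the user store, the fixed salts, the dummy record and the throttle parameters are constructed for illustration, and the clock is injectable only so the behaviour can be exercised without sleeping.

```python
import hashlib
import hmac
import os
import time


def hash_password(password, salt=None, iterations=100_000):
    """PBKDF2-HMAC-SHA256; returns (salt, digest). Salt is random unless supplied."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


# Constructed user store. A fixed salt keeps the example reproducible; real
# records get a fresh random salt from hash_password().
USERS = {"alice": hash_password("correct horse battery staple", salt=b"\x01" * 16)}
# Dummy record verified for unknown usernames so response time does not reveal
# whether an account exists.
DUMMY = hash_password("dummy", salt=b"\x02" * 16)


class LoginThrottle:
    """Per-key (here per-account) failure counter with exponential backoff.

    The first `free_attempts` consecutive failures cost nothing. Each further failure
    doubles the wait: base_delay * 2**(failures - free_attempts - 1), capped at
    max_delay. A key's counter is forgotten after `window` seconds without failures."""

    def __init__(self, free_attempts=5, base_delay=1.0, max_delay=3600.0,
                 window=900.0, clock=time.monotonic):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.window = window
        self.clock = clock
        self._state = {}  # key -> (failures, locked_until, last_failure_time)

    def check(self, key):
        """Seconds the caller must still wait before an attempt is allowed (0.0 = go)."""
        now = self.clock()
        st = self._state.get(key)
        if st is None:
            return 0.0
        _, locked_until, last = st
        if now - last > self.window:
            del self._state[key]
            return 0.0
        return max(0.0, locked_until - now)

    def record_failure(self, key):
        """Count a failed attempt; returns the delay now imposed on `key`."""
        now = self.clock()
        failures, _, last = self._state.get(key, (0, 0.0, now))
        if now - last > self.window:
            failures = 0
        failures += 1
        delay = 0.0
        if failures > self.free_attempts:
            delay = min(self.base_delay * 2 ** (failures - self.free_attempts - 1),
                        self.max_delay)
        self._state[key] = (failures, now + delay, now)
        return delay

    def record_success(self, key):
        self._state.pop(key, None)


def attempt_login(throttle, users, username, password):
    """Returns (status, wait_seconds) with status in {"ok", "throttled", "denied"}."""
    wait = throttle.check(username)
    if wait > 0:
        return "throttled", wait  # rejected before any password check is done
    record = users.get(username)
    salt, expected = record if record is not None else DUMMY
    _, digest = hash_password(password, salt=salt)
    if record is not None and hmac.compare_digest(digest, expected):
        throttle.record_success(username)
        return "ok", 0.0
    return "denied", throttle.record_failure(username)
```

The throttle is keyed by username, which is what stops a guessing campaign against one account but is also what allows an attacker to lock that account by guessing wrong on purpose; that is why the backoff grows rather than becoming a permanent lockout, and why deployments usually run a second throttle keyed by source IP and fall back to a CAPTCHA once a key is hot.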