Password hashing

Attacks on passwords

• online vs offline attacks
• brute force
• using a list of common passwords
• installing a keylogger
• social engineering / phishing
• sniffing passwords off the wire
• trying other passwords from same user
• scraping passwords from memory (eg, mimikatz)
• database compromise
• compromising a password manager
• "forgot my password" (either via a person or a program)

Mitigating online password attacks

• limit the number of login attempts
• CAPTCHAs: prevent automated password guessing