Password hashing
Attacks on passwords
- online vs offline attacks
- brute force
- using a list of common passwords
- installing a keylogger
- social engineering / phishing
- sniffing passwords off the wire
- trying other passwords from same user
- scraping passwords from memory (e.g., mimikatz)
- database compromise
- compromising a password manager
- "forgot my password" (either via a person or a program)
Mitigating online password attacks
- limit the number of login attempts
- CAPTCHAs: prevent automated password guessing
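As an added illustration of the first mitigation (not part of these notes), a minimal per-account login throttle: failed attempts are counted in a sliding window and the account is locked once the limit is reached, with passwords stored as salted PBKDF2 hashes. The limits (5 failures in 300 s, 900 s lockout) and the injected clock are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Tunables: assumed values for illustration, not recommendations from the notes
MAX_FAILURES = 5        # failed attempts allowed per account within the window
WINDOW_SECONDS = 300    # failures older than this no longer count
LOCKOUT_SECONDS = 900   # how long the account stays locked after the limit is hit


class LoginThrottle:
    """Per-account limit on failed logins (online-attack mitigation).

    Passwords are stored as PBKDF2-HMAC-SHA256 with a per-user random salt.
    The current time is passed in by the caller so behaviour is deterministic."""

    def __init__(self):
        self._records = {}                   # username -> (salt, derived key)
        self._failures = defaultdict(list)   # username -> timestamps of failures
        self._locked_until = {}              # username -> time the lockout ends

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = os.urandom(16)
        self._records[username] = (salt, self._derive(password, salt))

    def attempt(self, username, password, now):
        """Return 'ok', 'bad_password' or 'locked' for one login attempt."""
        if self._locked_until.get(username, 0) > now:
            return "locked"          # even a correct password is refused while locked
        # Keep only failures that still fall inside the sliding window.
        recent = [t for t in self._failures[username] if now - t < WINDOW_SECONDS]
        self._failures[username] = recent
        record = self._records.get(username)
        # Derive a hash even for unknown users so the timing does not reveal
        # whether the account exists; the dummy salt is never compared.
        salt, stored = record if record else (b"\0" * 16, b"\0" * 32)
        candidate = self._derive(password, salt)
        if record and hmac.compare_digest(candidate, stored):
            recent.clear()           # a successful login resets the failure count
            return "ok"
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self._locked_until[username] = now + LOCKOUT_SECONDS
        return "bad_password"
```

Note that a per-account lockout lets anyone who knows a username lock that account by guessing wrong deliberately, so real deployments usually combine it with per-source-IP limits or CAPTCHAs rather than relying on it alone.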