Everyone is probably familiar with passwords. Passwords are the most common access control method used by system administrators to manage the use of network resources and applications. A username is entered along with a password when a user wants to log in to a secure system. The widespread use of passwords to protect sensitive information makes them a favorite target of attackers. Password attacks, also called password cracking, are the techniques used to discover passwords.
Passwords should not be saved in unencrypted form or written on paper, which means that frequently used passwords must often be committed to memory. The problem is that, to be secure, a password should be long and complex enough that it cannot easily be guessed, which also makes it hard to remember.
The simplest password attack is a brute force attack, in which an attacker tries random sequences of characters until one matches. At a couple of passwords a second, an automated brute force attack on an eight-character password drawn from the characters on a standard QWERTY keyboard would take millions of years to succeed. Because brute force attacks are so impractical, attackers often try to steal a database of hashed passwords instead and break them offline using a dictionary attack.
A dictionary attack compiles a massive list of common words and their variations and computes the cryptographic hash of each. These hash values are then compared against the stolen database of hashed passwords; a match reveals the original plaintext password. A more modern method of cracking hashed password databases uses rainbow tables.
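To make the dictionary attack concrete, the following is an added example (not code from the original article) that builds the precomputed hash-to-plaintext table the paragraph describes from a small constructed wordlist, then audits a constructed store of unsalted SHA-256 hashes against it, the way a defender checks a password database for weak entries. The wordlist, the variation rules and the stored hashes are all constructed for illustration.

```python
import hashlib

# Constructed stand-in for the "massive list of common words" an attacker compiles.
BASE_WORDS = ["password", "welcome", "dragon", "letmein"]


def variations(word):
    """Return the word plus the simple variations a wordlist would include:
    capitalisation changes, common digit/symbol suffixes and leetspeak swaps."""
    forms = {word, word.capitalize(), word.upper()}
    for w in list(forms):
        for suffix in ("", "1", "123", "!", "2024"):
            forms.add(w + suffix)
    leet = str.maketrans({"a": "4", "e": "3", "o": "0", "i": "1"})
    for w in list(forms):
        forms.add(w.translate(leet))
    return forms


def sha256_hex(text):
    """Unsalted SHA-256 of a password: the kind of hash a precomputed table can match."""
    return hashlib.sha256(text.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> plaintext for every variation of every word."""
    table = {}
    for word in words:
        for v in variations(word):
            table[sha256_hex(v)] = v
    return table


def audit_hashed_passwords(stored, table):
    """Compare each stored hash against the table; return {user: recovered plaintext}
    for every password the table can explain (i.e. every weak password)."""
    return {user: table[h] for user, h in stored.items() if h in table}


# Constructed password store (usernames and passwords are made up for the example).
STORED = {
    "alice": sha256_hex("Password123"),    # common word + digits: in the table
    "bob": sha256_hex("dr4g0n!"),          # leetspeak variation: in the table
    "carol": sha256_hex("kJ8#vq2Lx9!pR"),  # long random password: not derivable
}

TABLE = build_lookup_table(BASE_WORDS)
WEAK = audit_hashed_passwords(STORED, TABLE)

if __name__ == "__main__":
    print(f"{len(TABLE)} precomputed hashes")
    for user, pw in sorted(WEAK.items()):
        print(f"{user}: weak password found in table -> {pw!r}")
```

The table only matches because the stored hashes are unsalted; a per-user salt means every password has to be attacked individually, which is why precomputation is no shortcut against a properly salted store.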
A rainbow table uses a huge list of precomputed hash values covering almost all possible password combinations. Rainbow tables are faster than dictionary and brute force attacks and require less memory. A 14-character password that would require millions of years to crack by brute force can be broken in under an hour using rainbow tables.