TestOut ITSec C7.2

TestOut Security Pro Terms Def / Q&A Chapter 7.2 Password Attacks

Terms & Questions / Definitions & Answers
How are attackers able to recover passwords?
What are the characteristics of a complex password?
What are the differences between brute force and dictionary attacks?
How does account lockout help secure an account?
What technique mitigates rainbow table attacks?
Brute Force Attack: A password attack that systematically calculates every possible combination that could make up a password and tests each one to see if it is the correct password. As the password's length increases, the average time it takes to find the correct password increases.
Downgrade Attack: An attack on a computer system or communications protocol that makes it downgrade from a high-quality mode of operation (such as an encrypted connection) to an old, lower-quality mode of operation (such as cleartext). This is a flaw found in OpenSSL: it allows the attacker to negotiate a lower version of TLS. This is one of the most common types of downgrade attacks.
- man-in-the-middle attack
- cryptographic
Removing backward compatibility is often the only way to prevent downgrade attacks.
Keylogging Software: Software that can capture a user's screens, clipboard data, and visited websites in addition to logging keystrokes.
Password Hash: A transformation that turns a password into another string, called the hashed password, which is difficult to transform back into the original password.
Rainbow Table: A pre-computed table for reversing cryptographic hash functions, usually for cracking password hashes.
• The results are saved in a table or matrix.
• An encrypted password is compared to the pre-computed hashed passwords in the matrix until a match is found.
• This method applies the concept of time-memory trade-off, meaning that it can save a considerable amount of time, but at the expense of memory.
• Rainbow tables or matrices can be extremely large and expansive, consuming up to 30 GB of space.
Password Cracking Tools: Check for unencrypted or weakly encrypted passwords sent through the network. They guess passwords by looking for:
• Default passwords for new systems
• Blank passwords
• The word "password" as a password
• Rows of letters on the keyboard (such as qwerty)
• The user's name or login name
• Name of significant other, pet, children, etc.
• Birthdate
• Name of a celebrity
• Words in the dictionary, and dictionary words with appendages added
• Programs such as SnadBoy's Revelation reveal a hidden password in cleartext.
Social Engineering: Social engineers try to get a user to reveal the password. For example, the attacker can pretend to be an administrator who needs the user's password.
Offline Brute Force Attack: the attacker attacks by herself.
Online Brute Force Attack: the attacker attacks other entities and uses them to attack your system.
What are ways to collect hashed passwords?
• A sniffer captures authentication logon traffic and extracts the hashed password from the network packets.
• An account database file is accessed by an attacker who gains read access.
• An account database file is pulled from a backup.
How to protect against password attacks:
1. Educate users
- Don't write passwords down
- How to create a strong password
- Social engineering tactics
2. Protect access to password files
- Use OS methods to protect the password hash file
3. Salt the hash
- To prevent rainbow table attacks
4. Implement two-factor authentication
Q: In a variation of the brute force attack, an attacker may use a predefined list (dictionary) of common user names and passwords to gain access to existing user accounts. Which countermeasure best addresses this issue?
A: A strong password policy. A strong password policy is the best defense against dictionary attacks. The policy must be enforced, and all users must be trained to properly construct and protect strong passwords.
Q: Which password attack uses preconfigured matrices of hashed dictionary words?
A: Rainbow table. A rainbow table attack applies hashing algorithms to every word in a dictionary (sometimes including hybrids or passwords accumulated in brute force techniques). It then saves the results in a table or matrix. An encrypted password is compared to the pre-computed hashed passwords in the matrix until a match is found.
Q: What is the most vulnerable to a brute force attack?
A: Password authentication. Password authentication is the most vulnerable to a brute force attack. The brute force attack itself may take a considerable amount of time, especially if the attack is against a single user account or online login prompt rather than a localized copy of a security accounts database. However, once the attack is complete, the attacker has all they need to log in to the secured system.
Created by: jacobth