IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Password-cracking techniques – Rainbow tables, Spidering, network analysers

Some of the most common, and most effective, methods for stealing passwords

Malware, phishing, and social engineering are common terms in cyber security news stories, and it's fair to say that most people will have been on the receiving end of such attacks at some point.

However, there are a number of techniques that rarely get mentioned in reports, either because they are used behind the scenes or they only exist in conjunction with more recognisable attack types. Here's a handful of some of these more reclusive techniques.

7. Rainbow table attack

Image of a rainbow arching across a blue sky

Whenever a password is stored on a system, it’s typically encrypted using a ‘hash’, or a cryptographic alias, making it impossible to determine the original password without the corresponding hash. In order to bypass this, hackers maintain and share directories that record passwords and their corresponding hashes, often built from previous hacks, reducing the time it takes to break into a system (used in brute force attacks).

Rainbow tables go one step further, as rather than simply providing a password and its hash, these store a precompiled list of all possible plain text versions of encrypted passwords based on a hash algorithm. Hackers are then able to compare these listings with any encrypted passwords they discover in a company’s system.

Much of the computation is done before the attack takes place, making it far easier and quicker to launch an attack, compared to other methods. The downside for cyber criminals is that the sheer volume of possible combinations means rainbow tables can be enormous, often hundreds of gigabytes in size.

8. Network analysers

Abstract image of a network of interconnected points on a black background

Network analysers are tools that allow hackers to monitor and intercept data packets sent over a network and lift the plain text passwords contained within.

Such an attack requires the use of malware or physical access to a network switch, but it can prove highly effective. It doesn’t rely on exploiting a system vulnerability or network bug, and as such is applicable to most internal networks. It’s also common to use network analysers as part of the first phase of an attack, followed up with brute force attacks.

Of course, businesses can use these same tools to scan their own networks, which can be especially useful for running diagnostics or for troubleshooting. Using a network analyser, admins can spot what information is being transmitted in plain text, and put policies in place to prevent this from happening.

The only way to prevent this attack is to secure the traffic by routing it through a VPN or something similar.

9. Spidering

Spidering deploys very similar techniques to those used in social engineering and phishing attacks. Generally, it requires far more leg work on the part of the hacker, but also significantly increases the likelihood that an attack will be successful.

Spidering describes the process of a hacker getting to know their target, to the extent that they’re able to get credentials based on their activity. For example, many organisations run internal services with passwords that relate to their business in some way, mainly because this makes it easier to remember for employees.

If a hacker knows their target works for a particular company, they may take steps to try and access internal Wi-Fi networks or employee handbooks to further their understanding. They may also study the products that business creates in order to build a list of possible word combinations, which can be used later in a brute force attack.

Like many entries on this list, this process is usually underpinned by automation.

The last entries on our list look at techniques considered to be relatively crude but still surprisingly effective. Click here to continue

Featured Resources

The Total Economic Impact™ Of Turbonomic Application Resource Management for IBM Cloud® Paks

Business benefits and cost savings enabled by IBM Turbonomic Application Resource Management

Free Download

The Total Economic Impact™ of IBM Watson Assistant

Cost savings and business benefits enabled by Watson Assistant

Free Download

The field guide to application modernisation

Moving forward with your enterprise application portfolio

Free Download

AI for customer service

Discover the industry-leading AI platform that customers and employees want to use

Free Download

Recommended

Cyber resiliency and end-user performance
Whitepaper

Cyber resiliency and end-user performance

17 Aug 2022
Can't choose between public and private cloud? You don't have to with IaaS
Whitepaper

Can't choose between public and private cloud? You don't have to with IaaS

12 Aug 2022
What is zero trust?
network security

What is zero trust?

14 Jul 2022
Retbleed hardware-level flaw brings overhead woe to Intel and AMD
Hardware

Retbleed hardware-level flaw brings overhead woe to Intel and AMD

13 Jul 2022

Most Popular

Apple patches 'superpower' zero-days affecting iPhones, iPads, and Macs
zero-day exploit

Apple patches 'superpower' zero-days affecting iPhones, iPads, and Macs

18 Aug 2022
Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
The benefits of a hardware update for SMBs
Sponsored

The benefits of a hardware update for SMBs

2 Aug 2022