Sec+ Birthday attack question
-
I was just watching the video on attacks, and was a bit puzzled by the explanation of birthday attacks. I'm familiar with birthday attacks on hashes, but those rely on being able to pass a modification off as an original, where the modification changes the hash to be the same as a forgery. This wouldn't be the case with password hashes, which would have to be attacked through other means. The discussion in the video said that there would be a good chance that more than one person in an organization has the same password, which might be true, but doesn't seem to help the attacker much since even if they find one user with a password, they'd have to try others to see if they have the same one. I did think of one application: it could be exploited that someone in an organization will have one of the top 10 passwords, so that the dictionary could be confined just to them. Would that be an accurate interpretation?
Also, all of the subtitles in the video say that it is Part 2, but there is no part 1 in the sidebar. Is this an artifact of the update for the new test? A reference was made to part 1 including talk of buffer overflows, which I don't recall from any previous portion of this course.
Thanks!
-
This is from my thinking: if a group of people work together, talk about the same things, and know the same things, their chances of having the same password are likely. So instead of saying a limited number of passwords, the limit for this would be a subset of people working for the same organization, doing the same types of jobs, interested in the same things, talking about the same limited amount of conversations between people that do those same things. Just as people can have the same birthdays because of 365 days in a year, there is a statistical likelihood these people would use the same passwords. Thereby, a hacker hacking one account gives him a statistical probability he can gain access to more than one using the same info.
This is no guarantee today especially if the organization requires you to use some random password generator, though.
You're right, it does no good for you to know that my birthday is shared with millions of others (possibly a billion+ because I'm of Asian descent). It really does no good, right, if you know my password is one of the top ten passwords; but putting the two together, now we get somewhere. I mean, what are the chances that we're using the mail system, or network?
Like most hacks, there's a combination of techniques that require more than a single attack to make it work. This would be the same here. Regardless of whether you limit to the same smaller set of "top 10 passwords" or "50 employees that work for the same company doing the same things, at the same time, talking about that day after day," the principle is the same. In your example, you now must figure out who the user is that is using the same top 10 password. In my example, you find the password of a user and figure out who else might be using it.
Sometimes, we may not name it part 1 for one reason or another, but if you're seeing a part 2 with the exact same name as one that is not labeled as part 1, that is the original, whereas part 2 is the continuation of the original. It depended on the convention that we were using then.
Cordially,
Ronnie Wong
Host, ITProTV
-
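The statistics behind the answer above, as an added example that is not part of the original thread. It computes the classic birthday-paradox figure (the probability that some pair among n users share a value drawn uniformly from a pool of m), the closed-form approximation that extends the same bound to hash digests (the 2^(b/2) figure for a b-bit digest), and the narrower question an attacker who has already cracked one account actually cares about: whether that particular user's password is shared by anyone else. The 50-employee and 10-password figures are assumed for illustration, as is the uniform choice of passwords.

```python
"""Birthday-bound arithmetic for the "shared password" scenario.

Added example (not from the original thread). The same calculation covers
calendar birthdays, a pool of common passwords and hash-digest collisions.
The employee count (50) and password-pool size (10) used in main() are
assumed for illustration only.
"""
import math


def collision_probability(n: int, m: int) -> float:
    """Exact probability that at least two of n independent, uniform picks
    from m equally likely values coincide (the classic birthday problem)."""
    if n < 2:
        return 0.0
    if n > m:
        return 1.0  # pigeonhole: a collision is certain
    p_no_collision = 1.0
    for i in range(n):
        p_no_collision *= (m - i) / m
    return 1.0 - p_no_collision


def collision_probability_approx(n: int, m: int) -> float:
    """Closed-form approximation 1 - exp(-n(n-1)/(2m)). Use this when m is
    far too large for the product loop, e.g. m = 2**64 for a 64-bit digest."""
    return 1.0 - math.exp(-n * (n - 1) / (2.0 * m))


def attempts_for_probability(m: int, p: float = 0.5) -> int:
    """Number of uniform picks needed before some pair collides with
    probability p (inverts the approximation above). For p = 0.5 this is
    about 1.18 * sqrt(m), the familiar 2**(b/2) bound for a b-bit digest."""
    return math.ceil(math.sqrt(2.0 * m * math.log(1.0 / (1.0 - p))))


def someone_shares_with_me(n: int, m: int) -> float:
    """Probability that a *specific* user's value is shared by at least one
    of the other n-1 users. This is what an attacker holding one cracked
    password cares about, and it is much smaller than the any-pair figure
    unless the pool m is tiny (which is exactly the "top 10 passwords" case)."""
    if n < 2:
        return 0.0
    return 1.0 - (1.0 - 1.0 / m) ** (n - 1)


if __name__ == "__main__":
    # Calendar birthdays: the textbook 23-people figure.
    print("23 people, 365 days, any pair shares:",
          round(collision_probability(23, 365), 4))
    # Assumed scenario: 50 employees, each choosing from a top-10 list.
    print("50 users, pool of 10, any pair shares:",
          round(collision_probability(50, 10), 4))
    print("50 users, pool of 10, someone shares MY password:",
          round(someone_shares_with_me(50, 10), 4))
    # Same 50 users, but passwords drawn from a pool of 365 values.
    print("50 users, pool of 365, someone shares MY password:",
          round(someone_shares_with_me(50, 365), 4))
    # Hash-collision form of the same bound for a 64-bit digest.
    print("attempts for 50% collision in 64-bit digest:",
          attempts_for_probability(2 ** 64, 0.5))
```

The contrast between `collision_probability` and `someone_shares_with_me` is the point of the thread: with a pool of 365 values, 50 users almost certainly contain some colliding pair, yet the chance that one given user's value is shared is only about 13%; shrink the pool to 10 values and both figures go to essentially 100%, which is why combining "some employee uses a top-10 password" with "employees pick from a small shared vocabulary" is what makes the attack pay off.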
Ronnie,
Thanks for the reply. I understand better what you're saying now.
On the title question, in the Course Library the video is called Types of Attacks (no part 1 or 2), and there's no other section called Types of Attacks. In the in-video subtitles it's called Types of Attacks Part 2, and reference is made to a previous part 1 video. I was just a little thrown off by the inconsistency, especially when the reference to the earlier episode discussing buffer overflows was mentioned, but it's a small thing.
Thanks!