There are many different ways to crack a password. The figure below shows some of the attack scenarios that can occur. If an attacker has access to a machine, and consequently to the password hashes, then any of the following password cracking techniques can be used:
Dictionary attack
A dictionary attack uses a wordlist that contains words, phrases, common passwords and other strings that could be used as a password. The password is cracked by hashing every word in the wordlist and comparing the result to the password hash. Dictionary files are created by extracting words from large bodies of text and even from real databases of leaked passwords. These files also contain words with numbers appended to the end of them (e.g. “harrys123”) and their leet-speak equivalents (“harrys” becomes “h4rry5”). This method is popular because many people use common words as passwords. Dictionary wordlists are also available for technical vocabularies and foreign languages. Although dictionary attacks are fairly fast, they are ineffective against passwords that are not based on a dictionary word. For instance, the password “#!d^3m4&0z” is unlikely to be found by a dictionary attack. Moreover, if the passwords are “salted”, the attacker would need to precompute hashes for each password coupled with each possible “salt”. This is a huge burden for the attacker, especially if the salt is large enough.
Brute force attack
Brute force attacks can be used in cases where a dictionary attack is unable to recover a password. The reason is that a brute force attack tries every combination of characters up to a given length until the password is found. For instance, given a password length of 6 characters, a brute force attack will follow the sequence “aaaaaa”, “aaaaab”, “aaaaac” and so on. This is obviously the slowest password cracking method: it is very computationally expensive and the least efficient in terms of cracked hashes per unit of processor time. Nevertheless, a brute force attack will always eventually find the password, and it can be very successful against short and simple passwords.
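The cost argument above is easiest to see with numbers. The following is an added illustration, not code from the original text: it computes the worst-case search space for character sets and lengths a password policy might require, and converts it to time at an assumed hash rate. The rate (`hashes_per_second`) is a constructed parameter, not a measurement; the point is how cost scales with length, charset, and how slow the stored hash function is to evaluate.

```python
"""Worst-case brute-force search space and time as a function of charset and length.

Added illustration. The hash rate passed in is an assumed figure used only to
show how cost scales; real rates depend on the hash algorithm and hardware.
"""
import string

# Character sets a password policy might require (constructed examples).
CHARSETS = {
    "lowercase": string.ascii_lowercase,                                    # 26 symbols
    "alphanumeric": string.ascii_letters + string.digits,                  # 62 symbols
    "printable": string.ascii_letters + string.digits + string.punctuation,  # 94 symbols
}


def keyspace(charset_size: int, max_length: int) -> int:
    """Number of candidates of length 1..max_length over a charset (a geometric sum).

    The attack in the text ("aaaaaa", "aaaaab", ...) enumerates exactly this set.
    """
    return sum(charset_size ** n for n in range(1, max_length + 1))


def worst_case_seconds(charset_size: int, max_length: int, hashes_per_second: float) -> float:
    """Time to exhaust the keyspace if every candidate costs one hash evaluation."""
    return keyspace(charset_size, max_length) / hashes_per_second


def human_time(seconds: float) -> str:
    """Render seconds as the largest convenient unit for a policy discussion."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.3f} seconds"


def cost_table(hashes_per_second: float, lengths=(6, 8, 10, 12)):
    """Rows of (charset name, max length, keyspace size, worst-case seconds)."""
    rows = []
    for name, charset in CHARSETS.items():
        for n in lengths:
            size = len(charset)
            rows.append((name, n, keyspace(size, n), worst_case_seconds(size, n, hashes_per_second)))
    return rows


if __name__ == "__main__":
    # Assumed rates: a fast unsalted hash versus a deliberately slow password hash.
    for label, rate in (("fast hash, assumed 1e9 H/s", 1e9), ("slow KDF, assumed 1e4 H/s", 1e4)):
        print(f"== {label} ==")
        for name, n, size, secs in cost_table(rate):
            print(f"{name:>13} len<={n:2d}  candidates={size:>24,}  worst case {human_time(secs)}")
```

Running it shows two things a defender cares about: each extra character multiplies the cost by the charset size, and a slow password hash function multiplies the attacker's cost by the same factor it slows the verifier down, without changing the password at all.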
Rainbow table attack
A rainbow table attack is an implementation of the time-memory trade-off method developed by Philippe Oechslin. The name reflects the trade-off: the table takes time to create, but once it exists password recovery is very quick. The idea behind rainbow table attacks is the lookup table*. The previous attacks, i.e. dictionary and brute force, generate the hash for each candidate password and then compare it to the target password hash. Rainbow tables, on the other hand, compute hashes for words taken from a dictionary in advance, store these values in a table, and then look up the hash of the password to be cracked by comparing it against the stored hashes. The difference between rainbow tables and plain lookup tables is that rainbow tables sacrifice some cracking speed to make the table smaller. Thus, rainbow tables are more effective than simple lookup tables because the same amount of space covers more password hashes. Even so, these tables are quite large: for example, the MD5 rainbow table for passwords up to 7 characters is 64GB. These tables can crack non-dictionary passwords very fast, but due to the nature of the attack not all passwords can be found. As with dictionary attacks, rainbow table attacks are defeated by “salting” the passwords before storing them.
*Lookup tables are data structures containing pre-computed hashes of the passwords in a password dictionary, together with the corresponding passwords.
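The following added example (not code from the original text) makes the lookup-table idea and the salting defence from the dictionary and rainbow table sections concrete. A small constructed wordlist is hashed once into a table; the table immediately recovers an unsalted hash of a wordlist password, but it cannot recover the same password once a random per-user salt is mixed in, and two users with the same password no longer share a hash. SHA-256 stands in for whatever hash a real system uses, and `entries_needed` quantifies the "each password coupled with each possible salt" precomputation cost mentioned in the text.

```python
"""Precomputed lookup table versus salted hashes.

Added illustration, not code from the original text. The wordlist, the password
and the salt length are constructed; SHA-256 stands in for the system's hash.
"""
import hashlib
import hmac
import os

# Constructed wordlist, including the appended-digit and leet-speak variants
# the text describes.
WORDLIST = ["password", "harrys", "harrys123", "h4rry5", "letmein", "qwerty"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_lookup_table(words):
    """Hash every word once; the resulting table is reused against any number of hashes."""
    return {sha256_hex(w.encode()): w for w in words}


def lookup(table, target_hash: str):
    """Return the password for an unsalted hash if it is in the table, else None."""
    return table.get(target_hash)


def hash_with_salt(password: str, salt: bytes) -> str:
    """Salted storage: hash(salt || password). The salt is stored beside the hash."""
    return sha256_hex(salt + password.encode())


def store_salted(password: str, salt_len: int = 16):
    """Generate a fresh random salt for this record and return (salt, hash)."""
    salt = os.urandom(salt_len)
    return salt, hash_with_salt(password, salt)


def verify_salted(password: str, salt: bytes, stored_hash: str) -> bool:
    """Recompute with the stored salt; constant-time comparison of the hex digests."""
    return hmac.compare_digest(hash_with_salt(password, salt), stored_hash)


def entries_needed(wordlist_size: int, salt_bits: int) -> int:
    """Table entries a precomputed attack would need to cover every (word, salt) pair."""
    return wordlist_size * 2 ** salt_bits


def demo():
    table = build_lookup_table(WORDLIST)

    # Unsalted: the table finds the password with a single dictionary lookup.
    hit = lookup(table, sha256_hex(b"harrys123"))

    # Salted: the same password hashes to a value the table has never seen.
    salt, salted = store_salted("harrys123")
    miss = lookup(table, salted)

    # Two accounts with the same password get different hashes.
    _, salted_again = store_salted("harrys123")
    distinct = salted != salted_again

    # Legitimate verification still works because the salt is stored with the hash.
    ok = verify_salted("harrys123", salt, salted)
    return hit, miss, distinct, ok


if __name__ == "__main__":
    hit, miss, distinct, ok = demo()
    print("unsalted lookup:", hit)          # harrys123
    print("salted lookup:", miss)           # None
    print("same password, different hashes:", distinct)
    print("verification with stored salt:", ok)
    print("entries to precompute for 16-byte salts:", entries_needed(len(WORDLIST), 128))
```

The salt is not secret; its job is to make each stored hash unique so that precomputation must be redone per record. In practice the plain hash here would be replaced by a purpose-built password hash (bcrypt, scrypt, Argon2) that is also slow, which adds the cost shown in the brute force example on top of defeating precomputation.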