CAPEC-55 : Rainbow Table Password Cracking
An attacker gets access to the database table where hashes of passwords are stored. They then use a rainbow table of pre-computed hash chains to attempt to look up the original password. Once the original password corresponding to the hash is obtained, the attacker uses the original password to gain access to the system.
https://capec.mitre.org/data/definitions/55.htmlRelated CWE definitions
Obscuring a password with a trivial encoding does not protect the password.
The product does not have a mechanism in place for managing password aging.
The product supports password aging, but the expiration period is too long.
The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme.
The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.
The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.
A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality.
The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.
Please note that CAPEC definitions are provided as a quick reference only.
Visit http://capec.mitre.org/ for a complete list of CAPEC entries
and more information.