
Conrad and Transcender have the same question on password guessing/cracking, yet...

JockVSJock Member Posts: 1,118
I'm in the final stages of studying for CISSP and I'm now doing an intense review.

Both Conrad (v2) and Transcender have the same question:
What is the difference between password cracking and password guessing?

The answer from Transcender says there is no difference.

The answer from Conrad says:
Password guessing attempts to log into the system; password cracking attempts to determine a password used to create a hash.

In a world where one question can make or break a CISSP pass or no pass, I don't want to leave anything to chance. In my mind, I agree with Conrad that there is a difference.

Thoughts?
***Freedom of Speech, Just Watch What You Say*** Example, Beware of CompTIA Certs (Deleted From Google Cached)

"It's easier to deceive the masses than to convince the masses that they have been deceived."
-unknown

Comments

  • techwizard Member Posts: 162 ■■■□□□□□□□
    I am no expert and am studying for the SSCP at this time, will sit for it in about 2 to 3 weeks. With that said, I would go with Conrad's definitions as well. From what I have read, password guessing and password cracking are indeed different.
    "Never give up" ~ Winston Churchill
  • da_vato Member Posts: 445
    Cracking is indeed different; you are actually employing technical means to discover the password. You can brute force, run a rainbow table against its hash and so on. Guessing would be the attacker sitting at the console trying whatever he/she comes up with.
  • samurai86 Member Posts: 104 ■■□□□□□□□□
    I am curious. I used both of those as well. Do they have the same answers as well? Depending on a given set of answers, IMO, they both may be correct.

    I do agree that the Conrad definition/answer is the best of the two, but as we know with the CISSP sometimes you are given 4 not so good answers and have to pick the best of those options.
    Bachelor's of Applied Science in Technology Management - Information Security Assurance (St. Petersburg College)
    Masters of Science in Digital Forensics (University of Central Florida)
  • LionelTeo Member Posts: 526 ■■■■■■■□□□
    Cracking requires the attacker to compromise the system first, or in some way obtain the hash from the system, and then employ cracking tools or scripts to encrypt different text using the same algorithm used by the compromised system, attempting to generate the same hash and thereby recovering the password if the hashes match.

    Password guessing, meanwhile, is an example of the attacker trying to log in to the system or webpage directly by trying different password combinations without any hash. This can be a remote interactive logon or a direct logon.
  • beads Member Posts: 1,531 ■■■■■■■■■□
    Two real world examples:

    Brutus - Brute force password guesser.
    HashCat - Password cracker.

    Big difference. Ignore the Transcender question in this case. It happens with any quiz software or book.

    - B Eads
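
Added example (not part of any post in this thread): a minimal Python model of the distinction discussed above, showing which control applies to which attack. The `LoginService` class, the lockout threshold, the PBKDF2 iteration count, the account and the word list are all constructed assumptions for illustration.

```python
import hashlib, hmac, os

ITERATIONS = 100_000  # assumed PBKDF2 work factor: the control against offline cracking
MAX_FAILURES = 3      # assumed lockout threshold: the control against online guessing

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class LoginService:
    """Toy service (hypothetical): stores salted hashes and counts failed logins."""
    def __init__(self):
        self.records = {}   # user -> (salt, hash)
        self.failures = {}  # user -> consecutive failed logins

    def register(self, user, password):
        salt = os.urandom(16)
        self.records[user] = (salt, hash_password(password, salt))
        self.failures[user] = 0

    def login(self, user, password):
        if self.failures[user] >= MAX_FAILURES:
            return "locked"
        salt, stored = self.records[user]
        if hmac.compare_digest(stored, hash_password(password, salt)):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        return "denied"

def online_guessing(service, user, candidates):
    """Guessing: each candidate is a login the service sees, logs and can throttle."""
    return [service.login(user, c) for c in candidates]

def offline_cracking(record, candidates):
    """Cracking: candidates are hashed locally against a leaked (salt, hash) record.
    The service never sees these attempts, so only the KDF cost slows them."""
    salt, stored = record
    for attempts, c in enumerate(candidates, 1):
        if hmac.compare_digest(stored, hash_password(c, salt)):
            return c, attempts
    return None, len(candidates)

if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "sunshine1")  # constructed account and password
    words = ["123456", "password", "qwerty", "letmein", "sunshine1"]  # constructed list
    print(online_guessing(svc, "alice", words))           # lockout stops the run early
    print(offline_cracking(svc.records["alice"], words))  # no lockout applies
    print(svc.failures["alice"])                          # offline attempts left no trace
```

The lockout counter caps the online run at three attempts, while the same list run against the leaked record is limited only by how expensive each hash computation is, which is why the two attacks call for different defences.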