Conrand and Transcender have the same question on password guessing/crarcking, yet...

I'm in the final stages of studying for CISSP and I'm now doing an intense review.

Both Conrad (v2) and Transcender have the same question:

What is the difference between password cracking and password guessing?

The answer from Transcender says there is no difference.

The answer from Conrad says:

Password guessing attempts to log into the system, password cracking attempts to determine a password used to create a hash

In a world where one question can make or break a CISSP pass or no pass, I don't want to leave anything to chance. In my mind, I agree with Conrad that there is a difference.

thoughts?

Find more posts tagged with

Comments

techwizard

I am no expert and am studying for the SSCP at this time, will sit for it in about 2 to 3 weeks. With that said, I would go with Conrad's definitions as well. From what I have read, password guessing and password cracking are indeed different.

da_vato

Cracking is indeed different, you are actually employing technical means to discover the password. You can brute force, run a rainbow table against its hash and so on. Guessing would be the attacker sitting at the console trying whatever he/she comes up with.

samurai86

I am curious. I used both of those as well. Do they have the same answers as well? Depending on a given set of answers, IMO, they both may be correct.

I do agree that the Conrad definition/answer is the best of the two, but as we know with the CISSP sometimes you are given 4 not so good answers and have to pick the best of those options.

LionelTeo

cracking requires the attacker to compromise the system first or in a way to obtain the hash from the system, then employs cracking tools or scripts to encrypt different text using the same algorithm used by the compromised system to attempt to generate the same hash and therefore recovers password if the hash match.

While password guessing is an example of the attacker trying to login to the system or webpage directly by trying different password combination without any hash. This can be a remote interactive logon or a direct logon.

beads

Two real world examples:

Brutus - Brute force password guesser.
HashCat - Password cracker.

Big difference. Ignore the Transcender question in this case. It happens with any quiz software or book.

- B Eads