nerdexam
GIAC

GCIH · Question #797

What password attack uses a stolen password breach list?

The correct answer is A. Credential Stuffing. Credential stuffing is the specific attack technique that uses stolen username and password pairs from prior data breach dumps to attempt unauthorized access across multiple services.

Vulnerability Exploitation & Privilege Escalation

Question

What password attack uses a stolen password breach list?

Options

  • ACredential Stuffing
  • BPass-the-Hash
  • CDictionary Attack
  • DMan-in-the-Middle

How the community answered

(55 responses)
  • A
    85% (47)
  • B
    4% (2)
  • C
    9% (5)
  • D
    2% (1)

Why each option

Credential stuffing is the specific attack technique that uses stolen username and password pairs from prior data breach dumps to attempt unauthorized access across multiple services.

ACredential StuffingCorrect

Credential stuffing relies on obtaining real, previously validated credential pairs from publicly leaked or purchased breach lists and then replaying them against other services to exploit password reuse. This distinguishes it from guessing-based attacks because the credentials are known to have been correct at least once, dramatically increasing success rates against accounts that reuse passwords.

BPass-the-Hash

Pass-the-Hash captures NTLM hash values from memory or the SAM database and replays the hash directly for authentication, rather than using plaintext passwords from a breach list.

CDictionary Attack

A dictionary attack generates guesses from a wordlist of common passwords and phrases rather than using actual stolen credential pairs from a confirmed breach.

DMan-in-the-Middle

A Man-in-the-Middle attack intercepts live communications between two parties and does not involve replaying or testing stolen password lists against accounts.

Concept tested: Credential stuffing attack using stolen breach data

Source: https://owasp.org/www-community/attacks/Credential_stuffing

Topics

#credential stuffing#password attacks#breach lists#account takeover

Community Discussion

No community discussion yet for this question.

Full GCIH Practice