How does a ‘rainbow table’ hacker obtain password hashes in the first place?

I don’t understand this part of the Rainbow table attack.
In all my Google searches, it says that a hacker uses a rainbow table on password hashes.
But how does the hacker obtain the password hashes in the first place?
I have rephrased thi…

How is salting a password considered secure, when the hacker already has access to the user password database? [closed]

How is salting a password considered secure, when the idea of a rainbow table attack means that the hacker already has access to the user password database?
Since the attacker already has access to the password database… he can just send the…

Can you help me with some misconceptions about bcrypt and salting?

I researched password hashing and cracking and I have some misconceptions:

The first rule of thumb for creating a strong password is to use a 10+ character combination of digits/upper/lower/symbols to prevent brute force attacks.
Then the problem will be on…

Why does pwdump7 retrieve LM hashes even though they’re disabled?

I’m currently undergoing a penetration testing certification, where I’m asked to:

Set up a fully-patched Windows 10 Pro VM (done)
Retrieve local password hashes from the SAM database using pwdump7
Crack these passwords using rainbow tab…

Why do people buy stolen databases with emails and hashed passwords of users? [duplicate]

I see every now and then how hackers steal DBs with emails and hashed passwords of millions of users from popular websites and sell them on the black market.

I assume that the passwords were hashed with a proper unique salt for each, which makes ra…