Chapter 15. Password Attacks

Password-guessing attacks are one of the most popular aspects of penetration testing. Passwords come from a lot of places—you can guess them, you can find them lying around in files, and in some cases, you can obtain them from the operating system. Passwords obtained from the operating system are sometimes in the clear or are reversibly encrypted, and sometimes they are stored as a hash, often known as a password verifier. A hashing function is designed to take an input and convert it to an output in a non-reversible manner, so you will sometimes see password verifiers referred to as an OWF (one-way function).

Password hashes are typically attacked (or cracked) using a combination of dictionary attacks and brute-force ...
