Password strength or complexity is the goal of having a good password and making it strong against brute-force attacks. ab where a is the possible symbols and b is the length. If you have a 4 letter password containing only [0-9] then it might take 104 = 10,000 attempts, a computer with a decent graphics card can calculate billions of guesses per second.
Key stretching, also known as key strengthening, is the act of increasing the complexity enough that it wouldn’t be worth the hacker’s time to be able to crack it. This is done by taking a password (its salted version), hashing it, then hashing the output again an x amount of times, increasing the time it takes to crack the original password exponentially by hashing each iteration’s output.
Salting is the process of adding random data (a salt) at the end of a password before hashing it. It is a method commonly used to defend against dictionary and rainbow table attacks. See Fig 1.
A brute-force attack involves checking every bit until it matches the password’s hash. This is a very inefficient way of password cracking, because if a password is complex enough then it may take an absurdly large amount of time or power before it can be cracked. See Fig 2.
A dictionary attack is a common first resort against a password hash. People are predictable and make very commonly used passwords. Using a wordlist, a pre-compiled text file list of the most common passwords, the password cracker will go through each password on the list and check if the hash matches the original passwords.
Rainbow Table Attack
A rainbow table attack is similar to a dictionary attack except instead of a wordlist just containing plaintext passwords, a rainbow table contains plaintext passwords and their corresponding hash. This saves the hacker plenty of time in exchange for loss of space as these files can be very large.