CompTIA Security+ Exam Notes

Let Us Help You Pass

Saturday, April 13, 2024

Brute Force, Dictionary, Spraying Attacks

 Password Discovery Methods


The attacks covered in this section are described as online attacks: each guess is submitted to a live login service, so the service's response time, rate limiting and account lockout policy all apply. (Brute-force and dictionary attacks can also be run offline against a captured password hash, where none of those limits exist.)

BRUTE-FORCE:
  • Tries every possible combination of characters (an exhaustive search of the keyspace) until the password is found.
  • Password-cracking programs can test anywhere from 10,000 to 1 billion candidates per second. Those rates apply to offline cracking of captured hashes on the attacker's own hardware; an online attack is throttled by the network and the login service and achieves far fewer guesses per second.
  • Brute-force attacks are run against a single username with many password guesses.
EXAMPLE:
cbgto1gpy
cbgto2gpy
cbgto3gpy
cbgto4gpy
cbgto5gpy
cbgto6gpy

In this example the sixth character is the one being incremented. When the program has tried every possible value for the sixth character without finding the password, the fifth character advances from "o" to "p", the sixth character starts over at the first value, and the process continues, like an odometer rolling over.
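The following is an added example, not part of the original notes, that reproduces the odometer ordering described above in code. It assumes a charset of lowercase letters followed by digits (so "9" rolls over into "a" and carries to the left), treats the first six characters as the part being enumerated and keeps "gpy" as a fixed tail the way the example does, and adds a keyspace-size calculation so the quoted guess rates can be turned into a worst-case time to exhaust the space:

```python
import itertools
import string

# Charset assumed for the example: 26 lowercase letters, then the 10 digits.
CHARSET = string.ascii_lowercase + string.digits


def odometer_increment(candidate, charset):
    """Return the next candidate in brute-force (odometer) order.

    The rightmost position advances; when it passes the last symbol of the
    charset it wraps to the first symbol and the position to its left advances
    instead (a carry). Returns None when every position has wrapped, i.e. the
    keyspace for this length is exhausted.
    """
    chars = list(candidate)
    for i in range(len(chars) - 1, -1, -1):
        idx = charset.index(chars[i])
        if idx + 1 < len(charset):
            chars[i] = charset[idx + 1]
            return "".join(chars)
        chars[i] = charset[0]  # wrap this position and carry into the next one left
    return None


def brute_force_candidates(charset, length):
    """Yield the whole keyspace of `length` symbols, in the same odometer order."""
    for combo in itertools.product(charset, repeat=length):
        yield "".join(combo)


def next_n(candidate, charset, n, suffix=""):
    """The next n candidates after `candidate`, with a fixed tail appended
    (mirrors the page's example, where "gpy" never changes)."""
    out = []
    for _ in range(n):
        candidate = odometer_increment(candidate, charset)
        if candidate is None:
            break
        out.append(candidate + suffix)
    return out


def keyspace_size(charset_size, length):
    """Number of candidates a full brute force must try in the worst case."""
    return charset_size ** length


def seconds_to_exhaust(charset_size, length, guesses_per_second):
    """Worst-case time to try the whole keyspace at a given guess rate."""
    return keyspace_size(charset_size, length) / guesses_per_second


if __name__ == "__main__":
    # Shows the rollover: ..., cbgto9gpy, cbgtpagpy, cbgtpbgpy, ...
    print(next_n("cbgto0", CHARSET, 12, suffix="gpy"))
    for length in (6, 8):
        print(length, "chars:", keyspace_size(len(CHARSET), length), "candidates;",
              "offline at 1e9/s:", seconds_to_exhaust(len(CHARSET), length, 1e9), "s;",
              "online at 10/s:", seconds_to_exhaust(len(CHARSET), length, 10), "s")
```

Six alphanumeric characters (36^6, about 2.2 billion candidates) fall in a couple of seconds at a billion guesses per second but take years at ten guesses per second, which is why the same attack is practical offline and impractical against a live login page.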

DICTIONARY:
  • A dictionary attack works through a list of common words and known passwords rather than every possible combination; it does not exhaust the character space, so it is much faster but only finds passwords that appear in the list.
  • Dictionary attacks are run against a single username with many password guesses, again by an automated program.

SPRAYING ATTACK:
  • A spraying attack tries one password, normally a simple or commonly used one, against many accounts (two or more usernames).
  • The attacker then waits a period, such as 30 minutes or longer, before trying the next password against the same accounts.
  • The wait is what lets the attack bypass account lockout: each account sees only one failed attempt per interval, which stays under the lockout threshold.
  • Most lockout policies reset the failed-login counter to "0" once the observation window has passed, so the next round starts with a clean count.
There are two primary ways to defend against brute-force and dictionary attacks:
  • Account lockout after 3 to 5 failed login attempts. Note that spraying is designed to stay under this threshold, so lockout alone does not stop it.
  • MFA (Multi-Factor Authentication), which means a guessed password is not enough on its own to log in.
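To make the lockout interaction concrete, here is an added example (not from the original notes) that simulates a lockout policy of 5 failures with a 30-minute counter reset and runs three attackers against it: a brute forcer hammering one account, a sprayer that waits 30 minutes between passwords, and a sprayer that does not wait. It also includes a small triage function over the resulting attempt records using only the fields a real authentication log holds (time, source, username, outcome). The credential store, usernames, IP addresses and password lists are all constructed for the simulation:

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed credential store for the simulation; none of these are real accounts.
CREDENTIALS = {
    "alice": "Winter2024!", "bob": "x9!Qv#2pLm", "carol": "Tr0ub4dor&3",
    "dave": "Welcome1", "erin": "zK8$wq1!Rd", "frank": "Jn3%vb7Lp!",
    "svc_backup": "B@ckup#2019",
}
SPRAY_TARGETS = ["alice", "bob", "carol", "dave", "erin", "frank"]
# Five common passwords the sprayer tries in turn (constructed list).
SPRAY_PASSWORDS = ["Password1", "Welcome1", "Summer2023", "Spring2024!", "Winter2024!"]


@dataclass
class Attempt:
    t: float        # seconds since simulation start
    source: str     # client IP (constructed)
    user: str
    result: str     # "success", "failure" or "locked"


class LockoutPolicy:
    """Lock an account after `threshold` failures; the failure counter goes back
    to 0 once `reset_s` seconds pass without a new failure (the wait a sprayer
    relies on). The defaults are illustrative policy settings."""

    def __init__(self, threshold=5, reset_s=30 * 60):
        self.threshold, self.reset_s = threshold, reset_s
        self.count = defaultdict(int)
        self.last_fail = {}
        self.locked = set()

    def authenticate(self, user, password, t):
        if user in self.locked:
            return "locked"                 # locked accounts reject even the right password
        if CREDENTIALS.get(user) == password:
            self.count[user] = 0
            return "success"
        if user in self.last_fail and t - self.last_fail[user] >= self.reset_s:
            self.count[user] = 0            # observation window expired: counter reset
        self.count[user] += 1
        self.last_fail[user] = t
        if self.count[user] >= self.threshold:
            self.locked.add(user)
        return "failure"


def brute_force(policy, source, user, guesses, interval_s=1.0):
    """One username, many passwords, submitted back to back."""
    return [Attempt(i * interval_s, source, user, policy.authenticate(user, g, i * interval_s))
            for i, g in enumerate(guesses)]


def spray(policy, source, users, passwords, wait_s):
    """One password against every username, then pause `wait_s` seconds."""
    log, t = [], 0.0
    for pw in passwords:
        for u in users:
            log.append(Attempt(t, source, u, policy.authenticate(u, pw, t)))
            t += 1.0
        t += wait_s
    return log


def classify_sources(attempts, min_users=3, min_fails=5):
    """Triage per source IP from what an auth log actually records (guessed
    passwords are never logged): failures spread over many usernames look like
    spraying; many failures on one username look like brute force. A NAT
    gateway also presents many usernames from one IP, so in production this
    would be scoped to a time window and tuned against a baseline."""
    fails = defaultdict(lambda: defaultdict(int))
    for a in attempts:
        if a.result != "success":
            fails[a.source][a.user] += 1
    verdicts = {}
    for src, per_user in fails.items():
        if len(per_user) >= min_users:
            verdicts[src] = "spraying"
        elif sum(per_user.values()) >= min_fails:
            verdicts[src] = "brute force"
        else:
            verdicts[src] = "normal"
    return verdicts


def run_scenarios():
    """Return (locked by brute force, locked by a patient spray, locked by a
    spray with no waits, usernames the patient spray got into, detector verdicts)."""
    bf_policy = LockoutPolicy()
    bf = brute_force(bf_policy, "203.0.113.10", "svc_backup",
                     ["123456", "password", "qwerty", "letmein", "backup", "backup1", "backup2", "admin"])
    patient = LockoutPolicy()
    sp = spray(patient, "198.51.100.7", SPRAY_TARGETS, SPRAY_PASSWORDS, wait_s=30 * 60)
    hasty = LockoutPolicy()
    spray(hasty, "198.51.100.8", SPRAY_TARGETS, SPRAY_PASSWORDS, wait_s=0)
    hits = [a.user for a in sp if a.result == "success"]
    return (sorted(bf_policy.locked), sorted(patient.locked), sorted(hasty.locked),
            hits, classify_sources(bf + sp))


if __name__ == "__main__":
    bf_locked, patient_locked, hasty_locked, hits, verdicts = run_scenarios()
    print("brute force locked:", bf_locked)
    print("spray with 30-minute waits locked:", patient_locked, "and guessed:", hits)
    print("spray with no waits locked:", hasty_locked)
    print("detector verdicts:", verdicts)
```

The brute forcer locks its target on the fifth guess and gets nothing; the sprayer that waits out the reset window never trips the lockout and still recovers two weak passwords, while the same five passwords fired without waiting lock four accounts, which is the noisy outcome the wait is there to avoid. Lockout alone therefore only raises the cost of brute force; MFA is what stops a sprayed password from being enough.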
