Password Guessing
Overview
Password guessing is one of the most straightforward attacks. If it succeeds,
the attacker gains access to the user's account. Automation lets attackers try
far more passwords than just those which are intuitively weak.
What makes a site vulnerable?
A site is vulnerable if the passwords its users log in with are guessable.
An attacker may be able to make millions of guesses (via automated login
attempts), so a password can be guessable even when it is not intuitively
easy to guess. It may be possible for an attacker to test every possible
password of up to 5 or 6 characters, so sites which do not require passwords
longer than this may be vulnerable. Users will often choose passwords as weak
as is permitted, including dictionary words, birthdays, family names, etc.
Such passwords are generally easy for an attacker to guess and test. As a
result, websites which do not enforce a level of complexity on passwords will
usually be vulnerable to this attack.
Impact of the attack
If an attacker correctly guesses a user's password he will be able to access
the user's account. This allows him to do anything the user can, including
accessing the user's private information, credit card details, etc. He may be
able to delete the user's account or change the password, preventing further
access by the user. If the user is an administrator, the attacker will
potentially gain administrative control over the website. A further impact is
that an attacker who is not otherwise permitted an account on the system will
gain access to it, learn about it, and carry out attacks against the normally
restricted functionality.
Preventing the attack
The best prevention against password guessing attacks is to force users to use
strong passwords. Ideally, these should be generated by the system and should
be long (8+ characters), random and utilising a large range of characters
(alphanumeric and symbols). If users must be allowed to choose their own
passwords, they should be forced to adhere to suitable complexity requirements,
including dissimilarity from the user name and other user data, no dictionary
words, and the use of a range of characters (including numbers, symbols and
both cases). Ideally, password cracking software should also be run regularly
against the stored passwords to identify passwords which are easy to guess.
Another strategy to consider is the use of failed login limits (i.e. locking
the account after a number of incorrect guesses). This, however, can backfire
and be used in denial of service attacks against the user.
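As an added example (not code from the original article), here is a Python sketch of the two controls above: a complexity check applying the listed rules against a small constructed wordlist, and a per-account failed-login limiter whose lock expires on its own so that repeated bad guesses cannot turn into a permanent lock-out of the user. The wordlist, thresholds and function names are assumptions for the demo.

```python
import re
import time

# Constructed demo wordlist; a real deployment loads a large list instead.
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "letmein", "qwerty"}


def password_violations(password, username, user_data=(), min_len=8):
    """Return the policy rules the password breaks (empty list = accepted)."""
    problems = []
    lower = password.lower()
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not all(re.search(c, password) for c in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")):
        problems.append("needs lower case, upper case, a digit and a symbol")
    hit = next((w for w in COMMON_WORDS if w in lower), None)
    if hit:
        problems.append(f"contains dictionary word '{hit}'")
    hit = next((d for d in (username, *user_data) if len(d) >= 3 and d.lower() in lower), None)
    if hit:
        problems.append(f"contains user data '{hit}'")
    return problems


class LoginThrottle:
    """Lock an account for a limited time after repeated failures.

    The lock expires by itself, so an attacker who keeps failing logins
    against a victim's account cannot keep the victim out permanently
    (the denial-of-service caveat above). The clock is injectable so the
    behaviour can be tested without waiting."""

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.time):
        self.max_failures, self.lockout_seconds, self.clock = max_failures, lockout_seconds, clock
        self._failures = {}  # account -> (count, time of first failure in window)

    def is_locked(self, account):
        count, first = self._failures.get(account, (0, 0.0))
        return count >= self.max_failures and self.clock() - first < self.lockout_seconds

    def record_attempt(self, account, success):
        """Call after each attempt; check is_locked() before verifying the password."""
        if success:
            self._failures.pop(account, None)
            return
        now = self.clock()
        count, first = self._failures.get(account, (0, now))
        if now - first >= self.lockout_seconds:  # old window expired, start afresh
            count, first = 0, now
        self._failures[account] = (count + 1, first)
```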