Password Cracking

When trying to crack user passwords, attackers can resort to guessing, dictionary attacks, and brute force attacks.

  • Guessing—the password is guessed by humans with knowledge of personal information. This is particularly effective with systems that employ a self-service password reset, in which one or more security questions are posed before the password can be changed. The answers to such questions can be guessed or researched based on personal knowledge.
  • Dictionary attack—works by using a dictionary filled with dictionary words, family information, default passwords, and key patterns.
  • Brute force attack—tries every possible password and will in theory always be successful if there is no limit to the number of attempts.

Defense

Unfortunately, many protocols, such as plain HTTP, send passwords in clear text or protected only by weak encryption. Either choose a protocol that encrypts the transport (such as TLS) or use HTTPS.

To defend against guessing and dictionary attacks the following strategies can be employed:

  • Force users to choose a sufficiently strong password: enforce a minimum length, require a mix of letters, digits and other characters, and reject passwords built from repeated characters.
  • Change passwords frequently to reduce the time frame available for a brute force attack or for misuse, if the password is stolen.

To defend against brute force attacks:

  • If logon is done on the application level, you can lock the user out after three failed logon attempts within one minute, or add a wait time that keeps growing after each failure.
  • Store a (salted) hash of each password rather than the password itself, so that an attacker who obtains the stored credentials cannot use them directly to gain unauthorized access to the server.
  • Store an encrypted version of the password, using sufficiently strong encryption to ensure that attackers cannot gain access to the user name and password. However, it can be decrypted if the key is stolen (there has to be a key somewhere), thus exposing the users' original passwords.

    For example, if you are using HTTP authentication, you could use secure implementations such as Kerberos, which is available on virtually all platforms and is supported in Tomcat using the JAAS realm. (For more information, see the Tomcat documentation https://tomcat.apache.org/tomcat-8.5-doc/realm-howto.html#JAASRealm and Oracle tutorials https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/index.html).

  • Consider using secure LDAP as an alternative.
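The two application-level defenses above (a salted hash per password, and a lockout after three failures within one minute plus a growing delay) as one added example; this is illustrative code, not part of the original page or of any product it mentions. PBKDF2 from the Python standard library stands in for the hash, and the names, the 15-minute lockout length and the injected clock `now` are assumptions.

```python
import hashlib
import hmac
import os

# Added example: salted password storage plus an application-level login throttle.
# Names, the lockout length and the injected clock are assumptions, not from the page.
ITERATIONS = 600_000      # PBKDF2-HMAC-SHA256 work factor; raise as hardware gets faster
MAX_FAILURES = 3          # failures allowed inside the window before lockout
WINDOW_SECONDS = 60       # "three failed attempts within one minute"
LOCKOUT_SECONDS = 900     # assumed lockout length once triggered


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user defeats precomputed tables."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash and compare in constant time so timing leaks nothing."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


_DUMMY = hash_password("")  # hashed for unknown users so response time does not reveal existence


class LoginGuard:
    """Per-user failure tracking; `now` (seconds) is injected so the logic is testable offline."""

    def __init__(self):
        self.failures = {}      # user -> timestamps of recent failures
        self.locked_until = {}  # user -> time at which the lockout expires

    def attempt(self, user: str, password: str, store: dict, now: float) -> tuple[str, int]:
        """Return (status, delay_seconds); status is 'ok', 'bad' or 'locked'."""
        if now < self.locked_until.get(user, 0):
            return "locked", int(self.locked_until[user] - now)
        salt, digest = store.get(user, _DUMMY)
        if verify_password(password, salt, digest) and user in store:
            self.failures.pop(user, None)   # a success clears the failure history
            return "ok", 0
        recent = [t for t in self.failures.get(user, []) if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            return "locked", LOCKOUT_SECONDS
        # Growing wait time after each failure inside the window: 1 s, 2 s, 4 s, ...
        return "bad", 2 ** (len(recent) - 1)
```

Failures older than the one-minute window drop out of the count, so only a burst of three wrong passwords triggers the lockout; a correct password during a lockout is still refused until it expires.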
