Name
|
Dictionary-based Password Attack
|
Summary
|
An attacker tries each word in a dictionary (wordlist) as the password for some user's account in order to gain access to the system. If the user chose a password that appears in the dictionary, the attack succeeds (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern. Dictionary attacks differ from related attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600): they work through many candidate passwords against a targeted account with no prior knowledge of a valid username/password pair, rather than trying a few common passwords across many known usernames (spraying) or replaying previously leaked pairs (stuffing), and they make no attempt to avoid triggering account lockouts.
|
Prerequisites
|
The system uses single-factor, password-based authentication.
The system does not have a sound password policy that is being enforced.
The system does not implement an effective password throttling mechanism.
|
Mitigations
|
Create a strong password policy and ensure that the system enforces it.
Implement an intelligent password throttling mechanism. Take care that the mechanism does not itself enable account lockout attacks such as CAPEC-2 (Inducing Account Lockout).
Use multi-factor authentication for all authentication services.
|
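The following is an added example, not part of the CAPEC entry, that puts the three prerequisites and the first two mitigations side by side. It simulates a single-factor login service with a constructed ten-word wordlist (assumed, for illustration only; real dictionaries hold millions of entries), runs a dictionary attack against an account whose password is in the list, and then repeats the attack against the same service with throttling keyed on the (account, source address) pair using exponential backoff instead of a hard lockout, so the attacking source slows itself down without locking the legitimate user out (the CAPEC-2 caveat). The password policy check, the threshold and delay values, and the addresses 203.0.113.7 and 198.51.100.20 are assumptions of the example. Time is an injected clock, so nothing sleeps.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed wordlist for this example only; a real attack uses a list of
# millions of entries, but the shape of the attack is identical.
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome",
            "dragon", "monkey", "Summer2024", "iloveyou", "admin"]


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def policy_ok(password: str) -> bool:
    """Minimal enforced policy (assumed): 12+ characters and not a wordlist entry."""
    return len(password) >= 12 and password.lower() not in {w.lower() for w in WORDLIST}


class AuthService:
    """Single-factor password login with optional throttling.

    Throttling is keyed on (username, source) and applies exponential backoff
    rather than a hard lockout, so an attacking source is slowed down while the
    real user, coming from another address, is unaffected (the CAPEC-2 concern).
    """

    def __init__(self, throttle: bool = False, enforce_policy: bool = False,
                 threshold: int = 3, base_delay: float = 1.0):
        self.throttle, self.enforce_policy = throttle, enforce_policy
        self.threshold, self.base_delay = threshold, base_delay
        self._users: dict = {}                          # username -> (salt, hash)
        self._fail = defaultdict(lambda: [0, 0.0])      # (user, source) -> [failures, not_before]

    def register(self, username: str, password: str) -> bool:
        if self.enforce_policy and not policy_ok(password):
            return False
        salt = os.urandom(16)
        self._users[username] = (salt, _pw_hash(password, salt))
        return True

    def login(self, username: str, password: str, source: str, now: float) -> str:
        """Return 'ok', 'denied' or 'throttled'. `now` is the injected clock in seconds."""
        key = (username, source)
        state = self._fail[key]
        if self.throttle and now < state[1]:
            return "throttled"          # refused before any password check is done
        rec = self._users.get(username)
        if rec and hmac.compare_digest(_pw_hash(password, rec[0]), rec[1]):
            self._fail.pop(key, None)
            return "ok"
        state[0] += 1
        if self.throttle and state[0] >= self.threshold:
            # 1 s after the 3rd failure, then 2 s, 4 s, 8 s, ... for this source only
            state[1] = now + self.base_delay * 2 ** (state[0] - self.threshold)
        return "denied"


def dictionary_attack(auth: AuthService, username: str, wordlist, source: str = "203.0.113.7",
                      rate: float = 1.0, max_seconds: float = 3600.0) -> dict:
    """Try each candidate once, re-sending it whenever the server throttles, at
    `rate` requests per simulated second. Returns the recovered password (or None),
    the number of requests sent and the simulated time at which it was found."""
    now, requests, sent_at = 0.0, 0, 0.0
    for candidate in wordlist:
        result = "throttled"
        while result == "throttled" and now <= max_seconds:
            requests += 1
            result = auth.login(username, candidate, source, now)
            sent_at, now = now, now + 1.0 / rate
        if result == "ok":
            return {"password": candidate, "requests": requests, "elapsed": sent_at}
        if result == "throttled":       # time budget exhausted
            break
    return {"password": None, "requests": requests, "elapsed": now}


def run_demo() -> dict:
    """Same weak password, with and without throttling; plus the policy check."""
    weak = AuthService(throttle=False)
    weak.register("alice", "Summer2024")            # accepted: no policy enforced
    unthrottled = dictionary_attack(weak, "alice", WORDLIST)

    hardened = AuthService(throttle=True)
    hardened.register("alice", "Summer2024")
    throttled = dictionary_attack(hardened, "alice", WORDLIST)
    # Alice, from her own address, is not locked out by the attack on her account.
    alice_after = hardened.login("alice", "Summer2024", "198.51.100.20", now=30.0)

    strict = AuthService(throttle=True, enforce_policy=True)
    return {"unthrottled": unthrottled, "throttled": throttled,
            "alice_after_attack": alice_after,
            "weak_pw_accepted": strict.register("bob", "Summer2024"),
            "strong_pw_accepted": strict.register("bob", "correct horse battery staple")}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Without throttling the password is recovered on the 8th request after 7 simulated seconds; with per-source backoff the same 8 candidates cost 34 requests and 33 seconds, and the doubling delay makes a multi-million-entry list impractical while Alice still logs in from her own address. The example deliberately stops short of the third mitigation: with multi-factor authentication, a password found this way is not sufficient to authenticate.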