What are Password Guessing Attacks

On systems which rely solely on a login name and password, the security of the entire system is only as strong as the passwords chosen by the users. The best way to ensure passwords are not cracked is to avoid the use of simple words or phrases which can be found in a dictionary. This needs to be balanced with making the passwords easy enough to remember so that users do not write them on pieces of paper and stick them on their laptops or monitors for others to find.

The best passwords consist of a mixture of upper and lower case characters combined with numbers and special characters. A common approach is to substitute numbers in place of similar letters. For example W3ath3rN3ws uses the number 3 in place of the letter 'E', the reasoning being that the number 3 is much like a reversed 'E' making the password easy to remember. Unfortunately most password cracking algorithms know about this type of substitution.

There are two primary mechanisms for breaking password protection, brute force and dictionary.


Brute Force Password Attacks

A brute force attack uses algorithms to systematically try every possible permutation of characters in an effort to find the correct password. If allowed to persist, a brute force attack will eventually identify the correct password, although a well-implemented security strategy will disable the account and block the IP address from which the attempts were made after 3 or 4 failed password attempts.


Dictionary Password Attacks

Dictionary password attacks take advantage of the fact that many users simply rely on easy-to-remember words as their passwords. A dictionary attack works through a list of words from a dictionary to see if any of them turn out to be a valid password. Such programs also take into consideration tricks such as using the number 3 instead of the letter 'e' and the number 1 in place of the letter 'l'.
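The substitution point above can be turned into a check at password-change time. The following is an added example, not code from the original tutorial: it undoes look-alike substitutions and rejects passwords that reduce to dictionary words. The word list, the padding characters and every mapping other than 3 for 'e' and 1 for 'l' are assumptions chosen for illustration.

```python
# Added example: flag passwords that are dictionary words in disguise.
# LEET, PAD and WORDLIST are small constructed samples (assumptions), not a
# real dictionary; only 3->e and 1->l come from the tutorial text.
LEET = str.maketrans({"3": "e", "1": "l", "0": "o", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})
PAD = "0123456789!?.#*"  # characters users commonly add before or after a word
WORDLIST = {"weather", "news", "password", "hello", "letmein", "dragon"}


def normalize(password):
    """Lower-case the password and undo common look-alike substitutions."""
    return password.lower().translate(LEET)


def splits_into_words(text, words=WORDLIST):
    """Return True if text is a concatenation of dictionary words."""
    # reachable[i] is True when text[:i] can be built from dictionary words.
    reachable = [True] + [False] * len(text)
    for end in range(1, len(text) + 1):
        for start in range(end):
            if reachable[start] and text[start:end] in words:
                reachable[end] = True
                break
    return reachable[len(text)]


def is_guessable(password, words=WORDLIST):
    """Flag passwords that a dictionary check with substitution rules covers."""
    # Test the password as typed and with leading/trailing padding removed.
    candidates = {normalize(password), normalize(password.strip(PAD))}
    return any(splits_into_words(c, words) for c in candidates)


if __name__ == "__main__":
    for pw in ["W3ath3rN3ws", "he11o", "Passw0rd1!", "xK9#qT2vLm"]:
        print(pw, "-> reject" if is_guessable(pw) else "-> accept")
```

In practice the word list would be a full dictionary plus known breached passwords, and the check would run alongside the lockout after failed attempts described earlier.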
