Overview#

A Password Guessing Attack is an attack usually performed off-line, typically using heuristic attack tools designed for the purpose.

Heuristic attack applications for Password Guessing Attacks are quite effective. Consider these numbers:[1]

  • 2 minutes – the time taken for the first pass with a Password Dictionary and 64 rules to crack the first 38,000 passwords;
  • Just under five days – the time taken to brute force all passwords up through eight characters in length;
  • 12 – the average number of passwords cracked per user account (either because they used a poor password, or because it was eight characters or less, or both);
  • 87.8 per cent of the passwords cracked were broken using the easily available CrackStation password cracking Password Dictionary. By comparison, only 12.2 per cent of the passwords were cracked via brute force. The lesson, the author says, is that using wordlists is very efficient;
  • 27 characters – the longest password cracked; it was a name and digits repeated several times (Lesson: employees do understand they have to use more than eight characters, and they still cheat). Someone used “Thisisalongpassword.” That wasn’t bad — except they used the string more than once, so it was cracked.
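
As an added illustration (not part of the original page), a password-acceptance check that rejects exactly the patterns the numbers above show being cracked: eight characters or fewer, a wordlist entry with the digits and symbols a rule file would bolt on, and a string repeated several times. The wordlist here is a small constructed stand-in for a list like CrackStation's.

```python
from __future__ import annotations
import string

# Constructed stand-in for a large wordlist such as CrackStation's (not the real list).
DICTIONARY = {"password", "welcome", "summer", "jim", "letmein"}

MAX_CRACKED_LENGTH = 8  # the page's figure: everything up through eight characters fell to brute force

# Undo the common "leetspeak" substitutions a rule file applies to a wordlist entry.
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "!": "i"})


def repeated_unit(s: str) -> str:
    """Return the shortest block that, repeated, forms s; s itself if it is not a repetition."""
    n = len(s)
    for period in range(1, n // 2 + 1):
        if n % period == 0 and s[:period] * (n // period) == s:
            return s[:period]
    return s


def base_word(candidate: str) -> str:
    """Strip the mangling a rule typically adds: case, appended/prepended digits and symbols, leetspeak."""
    core = candidate.lower().strip(string.digits + string.punctuation)
    return core.translate(_LEET)


def weaknesses(candidate: str) -> list[str]:
    """List the page's cracked-password patterns found in candidate; empty list means none found."""
    findings = []
    if len(candidate) <= MAX_CRACKED_LENGTH:
        findings.append("length<=8")
    unit = repeated_unit(candidate)
    if unit != candidate:
        findings.append("repeated")          # "Thisisalongpassword." used twice, names+digits repeated
    if base_word(unit) in DICTIONARY:
        findings.append("dictionary")        # a wordlist entry plus rule-style mangling
    elif len(unit) <= MAX_CRACKED_LENGTH:
        findings.append("short-unit")        # repetition does not enlarge the effective search space
    return findings


def is_acceptable(candidate: str) -> bool:
    return not weaknesses(candidate)
```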

Why are Password Guessing Attacks done off-line?#

Hopefully most Applications use some sort of Server-Side Login throttling scheme and / or Intruder Detection method, which limits on-line guessing. So it is common for an Attacker to steal a document or password store, even an Encrypted one, against which Brute-Force Password Guessing Attacks can then be performed off-line, free of those limits.

More Information#

There might be more information for this subject on one of the following:

This page (revision-4) was last changed on 13-Apr-2017 13:31 by jim