This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
[{$pagename}] (or Password Guessing) refers to an [attack] method that takes a large number of [usernames] and loops through them with a single [password].
The [attacker] can run multiple iterations with a number of different [passwords], but the number of passwords attempted is usually low compared to the number of users attempted. Because each account sees only one or a few failed attempts, this method avoids [Intruder Lockout Checks], and it is often more effective at uncovering weak passwords than targeting specific users.
[{$pagename}] is an [Attack] that may also be performed off-line, typically using [Heuristic Attacks] designed for that purpose.
[{$pagename}] [Heuristic Attack] [applications] are quite effective. Consider these numbers:[1]
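The lockout-evasion property described above is itself a detection signal: count distinct accounts failing per source rather than failures per account. The following is an added Python example, not code from the original page; the "auth:" log format, the thresholds and the addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format): one source tries a single
# password against five accounts, once each, then one login succeeds;
# a second source is a legitimate user retrying their own password.
SAMPLE_LOG = """\
2024-11-29T16:00:01 auth: FAIL user=alice src=203.0.113.7
2024-11-29T16:00:02 auth: FAIL user=bob src=203.0.113.7
2024-11-29T16:00:03 auth: FAIL user=carol src=203.0.113.7
2024-11-29T16:00:04 auth: FAIL user=dave src=203.0.113.7
2024-11-29T16:00:05 auth: FAIL user=erin src=203.0.113.7
2024-11-29T16:00:06 auth: OK user=frank src=203.0.113.7
2024-11-29T16:00:10 auth: FAIL user=alice src=198.51.100.2
2024-11-29T16:00:11 auth: FAIL user=alice src=198.51.100.2
2024-11-29T16:00:12 auth: OK user=alice src=198.51.100.2
"""

def parse_line(line):
    """Split one log line into (timestamp, result, user, src)."""
    ts, _, rest = line.partition(" auth: ")
    result, user_field, src_field = rest.split()
    return (datetime.fromisoformat(ts), result,
            user_field.split("=", 1)[1], src_field.split("=", 1)[1])

def detect_spray(log_text, window=timedelta(minutes=10),
                 lockout_threshold=5, min_distinct_users=5):
    """Report sources that fail against many distinct accounts inside
    `window` while no single account reaches lockout_threshold, i.e.
    a per-account lockout check alone would have stayed silent.
    Successful logins from that source in the window are listed too."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        fails = [(t, u) for t, r, u, _ in evs if r == "FAIL"]
        for i, (t0, _) in enumerate(fails):      # sliding window start
            per_user = defaultdict(int)
            for t, u in fails[i:]:
                if t - t0 <= window:
                    per_user[u] += 1
            max_per_account = max(per_user.values())
            if len(per_user) >= min_distinct_users and max_per_account < lockout_threshold:
                findings[src] = {
                    "distinct_users": len(per_user),
                    "max_per_account": max_per_account,
                    "successes": sorted(u for t, r, u, _ in evs
                                        if r == "OK" and t0 <= t <= t0 + window)}
                break
    return findings
```

The successful login listed for a flagged source is the account to treat as compromised; the retrying user at the second source trips neither rule.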
* 2 minutes – the time taken for the first pass with a [Password Dictionary] and 64 rules to crack the first 38,000 [passwords];
* Just under five days – the time taken to brute force all [passwords] up through eight characters in length;
* 12 – average number of passwords cracked per user account (either because they used a poor password, or it was eight characters or less, or both);
* 87.8 per cent of the [passwords] cracked were broken using the easily available CrackStation password cracking [Password Dictionary]. By comparison, only 12.2 per cent of the passwords were cracked via brute force. The lesson, the author says, is that using wordlists is very efficient;
* 27 characters – the longest password cracked; it was a name and digits repeated several times (lesson: employees do understand they have to use more than eight characters, and they still cheat). Someone used “Thisisalongpassword.” That wasn’t bad, except that the string was used more than once, so it was cracked.
!! Why is [{$pagename}] done off-line?
Hopefully most [Applications] utilize some sort of [Server-Side Login throttling schemes] and / or [Intruder Detection] methods. So it is common for an [Attacker] to steal a document or [password] store, even an [Encrypted|Encryption] one, and perform the [Brute-Force] [{$pagename}] against it off-line, where no throttling or lockout applies.
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Password analysis shows employees still aren’t getting the message|http://www.itworldcanada.com/article/password-analysis-shows-employees-still-arent-getting-the-message/392287|target='_blank'] - based on information obtained 2017-04-13