!!! Overview
[{$pagename}] (or Password Guessing) refers to an [attack] method that takes a large number of [usernames] and loops them with a single [password]. The [attacker] can run multiple iterations using a number of different [passwords], but the number of passwords attempted is usually low when compared to the number of users attempted. This method avoids [Intruder Lockout Checks], and it is often more effective at uncovering weak passwords than targeting specific users.

[{$pagename}] is an [Attack] that may be performed off-line, typically using some [Heuristic Attacks] designed for such attacks.

[{$pagename}] [Heuristic Attack] [applications] are quite effective. Consider these numbers:[1]
* 2 minutes – the time taken for the first pass with a [Password Dictionary] and 64 rules to crack the first 38,000 [passwords];
* Just under five days – time taken to brute force all [passwords] up through eight characters in length;
* 12 – average number of passwords cracked per user account (either because they used a poor password, or it was eight characters or less, or both);
* 87.8 per cent of the [passwords] cracked were broken using the easily available CrackStation password cracking [Password Dictionary]. By comparison, only 12.2 per cent of the passwords were cracked via brute force. The lesson, the author says, is that using wordlists is very efficient;
* 27 characters – the longest password cracked. It was a name and digits repeated several times (Lesson: Employees do understand they have to use more than eight characters, and they still cheat). Someone used “Thisisalongpassword.” That wasn’t bad — except they used the string more than once, so it was cracked.

!! Why are [{$pagename}] done off-line?
Hopefully most [Applications] utilize some sort of [Server-Side Login throttling schemes] and / or [Intruder Detection] methods. So it is common for an [Attacker] to steal a document or [password] store, even if it is [Encrypted|Encryption], against which the [Brute-Force] [{$pagename}] can then be performed.

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Password analysis shows employees still aren’t getting the message|http://www.itworldcanada.com/article/password-analysis-shows-employees-still-arent-getting-the-message/392287|target='_blank'] - based on information obtained 2017-04-13
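
The on-line pattern described in the Overview (many usernames, few passwords each, so that no single account reaches its lockout count) shows up when failures are counted per source across accounts instead of per account. The following is an added example, not part of the original page: the log format, the thresholds and the function names are assumptions, and the events are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def sample_events():
    """Constructed log lines (timestamp, source, username, result); not real data."""
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    lines = []
    for p in range(2):            # two passes, one candidate password each
        for i in range(12):       # twelve accounts tried per pass
            ts = t0 + timedelta(minutes=2 * p, seconds=5 * i)
            lines.append(f"{ts.isoformat()} 198.51.100.7 user{i:02d} FAIL")
    for i in range(6):            # one user mistyping: a lockout case, not a spray
        ts = t0 + timedelta(seconds=20 * i)
        lines.append(f"{ts.isoformat()} 203.0.113.9 alice FAIL")
    lines.append(f"{(t0 + timedelta(minutes=3)).isoformat()} 203.0.113.9 alice OK")
    return lines

def parse(lines):
    for line in lines:
        ts, src, user, result = line.split()
        yield datetime.fromisoformat(ts), src, user, result

def detect_spray(events, window=timedelta(minutes=10), min_users=10):
    """Return {source: (distinct_accounts, max_failures_per_account)} for every
    source whose failures inside one sliding window touch >= min_users accounts."""
    fails = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            fails[src].append((ts, user))
    flagged = {}
    for src, rows in fails.items():
        rows.sort()
        counts, start = Counter(), 0
        for ts, user in rows:
            counts[user] += 1
            while ts - rows[start][0] > window:   # evict failures older than the window
                old = rows[start][1]
                counts[old] -= 1
                if not counts[old]:
                    del counts[old]
                start += 1
            if len(counts) >= min_users:
                seen = (len(counts), max(counts.values()))
                flagged[src] = max(flagged.get(src, (0, 0)), seen)
    return flagged

if __name__ == "__main__":
    for src, (users, per_user) in detect_spray(parse(sample_events())).items():
        print(f"{src}: {users} accounts, at most {per_user} failures each")
```

The flagged source never exceeds two failures on any one account, so a per-account lockout threshold of, say, five would not have fired, while the repeated mistyping from the other source is a lockout matter and is correctly left out here.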