Access Control Fundamentals

10. Access Control Threats

10.11. Dictionary Attacks

Overview
  • Dictionary attacks are launched by programs that are fed lists (dictionaries) of commonly used words or character combinations and then compare each entry against captured passwords until one matches.
  • Once the right combination of characters is identified, the attacker can use this password to authenticate herself as a legitimate user.
  • Sometimes the attacker can even capture the password file using this kind of activity.


Countermeasures

To properly protect an environment against dictionary and other password attacks, the following practices should be followed:

  • Do not allow passwords to be sent in cleartext.
  • Protect stored passwords with encryption algorithms or hashing functions.
  • Employ one-time password tokens.
  • Use hard-to-guess passwords.
  • Rotate passwords frequently.
  • Employ an IDS to detect suspicious behavior.
  • Use dictionary cracking tools to find weak passwords chosen by users.
  • Use special characters, numbers, and upper- and lowercase letters within the password.
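The following is an added example, not part of the original training material, showing how several of the countermeasures above fit together on the defender's side: rejecting dictionary-based and weak passwords when they are set (the "hard-to-guess passwords" and character-class points), storing them behind a slow salted hash rather than in cleartext, and flagging sources that generate bursts of failed logins as an IDS would. The wordlist, the password policy thresholds, the PBKDF2 work factor, the log line format and the IP addresses are all constructed for this demo and are assumptions, not values from the original page.

```python
import hashlib
import hmac
import os
import re
from collections import defaultdict

# Constructed sample dictionary for the demo; a real deployment would load a
# large wordlist (the same lists dictionary-cracking tools are fed with).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "dragon", "summer"}

MIN_LENGTH = 12
# Assumed work factor: a slow, salted hash makes every offline guess expensive.
PBKDF2_ITERATIONS = 200_000

# Leetspeak substitutions that wordlist manglers commonly apply (assumed set).
_LEET = str.maketrans("@$013", "asoie")


def normalize(candidate: str) -> str:
    """Undo common mangling (case, trailing digits/symbols, leetspeak) so that
    'Summer2024!' and 'P@ssw0rd' are still recognised as dictionary words."""
    base = candidate.lower()
    base = re.sub(r"[^a-z]+$", "", base)  # strip trailing year/symbol suffixes
    return base.translate(_LEET)


def password_weaknesses(pw: str) -> list:
    """Return the policy violations for a proposed password (empty if it is
    acceptable): length, dictionary membership and character-class mix."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if normalize(pw) in COMMON_WORDS:
        problems.append("based on a dictionary word")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, pw)) for c in classes) < 3:
        problems.append("needs at least three of: lowercase, uppercase, digit, special")
    return problems


def hash_password(pw: str, salt: bytes = None) -> str:
    """Store 'salt$digest' in hex. A fresh random salt per user defeats
    precomputed dictionaries; PBKDF2 slows down each individual guess."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(pw: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed log format for the IDS-style check:
#   "<timestamp> auth <FAIL|OK> user=<name> src=<ip>"
LOG_LINE = re.compile(r"^(\S+) auth (FAIL|OK) user=(\S+) src=(\S+)$")

# Constructed sample log: six failures from one source, one failure and one
# success from another (documentation IP ranges, not real hosts).
SAMPLE_LOG = [f"2024-05-01T10:00:{s:02d}Z auth FAIL user=alice src=203.0.113.7" for s in range(6)] + [
    "2024-05-01T10:00:07Z auth FAIL user=bob src=198.51.100.2",
    "2024-05-01T10:00:09Z auth OK user=bob src=198.51.100.2",
]


def guessing_sources(log_lines, threshold: int = 5) -> dict:
    """Return {source: failure_count} for sources at or above the threshold,
    i.e. the behaviour an IDS rule for password guessing would alert on."""
    failures = defaultdict(int)
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and m.group(2) == "FAIL":
            failures[m.group(4)] += 1
    return {src: n for src, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "Summer2024!", "Xk7#quiet-lantern-42"):
        print(pw, "->", password_weaknesses(pw) or "ok")
    stored = hash_password("Xk7#quiet-lantern-42")
    print("verify:", verify_password("Xk7#quiet-lantern-42", stored))
    print("guessing sources:", guessing_sources(SAMPLE_LOG))
```

The normalization step matters because dictionary tools do not test bare words only: they append years, capitalise the first letter and swap in leetspeak, so a policy that only looks for exact wordlist matches lets "Summer2024!" through. The PBKDF2 iteration count is the knob that turns the "hashing functions" countermeasure into real resistance; a fast unsalted hash lets an attacker with the password file test an entire dictionary in seconds, while a slow salted one forces the same work per user per guess.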