
Posts

Showing posts with the label brute force attack

Dark Arts : An overview of Brute Forcing and Defense

Anatomy of the Dark Side

If you run a service with authentication, your servers will be targeted with brute force attempts. There are a couple of interesting attacks here that we will explain, and cover controls for, including standard brute force, wordlists, targeted wordlists and credential stuffing.

Brute Force and Password Entropy

An actual brute force attack involves iteratively generating every possible password: think 'A', 'B', ... 'AA', 'AB', ... and so on. Although, in theory, this could ultimately break any password, the attack is unlikely to occur over the network because of the number of attempts needed to succeed; the network is simply too slow. For instance, a weak password of just 5 printable ASCII characters gives a keyspace of 95^5, about 7.7 billion passwords. Trying candidates in sequence, we expect a 50% chance of success after covering half the space, roughly 3.9 billion guesses. At 10 guesses per second that would take about 12 years. This tactic simply isn't viable

Password cracking techniques

✨ There are a number of techniques that can be used to crack passwords. We describe the most commonly used ones below.

🌀 Dictionary attack – This method uses a wordlist of likely passwords and tries each entry against the target, or compares its hash against captured password hashes.

🌀 Brute force attack – This method is similar to the dictionary attack, but instead of a fixed list it systematically generates candidates by combining alphanumeric characters and symbols. For example, a dictionary word such as "password" can also be tried as "p@$$word". Strictly, substituting symbols into a wordlist entry is a rule-based (hybrid) attack rather than a pure brute force, but cracking tools combine the two routinely.

🌀 Rainbow table attack – This method uses pre-computed hashes. Suppose a database stores passwords as unsalted MD5 hashes. We can precompute the MD5 hashes of commonly used passwords and compare each stored hash against that table; if a match is found, we have the password. A true rainbow table stores compressed chains of hashes rather than every hash, but it is used the same way, and both are defeated by a per-user salt, which forces the precomputation to be repeated for every salt.

🌀 Guess – As the name suggests, this method involves guessing. Passwords such as qwerty, password, admi
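The dictionary, rule-based mangling and precomputed-table attacks described above, worked through against unsalted MD5 in code (an added example, not code from the original post). The wordlist, the leet substitution rules, the suffix list, the four user names and their "captured" hashes are all constructed for the example; real wordlists run to millions of entries and real rule sets to thousands of rules. The final lines show the caveat the post's rainbow-table paragraph depends on: once a per-user salt is prepended, the same precomputed table no longer recovers the same password.

```python
import hashlib
import itertools

# Constructed wordlist, not from the original post; real attacks use lists of millions.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon"]

# Mangling rules, assumed for illustration: leet substitutions and common suffixes.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5"}
SUFFIXES = ["", "1", "123", "!"]


def md5_hex(text: str) -> str:
    """Unsalted MD5, as in the post's scenario."""
    return hashlib.md5(text.encode()).hexdigest()


def leet_variants(word: str):
    """Every combination of substituting zero or more leet-able characters."""
    options = [[c] + list(LEET.get(c.lower(), "")) for c in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def mangle(word: str):
    """Rule-based (hybrid) candidates derived from one dictionary word,
    e.g. 'password' -> 'p@$$word', 'Password1', 'PASSW0RD!' ..."""
    seen = set()
    for cased in (word, word.capitalize(), word.upper()):
        for variant in leet_variants(cased):
            for suffix in SUFFIXES:
                candidate = variant + suffix
                if candidate not in seen:
                    seen.add(candidate)
                    yield candidate


def build_lookup(words, mangled: bool = True) -> dict:
    """Precomputed hash -> plaintext table. This is a plain lookup table; a real
    rainbow table stores chains instead of every hash, but is queried the same way."""
    table = {}
    for word in words:
        for candidate in (mangle(word) if mangled else [word]):
            table.setdefault(md5_hex(candidate), candidate)
    return table


def crack(hashes, table: dict) -> dict:
    """Map each captured hash to its recovered plaintext, or None if not in the table."""
    return {h: table.get(h) for h in hashes}


def salted_md5_hex(salt: str, text: str) -> str:
    """Per-user salt: the precomputed table was built without it, so it misses."""
    return hashlib.md5((salt + text).encode()).hexdigest()


# Constructed "captured" hashes for four hypothetical users.
TARGETS = {
    "alice": md5_hex("password"),              # plain dictionary word
    "bob": md5_hex("p@$$word"),                # dictionary word + leet rule
    "carol": md5_hex("letmein123"),            # dictionary word + suffix rule
    "dave": md5_hex("s3cr3tly-long-random"),   # not derivable from the wordlist
}
LOOKUP = build_lookup(WORDLIST)

if __name__ == "__main__":
    for user, digest in TARGETS.items():
        print(f"{user}: {crack([digest], LOOKUP)[digest]}")
    salted = salted_md5_hex("8f3a", "password")
    print(f"salted 'password': {crack([salted], LOOKUP)[salted]}")  # None
```

Three of the four constructed hashes fall to a five-word list because the rules, not the list length, do the work; the fourth survives only because it is not derivable from any wordlist entry. The salt does not make MD5 strong, it only removes the precomputation shortcut, so a slow, salted password hash (bcrypt, scrypt or Argon2) remains the actual control.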