Re: Detecting Brute-Force and Dictionary attacks

Hi

What if you store the lengths of the passwords instead? With a typo
they won't be off by more than perhaps one or two characters, but with
a brute force or dictionary attack they would be way off. Another
idea might be to have a dictionary list, and see if any of the tried
passwords is a dictionary word. For the users, there would be rules
against having dictionary words as passwords, and one could implement
the same principle there: If the chosen password matches a dictionary
word, a no-no message is what you get. In the case that the attacker
knows the password policies (if it's an open system where everyone can
register, for instance), at least you have gotten rid of dictionary
attacks for good.

Best regards
Christian J

On 11/9/06, fabio <ctrlaltca@xxxxxxxxx> wrote:
The idea is simple and good, but there's a problem in its
implementation: usually modern systems don't compare the password you
write with the saved password; instead, they compare a hash of your
password attempt with the saved hash of your current password. By
design, two similar strings have strongly different hashes. So you can't
compare two hashes and say if they correspond to two similar words.
Greets,
Fabio



Sebastiaan Veenstra wrote:
> Hi,
>
> I didn't read the whole discussion about this issue but I came up with
> an idea which might be useful to detect brute force attempts. By
> storing the passwords a certain user has used in the past along with
> the current password you would be able to compare the password (by
> pattern matching) used at the login attempts with the passwords list.
> If the password used differs significantly (this excludes typos) from
> the entries in the password list, there could be a possible brute
> force attempt. The reason for storing the previous passwords is that
> people tend to use every password they've used in the past when they
> forgot their password. Maybe this idea can be used along with the
> other methods of detecting brute force attempts. Anyway, it's just a
> random thought.
>
> Greets,
>
> Sebastiaan
>
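A worked version of the two detection ideas discussed in this thread (comparing the length of a failed attempt against the stored length, and checking attempts against a dictionary list), as an added Python example that is not from any poster here; the user record, the word list, the attempt sequence and the 2-character typo tolerance are all constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample dictionary; a real deployment would load a full word list.
COMMON_WORDS = {"password", "letmein", "dragon", "monkey", "qwerty", "welcome"}


def make_record(password: str) -> dict:
    """Store a salted hash for verification plus the plaintext length.
    Note: the stored length is extra information for anyone who obtains the
    record, so it narrows an offline guess; that is the trade-off of the idea."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
    return {"salt": salt, "hash": digest, "length": len(password)}


def verify(record: dict, attempt: str) -> bool:
    """Constant-time comparison of the attempt's hash with the stored hash."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], 50_000)
    return hmac.compare_digest(digest, record["hash"])


def classify_failure(record: dict, attempt: str, max_typo_delta: int = 2) -> str:
    """Label a failed attempt. The server sees the attempt in plaintext, so it
    can check it against the dictionary and compare its length with the stored
    length even though the stored password itself is only a hash."""
    if attempt.lower() in COMMON_WORDS:
        return "dictionary"
    if abs(len(attempt) - record["length"]) <= max_typo_delta:
        return "typo-like"
    return "suspicious"


def assess_attempts(record: dict, attempts: list) -> list:
    """Label each login attempt for one account in order."""
    return ["success" if verify(record, a) else classify_failure(record, a)
            for a in attempts]


def should_alert(labels: list, threshold: int = 3) -> bool:
    """Raise an alert once enough failures look like guessing rather than typos."""
    return sum(lab in ("dictionary", "suspicious") for lab in labels) >= threshold


if __name__ == "__main__":
    rec = make_record("Tr0ub4dor&3")
    labels = assess_attempts(rec, ["Tr0ub4dor&", "qwerty", "a1", "zzzzzzzzzzzzzzzzzzzz", "Tr0ub4dor&3"])
    print(labels, should_alert(labels))
```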
