Combating Dictionary Attacks

Password attack is a generic term used to describe various activities

attempting to crack, alter, delete, or tamper with a system's password

database in order to break into it or jeopardize its security. A

dictionary attack, however, is a special type of password attack. It

attempts to "reverse engineer" users passwords on a given machine.

How does a dictionary attack actually work?

Linux uses the DES algorithm, which is not invincible, to encrypt

users' passwords. As Linux requires relatively short passwords, users

often choose passwords that are easy to guess. A dictionary attack

takes advantage of these factors in order to crack passwords.

Attackers use a dictionary, or a list of words, and encrypt them using

the DES algorithm. A typical word list might contain the entire Webster

dictionary or similar corpuses of nouns, adjectives, and proper names.

Sophisticated software tools, such as Crack, manipulate the words in a

dictionary by reversing and chopping them, affixing numbers to their

ends, changing letters' case, etc.... Crack can transform each word

into no less than 4096 distinct strings! After generating all the

permutations, the password-cracking tool encrypts them using the DES

algorithm and compares the result with the list of encrypted passwords

located at /etc/passwd on the target host. Using a fast machine and

clever password-cracking tools, cracking a password takes a matter of

minutes.

How can you protect your system from such dictionary attacks?

As always, avoid passwords that are too easy to guess. Several

utilities enable a system administrator to enforce strict password

policies by disabling short passwords or disabling nouns and proper

names altogether. A password that consists of a combination of random

letters, special characters, and numbers is less susceptible to

dictionary attacks. Remember to also change passwords frequently.

Finally, use additional user authentication means and protection

measures such as disabling inactive accounts, intrusion detection

utilities, and restricted authorizations.

Top 10 Hot Internet of Things Startups
Join the discussion
Be the first to comment on this article. Our Commenting Policies