October 10, 2005

Brute Force Attacks.

Brute force attacks are closely related to dictionary attacks. The difference is that a brute force attack generates user IDs and passwords by enumerating possible combinations instead of reading them from a dictionary file.

You should be more concerned about a dictionary attack than about a brute force attack. A typical password dictionary has roughly 1,000,000 entries of common passwords. These include people's names, common pet names, and ordinary words. Suppose an efficient dictionary attack can generate and test 10 guesses per second. If a user's password is in the dictionary, the attack will succeed in at most 1,000,000 / 10 = 100,000 seconds, or approximately 28 hours.

Now suppose a user has a six-character password drawn from upper- and lowercase letters, digits and 32 punctuation characters, an alphabet of 94 characters. There are 94^6 = 689,869,781,056 password combinations. At the same 10 guesses per second, a brute force attack would require 1,093 years on average to find the correct password, since on average half of the combinations must be tried. This comparison doesn't mean brute force attacks aren't a threat, but it does make clear how much more dangerous dictionary attacks are. I will post a code sample about how to create a dictionary attack and how we can prevent it. So stay tuned.
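The estimates above can be checked and generalized with a small calculator. This is an added example, not code from the original post; it assumes the post's figures (1,000,000-entry dictionary, 10 guesses per second, 94-character alphabet) and a 365-day year.

```python
"""Dictionary vs. brute force time estimates (added example, not from the post).

Assumptions taken from the post: a 1,000,000-entry dictionary, 10 guesses per
second, and a password alphabet of 26 + 26 + 10 + 32 = 94 characters.
A year is taken as 365 days, which reproduces the post's "1,093 years".
"""
from math import log2

SECONDS_PER_HOUR = 3_600
SECONDS_PER_YEAR = 365 * 24 * 3_600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def worst_case_seconds(candidates: int, guesses_per_second: float) -> float:
    """Time to try every candidate; for a dictionary this is the full list."""
    return candidates / guesses_per_second


def average_case_seconds(candidates: int, guesses_per_second: float) -> float:
    """Expected time when the target is uniformly random among the candidates:
    on average half of the space is searched before the hit."""
    return worst_case_seconds(candidates, guesses_per_second) / 2


def compare(dictionary_size: int, alphabet_size: int, length: int,
            guesses_per_second: float) -> dict:
    """Side-by-side figures for the two attacks at a given guess rate.

    `guesses_per_second` is the defender's lever: account lockout or rate
    limiting on an online login lowers it, a leaked hash database removes
    the limit entirely and the brute force figure shrinks accordingly.
    """
    space = keyspace(alphabet_size, length)
    return {
        "dictionary_hours": worst_case_seconds(dictionary_size, guesses_per_second) / SECONDS_PER_HOUR,
        "keyspace": space,
        "password_bits": log2(space),
        "brute_force_years": average_case_seconds(space, guesses_per_second) / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    # The post's scenario: 1,000,000 entries, 94-character alphabet, length 6, 10 guesses/s.
    figures = compare(1_000_000, 94, 6, 10)
    print(f"dictionary, worst case : {figures['dictionary_hours']:.1f} hours")
    print(f"keyspace               : {figures['keyspace']:,} ({figures['password_bits']:.1f} bits)")
    print(f"brute force, average   : {figures['brute_force_years']:,.0f} years")
```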
