CAPEC-49
Password Brute Forcing
Medium
High
Draft
2014-06-23
00h00 +00:00
00h00 +00:00
2022-02-22
00h00 +00:00
00h00 +00:00
Alerte pour un CAPEC
Stay informed of any changes for a specific CAPEC.
Descriptions CAPEC
An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.
Informations CAPEC
Execution Flow
1) Explore
[Determine application's/system's password policy] Determine the password policies of the target application/system.
Technique
- Determine minimum and maximum allowed password lengths.
- Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc.).
- Determine account lockout policy (a strict account lockout policy will prevent brute force attacks).
2) Exploit
[Brute force password] Given the finite space of possible passwords dictated by the password policy determined in the previous step, try all possible passwords for a known user ID until application/system grants access.
Technique
- Manually or automatically enter all possible passwords through the application/system's interface. In most systems, start with the shortest and simplest possible passwords, because most users tend to select such passwords if allowed to do so.
- Perform an offline dictionary attack or a rainbow table attack against a known password hash.
Prerequisites
An adversary needs to know a username to target.The system uses password based authentication as the one factor authentication mechanism.
An application does not have a password throttling mechanism in place. A good password throttling mechanism will make it almost impossible computationally to brute force a password as it may either lock out the user after a certain number of incorrect attempts or introduce time out periods. Both of these would make a brute force attack impractical.
Skills Required
A brute force attack is very straightforward. A variety of password cracking tools are widely available.Resources Required
A powerful enough computer for the job with sufficient CPU, RAM and HD. Exact requirements will depend on the size of the brute force job and the time requirement for completion. Some brute forcing jobs may require grid or distributed computing (e.g. DES Challenge).Mitigations
Implement a password throttling mechanism. This mechanism should take into account both the IP address and the log in name of the user.Put together a strong password policy and make sure that all user created passwords comply with it. Alternatively automatically generate strong passwords for users.
Passwords need to be recycled to prevent aging, that is every once in a while a new password must be chosen.
Related Weaknesses
| Weakness Name | |
|---|---|
CWE-521 |
Weak Password Requirements The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts. |
CWE-262 |
Not Using Password Aging The product does not have a mechanism in place for managing password aging. |
CWE-263 |
Password Aging with Long Expiration The product supports password aging, but the expiration period is too long. |
CWE-257 |
Storing Passwords in a Recoverable Format The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts. |
CWE-654 |
Reliance on a Single Factor in a Security Decision A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality. |
CWE-307 |
Improper Restriction of Excessive Authentication Attempts The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |
CWE-308 |
Use of Single-factor Authentication The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme. |
CWE-309 |
Use of Password System for Primary Authentication The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism. |
Submission
| Name | Organization | Date | Date release |
|---|---|---|---|
| CAPEC Content Team | The MITRE Corporation |
Modifications
| Name | Organization | Date | Comment |
|---|---|---|---|
| CAPEC Content Team | The MITRE Corporation | Updated Attack_Phases, Attack_Prerequisites, Description Summary, Examples-Instances | |
| CAPEC Content Team | The MITRE Corporation | Updated References | |
| CAPEC Content Team | The MITRE Corporation | Updated Description, Taxonomy_Mappings | |
| CAPEC Content Team | The MITRE Corporation | Updated Consequences, Related_Attack_Patterns, Related_Weaknesses, Taxonomy_Mappings | |
| CAPEC Content Team | The MITRE Corporation | Updated Related_Attack_Patterns | |
| CAPEC Content Team | The MITRE Corporation | Updated Description, Extended_Description |
2025©
tesweb SA
