We’ll discuss brute-force and dictionary attacks together because they are waged against the same entity: passwords. Either type of attack can be waged against a password database file or against an active logon prompt.
A brute-force attack is an attempt to discover passwords for user accounts by systematically attempting every possible combination of letters, numbers, and symbols. With the speed of modern computers and the ability to employ distributed computing, brute-force attacks are becoming suc- cessful even against strong passwords. With enough time, all passwords can be discovered using a brute-force attack method. Most passwords of 14 characters or less can be discovered within 7 days on a fast system using a brute-force attack program against a stolen password database file (the actual time it takes to discover passwords depends upon the encryption algorithm used to encrypt them).
In theory, this window can be exploited in a time-memory trade-off known as rainbow tables.
Precomputed inputs (passwords and password combinations) are compactly represented in an iterated series of variations that make up a dictionary of possible password hashes. These pre- computed hashes are then referenced against target hashes to find a matching entry. Two imme- diate problems arise: any given password must be predetermined by some means (dictionary word lists, combinations and variations of alphanumeric elements, and so on) and contain no password salts, which extend the length and complexity of a password entry. Both of these con- ditions make rainbow tables effective only so long as the target password is knowable and pre- dictably defined. Nevertheless, rainbow tables often play a complementary front-runner role to more exhaustive brute-force methods.
The longer the password (or the greater the number of keys in an algorithm’s key space), the more costly and time-consuming a brute-force attack becomes. When the number of pos- sibilities is increased, the cost of performing an exhaustive attack increases as well. In other words, the longer the password, the more secure against brute-force attacks it is.
A dictionary attack is an attempt to discover passwords by attempting to use every possible password from a predefined list of common or expected passwords. This type of attack is named such because the possible password list is so long, it is as if you were using the entire dictionary one word at a time to discover passwords.
Password attacks employ a specific cryptographic attack method known as the birthday
attack (see Chapter 10, “PKI and Cryptographic Applications”). This attack is also called
reverse hash matching or the exploitation of collision. Basically, the attack exploits the fact that if two messages are hashed and the hash values are the same, then the two messages are probably the same. A way of expressing this in mathematical or cryptographic notation is H(M)=H(M'). Passwords are stored in an account’s database file on secured systems. However, instead of being stored as plain text, passwords are hashed, and only their hash values are actually stored. This
Methods of Attack 57
provides a reasonable level of protection. However, using reverse hash matching, a password attacker tool looks for possible passwords (through either brute-force or dictionary methods) that have the same hash value as a value stored in the account’s database file. When a hash value
match is discovered, then the tool is said to have cracked the password.
Combinations of these two password attack methodologies can be used as well. For example, a brute-force attack could use a dictionary list as the source of its guesswork.
Dictionary attacks are often successful because of the predictability of human nature to select passwords based on personal experiences. Unfortunately, those personal experiences are often broadcast to the world around you simply by the way you live and act on a daily basis. If you are a sports fan, your password might be based on a player’s name or a hit record. If you have children, your password might be based on their names or birth dates. If you work in a technical industry, your password might be based on industry acronyms or product names. The more data about a victim learned through intelligence gathering, dumpster diving, and social engineering, the more successful a custom dictionary list will be.
Protecting passwords from brute-force and dictionary attacks requires numerous security precautions and rigid adherence to a strong security policy:
Controlling physical access to systems You must control physical access to your systems. If a malicious entity can gain physical access to an authentication server, they can often steal the password file within seconds. Once a password file is stolen, all passwords should be considered compromised.
Brute Force Beats Finesse
Brute-force login attacks are relatively simple and rather effective against many types of tar- gets. Claire sees thousands of failed and unauthorized connection attempts to her Internet- facing SSH servers, which includes Damien’s constant inability to remember his own pass- word. The effectiveness of a brute-force login attack hinges entirely on the notion that people tend to seek the path of least resistance, which in this case means using easily guessed pass- words devoid of creativity or variation.
Claire runs a modified version of the SSH server that thwarts brute-force attempts and includes a user/group access list for its configuration, but she also wisely deploys an access list of permitted IPs on the firewall. This gives her several layers of protection over lesser- experienced administrators who don’t enforce strong password choices or configurations and rule sets.
She knows that for every Damien in her user group who can’t understand why his password is a certain length and difficulty level, there’s an Elaine or Frank on some other network who never forgets their password. Neither does the surreptitious attacker who keeps using their accounts whose password he found through a dictionary-driven attack.
58 Chapter 2 Attacks and Monitoring
Controlling electronic access to password files Tightly control and monitor electronic access to password files. End users and those who are not account administrators have no need to access the password database file for regular, daily work tasks. If you discover an unauthorized access to the database file, investigate immediately. If you cannot determine that a valid access occurred, then consider all passwords compromised.
Creating a strong password policy Craft a password policy that programmatically enforces
strong passwords and prescribe means by which end users can create stronger passwords. The stronger and longer the password, the longer it will take for it to be discovered in a brute-force attack. However, with enough time, all passwords can be discovered via brute-force methods. Thus, changing passwords regularly is required to maintain security. Static passwords older than 30 days should be considered compromised even if no other aspect of a security breach has been discovered.
Deploying two-factor authentication Deploy two-factor authentication, such as using bio-
metrics or token devices. If passwords are not the only means used to protect the security of a network, their compromise will not automatically result in a system breach.
Using account lockout controls Use account lockout controls to prevent brute-force and
dictionary attacks against logon prompts. For those systems and services that don’t support account lockout controls, such as most FTP servers, employ extensive logging and an IDS to look for attempted fast and slow password attacks.
Encrypting password files Encrypt password files with the strongest encryption available for
your OS. Maintain rigid control over all media that have a copy of the password database file, such as backup tapes and some types of boot or repair disks.
Passwords are a poor security mechanism when used as a sole deterrent against unautho- rized access. Brute-force and dictionary attacks show that passwords alone offer little more than a temporary blockade. Don’t lose sight of the importance of physical security, multifactor authentication, and constant monitoring of access behaviors and patterns of use.