Attacks: Password Guessing

by Ted Hersey


Password attacks are a well-studied but still dangerous form of attack. They are often performed together with other attacks: even a small amount of information gathered by other means can assist a manual password attack, and even without such data there are automated tools that can guess many passwords in a short period of time. A look at the techniques used to guess passwords reinforces the need for strong password procedures and policies as protection.

In Combination with other Attacks

Attacks on passwords are often carried out in conjunction with other attacks. The more information an attacker can gain about a system and about individual users, the greater the chance of success in a password attack. The starting point can be as simple as searching the company's web site for user names and system hardware; it can expand to social engineering and dumpster diving. The attacker may actually obtain a password this way, but more likely they will gather information about the company and employee names that will help in later password guessing. With even a small amount of data, a manual or automated attack can be launched.

Manual Attacks

Manual attacks usually start with the easiest to guess passwords. This is often no password at all or words like "password," "guest," or "secret." One study found that "around 50% of computer users base [passwords] on the name of a family member, partner or a pet. Thirty percent look to a pop idol or sporting hero." [1] With just a little personal data, many passwords can be guessed.

If the attacker has learned what hardware or software you use, they will know the vendor's default accounts and passwords, and begin guessing with these. "For example Computer Associates ARCserve backup software creates a highly privileged user account called "arcserve," which is usually set with a password of "arcserve" or "backup." [2] Armed with knowledge like this, the attacker's guessing job is easy. A company's operating procedures must ensure that all default passwords are changed when new hardware and software are installed.

Automated Attacks

If the attacker fails in a manual attack, they may move to an automated attack. Many free programs can assist in this, among them Legion, John the Ripper, NetBIOS Auditing Tool (NAT), and L0phtCrack (LC4).

Automated password attacks can be divided into two basic categories: dictionary attacks and brute force attacks. "A simple dictionary attack is by far the fastest way to break into a machine. A dictionary file (a text file full of dictionary words) is loaded into a cracking application such as L0phtCrack, which is run against user accounts located by the application. Because the majority of passwords are often simplistic, running a dictionary attack is often sufficient to do the job." [3]

The brute force method is the most comprehensive and the slowest: it tries every possible combination of characters in its automated search. Less time consuming is a hybrid approach, which starts with a dictionary and then tries combinations such as two words together or a word followed by numbers.

Many systems allow only a few guesses at a password before the account is locked out, so automated programs do not work well on-line. But if a password file can be stolen, even in encrypted or hashed form, these programs can guess off-line, and then success is only a matter of time. If the password is long enough, that can be a long time. "Although some password cracking programs can test nearly 8 million combinations every second on the latest Pentium 4 processor, breaking an eight-character password would still take more than 13 years on average." [4] Note that the 13-year figure is an average over the full keyspace for a password built from random characters; a password made from a word plus a few digits falls to the hybrid attack in a tiny fraction of that time, whatever its length.
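The three automated stages described above, run off-line against a stolen hash file, as an added example written for this article (it is not code from the article or from any of the tools it names). The user list, the wordlist of common words, vendor defaults and personal data, and the use of unsalted SHA-256 as the stored hash are constructed assumptions for illustration; real targets of the era stored LM/NTLM hashes, which crack far faster. The last function reproduces the arithmetic behind the "13 years" figure quoted above.

```python
"""Offline guessing against a stolen hash file: dictionary, hybrid and
brute-force stages, plus the expected-time arithmetic for a random password.
Added example; the hash file, wordlist and hash function are assumptions."""
import hashlib
import itertools
import string
from typing import Dict, Iterable, Iterator, List

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def sha256_hex(password: str) -> str:
    """Stand-in for whatever unsalted hash the stolen file holds (assumption)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed "stolen" password file, user -> hash.  Plaintexts appear only so
# the example is self-contained; the cracker works from the hashes alone.
STOLEN_HASHES: Dict[str, str] = {
    "guest": sha256_hex("guest"),        # password equal to the account name
    "arcserve": sha256_hex("backup"),    # vendor default
    "bob": sha256_hex("Spartans99"),     # team name plus digits
    "tmp": sha256_hex("k9z"),            # short, falls to brute force
    "alice": sha256_hex("x7!Qv9"),       # random, full 95-character set
}

# Constructed wordlist: common words, product defaults, and names gathered by
# recon (the boss's college team, a pet's name).
WORDLIST = ["password", "guest", "secret", "arcserve", "backup",
            "spartans", "fluffy", "letmein"]


def dictionary_candidates(words: Iterable[str]) -> Iterator[str]:
    """Plain dictionary attack: each word and its obvious case variants."""
    for w in words:
        yield w
        yield w.capitalize()
        yield w.upper()


def hybrid_candidates(words: Iterable[str]) -> Iterator[str]:
    """Hybrid attack: a word followed by digits, or two words joined."""
    words = list(words)
    for w in dictionary_candidates(words):
        for n in range(100):
            yield f"{w}{n}"
        for n in range(10):
            yield f"{w}0{n}"          # zero-padded variant, e.g. word07
    for a, b in itertools.permutations(words, 2):
        yield a + b


def brute_force_candidates(alphabet: str, max_len: int) -> Iterator[str]:
    """Brute force: every string over `alphabet` up to `max_len` characters."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            yield "".join(chars)


def crack(hashes: Dict[str, str], candidates: Iterable[str]) -> Dict[str, str]:
    """Hash each candidate once and look it up against every stolen hash."""
    by_hash: Dict[str, List[str]] = {}
    for user, h in hashes.items():
        by_hash.setdefault(h, []).append(user)
    found: Dict[str, str] = {}
    for guess in candidates:
        if not by_hash:
            break
        users = by_hash.pop(sha256_hex(guess), None)
        if users:
            for user in users:
                found[user] = guess
    return found


def run_all(hashes: Dict[str, str], words: Iterable[str]) -> Dict[str, str]:
    """Run the three stages cheapest-first, each only on still-uncracked users."""
    words = list(words)
    stages = [
        ("dictionary", lambda: dictionary_candidates(words)),
        ("hybrid", lambda: hybrid_candidates(words)),
        ("brute force (a-z, 0-9, up to 3 chars)",
         lambda: brute_force_candidates(string.ascii_lowercase + string.digits, 3)),
    ]
    found: Dict[str, str] = {}
    for name, make in stages:
        left = {u: h for u, h in hashes.items() if u not in found}
        hits = crack(left, make())
        for user, pw in hits.items():
            print(f"[{name}] {user}: {pw}")
        found.update(hits)
    return found


def expected_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Average time to hit a uniformly random password: half the keyspace."""
    return alphabet_size ** length / (2 * guesses_per_second)


if __name__ == "__main__":
    cracked = run_all(STOLEN_HASHES, WORDLIST)
    print("not cracked:", sorted(set(STOLEN_HASHES) - set(cracked)))
    years = expected_seconds(95, 8, 8_000_000) / SECONDS_PER_YEAR
    print(f"8 random chars from 95 at 8M/s: about {years:.1f} years on average")
```

The stages are ordered by cost, and each only hashes candidates for accounts still outstanding. Four of the five constructed accounts fall to the dictionary, hybrid and short brute-force passes; the one random six-character password from the full 95-character set is the only survivor, which is the point of the FIPS 112 recommendation later in the article.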

Internal vs. External Attacks

Password attacks can come from outsiders or from people inside the company. Insiders are particularly dangerous. They have physical access to your network, user desktops and other materials, and they know your password and login creation procedures. An insider can place a sniffer or protocol analyzer (such as Sniffer Pro or Etherpeek) on their machine and watch network traffic. From the network, from a desktop, or just by watching someone type, they can gather information that assists a password attack.

Perhaps most importantly, they have access to information about users, which can make guessing easy. For example, if your boss played football for Michigan St., you might try to log in as him with "Spartans" as your password.

Defensive Passwords

We can see from this overview of attack styles that many defenses are straightforward. To protect against social engineering and dumpster divers, passwords should never be written down and left around the desk. Users need to be aware of the threat and take personal responsibility not to give their login information to someone they do not know. Disposal of waste paper is also a company security issue, and is one more reason why trash should be shredded or destroyed.

From a technical standpoint, security can be tightened by using standards such as the US government's "Federal Information Processing Standards Publication 112" (FIPS PUB 112). [5] This standard's recommendations for a high level of protection include: a password length of 6-8 randomly generated characters, using all 95 characters (upper and lower case, numerals and special characters), and changing the password every month.
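Generating a password along the lines of the FIPS 112 high-protection recommendation above, and putting numbers on why it resists the attacks described earlier, as an added example written for this article (not code from the article or from FIPS 112). The alphabet, the 6 to 8 character policy bounds, the policy check and the 50,000-word dictionary size used for comparison are assumptions.

```python
"""Random password generation and entropy accounting in the spirit of the
FIPS PUB 112 recommendation: 6 to 8 characters from all 95 printable ASCII
characters.  Added example; bounds, alphabet and comparison figures are assumed."""
import math
import secrets
import string

# All 95 printable ASCII characters: letters, digits, punctuation and space.
PRINTABLE_95 = string.ascii_letters + string.digits + string.punctuation + " "
MIN_LEN, MAX_LEN = 6, 8   # assumed policy bounds, after the FIPS 112 range


def generate_password(length: int = MAX_LEN, alphabet: str = PRINTABLE_95) -> str:
    """Draw each character independently from a CSPRNG (secrets, not random)."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be between {MIN_LEN} and {MAX_LEN}")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def meets_policy(password: str, alphabet: str = PRINTABLE_95) -> bool:
    """Length within bounds and every character from the permitted set."""
    return MIN_LEN <= len(password) <= MAX_LEN and all(c in alphabet for c in password)


def random_bits(length: int, alphabet_size: int = len(PRINTABLE_95)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def word_plus_digits_bits(dictionary_size: int, digit_choices: int) -> float:
    """Entropy of the 'word followed by digits' pattern a hybrid attack targets."""
    return math.log2(dictionary_size * digit_choices)


if __name__ == "__main__":
    pw = generate_password(8)
    print(pw, meets_policy(pw))
    print(f"6 random chars: {random_bits(6):.1f} bits, 8: {random_bits(8):.1f} bits")
    print(f"word from 50,000 + 2 digits: {word_plus_digits_bits(50_000, 100):.1f} bits")
```

The comparison is the practical lesson of the article: even the shortest password FIPS 112 allows, six random characters from the full set, carries roughly 39 bits, while a dictionary word with two digits appended, however long the word, carries only about 22 bits and is exactly what the hybrid attack enumerates. Note that `meets_policy` checks only the character set and length; it cannot tell a random string from "Spartans", so the generator, not the check, is what provides the strength.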


Password security is a well-studied problem and the attack methods are well understood. And yet systems are constantly found to be vulnerable to this type of attack, which points to a problem with corporate security policy rather than with technology. What is required is a solid policy and a lot of continuous work adhering to it. The natural tendency of companies and users is to let these issues slide, and the result can be a system wide open to outsiders.


[1] "UK study: Passwords often easy to crack".
[2] McClure, Scambray, and Kurtz. Hacking Exposed: Network Security, p. 113.
[3] Rob Shimonski. "Hacking Techniques".
[4] Rob Lemos. "Passwords: the weakest link?".
[5] "Federal Information Processing Standards Publication 112".