CAPEC-49: Password Brute Forcing
An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.
Last updated
Overview
A system will be particularly vulnerable to this type of an attack if it does not have a proper enforcement mechanism in place to ensure that passwords selected by users are strong passwords that comply with an adequate password policy. In practice a pure brute force attack on passwords is rarely used, unless the password is suspected to be weak. Other password cracking methods exist that are far more effective (e.g. dictionary attacks, rainbow tables, etc.). Knowing the password policy on the system can make a brute force attack more efficient. For instance, if the policy states that all passwords must be of a certain level, there is no need to check smaller candidates.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Determine application's/system's password policy] Determine the password policies of the target application/system.
- Determine minimum and maximum allowed password lengths.
- Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc.).
- Determine account lockout policy (a strict account lockout policy will prevent brute force attacks).
- Step 2Exploit
[Brute force password] Given the finite space of possible passwords dictated by the password policy determined in the previous step, try all possible passwords for a known user ID until application/system grants access.
- Manually or automatically enter all possible passwords through the application/system's interface. In most systems, start with the shortest and simplest possible passwords, because most users tend to select such passwords if allowed to do so.
- Perform an offline dictionary attack or a rainbow table attack against a known password hash.
What the attacker needs
Prerequisites
- An adversary needs to know a username to target.
- The system uses password based authentication as the one factor authentication mechanism.
- An application does not have a password throttling mechanism in place. A good password throttling mechanism will make it almost impossible computationally to brute force a password as it may either lock out the user after a certain number of incorrect attempts or introduce time out periods. Both of these would make a brute force attack impractical.
Skills required
- Low skill: A brute force attack is very straightforward. A variety of password cracking tools are widely available.
Resources required
- A powerful enough computer for the job with sufficient CPU, RAM and HD. Exact requirements will depend on the size of the brute force job and the time requirement for completion. Some brute forcing jobs may require grid or distributed computing (e.g. DES Challenge).
Consequences
What a successful CAPEC-49 attack can achieve.
Gain Privileges
Affects: Confidentiality, Access Control, Authorization
Read Data
Affects: Confidentiality
Modify Data
Affects: Integrity
How to mitigate it
Defenses that reduce the risk of CAPEC-49.
- Implement a password throttling mechanism. This mechanism should take into account both the IP address and the log in name of the user.
- Put together a strong password policy and make sure that all user created passwords comply with it. Alternatively automatically generate strong passwords for users.
- Passwords need to be recycled to prevent aging, that is every once in a while a new password must be chosen.
How to detect it
Indicators that this attack may be underway.
- Many incorrect login attempts are detected by the system.
Examples
A system does not enforce a strong password policy and the user picks a five letter password consisting of lower case English letters only. The system does not implement any password throttling mechanism. Assuming the adversary does not know the length of the users' password, an adversary can brute force this password in maximum 1+26+26^2+26^3+26^4+26^5 = 1 + 26 + 676 + 17576 + 456976 + 11,881,376 = 12,356,631 attempts, and half these tries (6,178,316) on average. Using modern hardware this attack is trivial. If the adversary were to assume that the user password could also contain upper case letters (and it was case sensitive) and/or numbers, than the number of trials would have been larger. An adversary's job would have most likely been even easier because many users who choose easy to brute force passwords like this are also likely to use a word that can be found in the dictionary. Since there are far fewer valid English words containing up to five letters than 12,356,631, an attack that tries each of the entries in the English dictionary would go even faster.
A weakness exists in the automatic password generation routine of Mailman prior to 2.1.5 that causes only about five million different passwords to be generated. This makes it easy to brute force the password for all users who decided to let Mailman automatically generate their passwords for them. Users who chose their own passwords during the sign up process would not have been affected (assuming that they chose strong passwords). See also: CVE-2004-1143
Terminology & mappings
Mapped taxonomies
- ATTACK: Brute Force:Password Guessing (1110.001)
Frequently asked questions
Common questions about CAPEC-49.
- What is CAPEC-49?
- An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.
- How does a Password Brute Forcing attack work?
- It typically unfolds over 2 phases. It begins with: [Determine application's/system's password policy] Determine the password policies of the target application/system.
- How do you prevent CAPEC-49?
- Implement a password throttling mechanism. This mechanism should take into account both the IP address and the log in name of the user.
- What weaknesses does CAPEC-49 target?
- CAPEC-49 exploits 8 CWE weaknesses, including CWE-257 (Storing Passwords in a Recoverable Format), CWE-262 (Not Using Password Aging), CWE-263 (Password Aging with Long Expiration), CWE-307 (Improper Restriction of Excessive Authentication Attempts).
- How severe is CAPEC-49?
- MITRE rates CAPEC-49 as High severity with medium likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-49
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.