
CertiGuide to Security+
Chapter 1: General Security Concepts (Domain 1.0; 30%)
1.4 Attacks
1.4.11 Password Guessing

Dictionary

In the *nix world today, dictionary cracking is the most common form of password attack. The FAQ of this work states that this is not a treasure map for people who want to do damage; we have included the footnote to John the Ripper[88] because its download site appears right at the top of a Google search, so we are not giving anything away here. John the Ripper runs on both DOS and UNIX-based systems, and a CD containing wordlists for 20 different languages can be ordered for a mere $15 USD, airmailed to any address in the world. A popular non-free (after a 15-day trial) package for auditing Windows NT and 2000 passwords for susceptibility to dictionary attacks is LC4 (also known as L0phtCrack 4), from @stake.[89]

By trying a large list of common words, ordered from most to least popular, a dictionary attack can be quite effective. Do not assume you are safe from dictionary attacks because you tacked a # or a 4 onto the end of your password: dictionary attacks are not limited to words exactly as they appear in the dictionary. Cracking programs routinely prepend and append digits and special characters to each word, try case variations, and make common numeric/symbol substitutions for letters, such as 0 for o and ! or 1 for i or l, when generating candidate passwords.

Dictionary Attack

A dictionary attack is a form of brute force password guessing in which common words from a word list (the "dictionary") are used to generate many thousands of candidate passwords, each of which is compared with the real password in some way. If a comparison comes back valid, the attacker knows that the candidate just tried is the user's password.

Both dictionary and brute force password-guessing attacks can be carried out in one of two ways, one much harder to detect than the other:

  • Hashing (or, on older systems, encrypting) each trial password and comparing the result with a copy of the stored password hash that the attacker has already obtained (an offline attack)

  • Using some system facility (such as a telnet logon) to submit each trial password for verification, and letting the system's response reveal whether the correct password has been found (an online attack)

The first is typically the greater threat, since it can be carried out without triggering any system alarms and thus go undetected until the intruder uses one of the cracked passwords. It does, however, require that the attacker obtain the stored password hashes: on Windows, a tool such as LC4 can dump them from the SAM given administrative access, and on UNIX systems that are not configured to use shadow passwords they sit in the world-readable /etc/passwd file. Fortunately, this approach does not work everywhere.

The second method is still a threat, but systems can normally be configured to lock out an account after a certain number of invalid password attempts, which limits how many guesses an attacker gets. Note that a lockout policy also hands an attacker an easy way to deny service to legitimate users by deliberately entering wrong passwords for their accounts, so the threshold and lockout duration need to be chosen with that in mind.
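The following Python program is an added example, not code from the CertiGuide text, John the Ripper or LC4. It ties together the two points above: the mangling rules (case changes, 0-for-o and !-for-i/l substitutions, prepended and appended characters) applied to each word of a popularity-ordered wordlist, and the offline comparison of each candidate's hash with a stolen hash, which never touches the target system and so leaves nothing in its logs. The wordlist, the sample "stolen" records and the salted SHA-256 hash scheme are all constructed for the demonstration; a real target would store crypt(3) or NTLM hashes, and real rule sets are far larger.

```python
"""Added example: an offline dictionary attack with simple mangling rules,
run against constructed sample hashes. Not from the CertiGuide text."""
import hashlib
import itertools
from typing import Iterator, Optional

# Constructed sample wordlist, most popular words first. A real attack would
# use a file such as John the Ripper's password.lst or a per-language list.
WORDLIST = ["password", "letmein", "dragon", "monkey", "summer", "welcome"]

# The substitutions the text mentions: 0 for o, ! for i or l.
LEET = {"o": "0", "i": "!", "l": "!"}

# Characters commonly tacked on to the front or back of a dictionary word.
PREFIXES = ["", "!", "1"]
SUFFIXES = ["", "1", "123", "#", "!", "2004"]


def leet(word: str) -> str:
    """Apply every substitution in LEET at once (real tools also try subsets)."""
    return "".join(LEET.get(c, c) for c in word)


def mangle(word: str) -> Iterator[str]:
    """Yield candidate passwords derived from one dictionary word: case
    variants, leet-speak variants, and each of those with prefixes/suffixes."""
    bases = [word.lower(), word.capitalize(), word.upper()]
    bases += [leet(b) for b in bases]
    for base in dict.fromkeys(bases):  # de-duplicate while keeping order
        for pre, suf in itertools.product(PREFIXES, SUFFIXES):
            yield pre + base + suf


def hash_password(password: str, salt: str) -> str:
    """Stand-in for the system's stored-password hash (salted SHA-256 here;
    an assumption for the demo, not any real system's scheme)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def crack(stored_hash: str, salt: str, wordlist=WORDLIST) -> Optional[str]:
    """Offline attack: hash each candidate locally and compare with the stolen
    hash. The target system never sees a login attempt, so nothing is logged."""
    for word in wordlist:
        for candidate in mangle(word):
            if hash_password(candidate, salt) == stored_hash:
                return candidate
    return None


# Constructed "stolen" records (user, salt, hash), as an attacker might have
# copied from an unshadowed /etc/passwd or dumped from a SAM.
SAMPLE_RECORDS = [
    ("alice", "x7", hash_password("Summer2004", "x7")),
    ("bob", "q9", hash_password("!m0nkey#", "q9")),
    ("carol", "k3", hash_password("correct horse battery", "k3")),
]


def audit(records=SAMPLE_RECORDS) -> dict:
    """Return {user: cracked password, or None if no candidate matched}."""
    return {user: crack(h, salt) for user, salt, h in records}


if __name__ == "__main__":
    for user, result in audit().items():
        print(f"{user}: {result if result else 'not cracked'}")
```

Two of the three sample accounts fall to a six-word list with a handful of rules, while the passphrase survives because no rule derives it from a single word. Swapping the wordlist for a full dictionary and the rule lists for a tool's real rule set only increases the candidate count; the comparison loop is the same.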

Be aware that, depending on what applications are in use on your system, it may be possible for an attacker to validate guesses without any incorrect attempts being logged, and thus without anyone being alerted to the attack. How? Some network-based and web-based applications request a user ID and password of their own.

In some cases this information is validated against the OS user and password data using OS validation functions, but, unlike the OS logon program, the application does not write entries to the system logs when it encounters invalid user/password combinations, nor does it lock the user out after a certain number of unsuccessful tries. This is yet another example of how additional services and applications installed on a system can increase its exposure.

Benchmark and Improve Your User Community’s Password Quality

This is one of those exercises we hesitated to recommend, but ultimately had to come down on the side of "ignorance is not bliss": avoiding this information yourself will not prevent a cracker from obtaining it, and it is better for you to know in advance what information he or she could obtain.

If you are authorized (and we mean officially: ideally obtain your manager's signature on a piece of paper stating what you are about to do) and feel personally comfortable with the activity, download one of the password cracker programs that runs on your system of choice. If it allows you to target only a segment of your full password file, limit your initial test to a couple dozen entries to reduce the running time. Then start it up. If you have never run one on your system before, and your users are about par for the course, expect it to report a few cracked passwords. You can then use this information to discover which users need more education about password choices, or perhaps to justify installing an enhanced password validation program on the system. Rather than catching simplistic passwords after the fact, some operating systems and third-party products check a new password's vulnerability to dictionary and brute force attacks at the moment the user enters it, and tell the user to select another if it is not strong enough.
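The check below is an added example, not the page's own code nor any particular product's, of the proactive approach the paragraph ends on. Instead of generating every mangled form of every word (the cracker's job), it works backwards from the candidate: it strips leading and trailing digits and symbols, undoes the common letter substitutions, lower-cases the result, and rejects the password if the underlying word (or that word with one letter added at either end, catching plurals) is in the dictionary. The dictionary, the minimum length, the substitution table and the ambiguity cap are assumptions made for the demonstration.

```python
"""Added example: a proactive password check that rejects candidates built
from a dictionary word plus common mangling. Not from the CertiGuide text."""
import itertools
import string

# Constructed dictionary; a deployment would load a large wordlist.
DICTIONARY = {"password", "letmein", "dragon", "monkey", "summer", "welcome"}
MIN_LENGTH = 8  # assumed policy value

# Reverse of the substitutions crackers try. Ambiguous symbols map to every
# letter they might stand for, so "!" and "1" are tried as both i and l.
UNLEET = {"0": "o", "@": "a", "$": "s", "3": "e", "!": "il", "1": "il", "|": "il"}
MAX_AMBIGUOUS = 10  # cap the 2^n expansion for long runs of symbols


def demangle(candidate: str) -> set:
    """Strip leading/trailing digits, punctuation and spaces, undo leet
    substitutions and lower-case; return every plausible underlying word."""
    core = candidate.strip(string.digits + string.punctuation + " ").lower()
    choices = [UNLEET.get(c, c) for c in core]
    if sum(len(alt) > 1 for alt in choices) > MAX_AMBIGUOUS:
        choices = [alt[0] for alt in choices]  # too many combinations: pick one
    return {"".join(combo) for combo in itertools.product(*choices)}


def check_password(candidate: str, dictionary=DICTIONARY):
    """Return None if the password is acceptable, else the reason it fails."""
    if len(candidate) < MIN_LENGTH:
        return "too short"
    variants = demangle(candidate)
    if variants == {""}:
        return "only digits and punctuation"
    for v in variants:
        # The word itself, or the word with one extra letter at either end
        # (e.g. "passwords"), counts as dictionary-based.
        for stem in (v, v[:-1], v[1:]):
            if stem in dictionary:
                return f"based on the dictionary word '{stem}'"
    return None


if __name__ == "__main__":
    for pw in ["Summer2004", "!m0nkey#", "passw0rd", "Passwords1",
               "1337!!!!", "short", "correct horse battery"]:
        verdict = check_password(pw)
        print(f"{pw!r}: {'accepted' if verdict is None else 'rejected, ' + verdict}")
```

The same passwords that the cracker example recovers are refused here before they ever reach the password file, while the multi-word passphrase passes. Because the check only has to invert the rules rather than enumerate them, it runs in milliseconds per candidate and can sit in the password-change path without noticeable delay.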







CertiGuide for Security+
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al. Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.