How it works?
When a web application has weak policies and weak authentication mechanisms, an attacker can use a tool called burp suite ( proxy interception tool ) to intercept the login request then it can be intruded by dictionary attacks.
Stopping these attacks from happening is actually more complicated than you think.
Here is a list of things to keep in mind for strong authentication mechanisms.
- Do not reveal too much information about the user such as error/success login attempts.
- Externalize the passwords ( Hashes with salts ) or ( store them in an encrypted file )
- Strong password policies ( Lockouts, aging, hashes with salts, strong passwords )
- Add a rule in your policies that disallows dictionary-based attacks.
- The previous password prevented ( after X attempts )
- Account lockout after the threshold reached
Demonstration Of The Attack
If you have any questions please comment below.