Broken Authentication: Bruteforcing Passwords

How does it work?

When a web application has weak password policies and weak authentication mechanisms, an attacker can use a tool such as Burp Suite (a proxy interception tool) to intercept the login request and then replay it with a dictionary attack, trying a wordlist of candidate passwords against the login form.


Document:

https://1drv.ms/w/s!Ao7F-KRHEeYLhVOhfYVeezr8L6GO

Mitigations

Stopping these attacks from happening is actually more complicated than you might think.

Here is a list of things to keep in mind for strong authentication mechanisms.

  • Do not reveal too much information about the user, for example by returning different messages for failed and successful login attempts (use one generic error).
  • Store passwords externally as salted hashes (or in an encrypted store), never in plaintext.
  • Enforce strong password policies (lockouts, password aging, salted hashes, strong passwords).
  • Throttle or rate-limit repeated login attempts so that dictionary-based attacks become impractical.
  • Prevent reuse of previous passwords (password history, enforced for X changes).
  • Lock the account once the failed-attempt threshold is reached.
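The following is an added example (not code from the original post) that puts the list above into one small login service: salted scrypt hashing, constant-time verification, a single generic error message for every failure, an account lockout after a threshold of failed attempts, a basic password policy, and a password-history check on password change. The user store, the common-password list, the threshold values and the `now` parameter are all constructed for the example; a real service would keep users in a database and also rate-limit by client address.

```python
import hashlib
import hmac
import os
import time

# Hypothetical in-memory user store (a real service would use a database).
USERS = {}

MAX_ATTEMPTS = 5          # failed attempts before lockout (constructed value)
LOCKOUT_SECONDS = 900     # how long the account stays locked
PASSWORD_HISTORY = 5      # number of old hashes that may not be reused
MIN_LENGTH = 12
# Constructed sample of a "common passwords" deny list.
COMMON_PASSWORDS = {"password", "password123", "qwerty123456", "letmein12345"}
# One message for every failure so the response does not reveal whether the
# user exists, whether the password was close, or whether the account is locked.
GENERIC_ERROR = "Invalid username or password."
DUMMY_SALT = b"\x00" * 16  # used to spend the same time on unknown users


def hash_password(password, salt=None):
    """Salted scrypt hash using only the standard library. Returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the hash and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def check_policy(password):
    """Return an error string if the password violates the policy, else None."""
    if len(password) < MIN_LENGTH:
        return "Password must be at least %d characters." % MIN_LENGTH
    if password.lower() in COMMON_PASSWORDS:
        return "Password is too common."
    return None


def register(username, password):
    error = check_policy(password)
    if error:
        raise ValueError(error)
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "digest": digest, "history": [],
                       "failures": 0, "locked_until": 0.0}


def login(username, password, now=None):
    """Return (success, message). 'now' is injectable so lockout can be tested."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        hash_password(password, DUMMY_SALT)  # same cost as a real check
        return False, GENERIC_ERROR
    if now < user["locked_until"]:
        return False, GENERIC_ERROR         # locked: reject even a correct password
    if verify_password(password, user["salt"], user["digest"]):
        user["failures"] = 0
        return True, "ok"
    user["failures"] += 1
    if user["failures"] >= MAX_ATTEMPTS:
        user["locked_until"] = now + LOCKOUT_SECONDS
        user["failures"] = 0
    return False, GENERIC_ERROR


def change_password(username, old_password, new_password):
    """Require the old password, apply the policy, and refuse recently used passwords."""
    user = USERS[username]
    if not verify_password(old_password, user["salt"], user["digest"]):
        return False, GENERIC_ERROR
    error = check_policy(new_password)
    if error:
        return False, error
    for salt, digest in [(user["salt"], user["digest"])] + user["history"]:
        if verify_password(new_password, salt, digest):
            return False, "Password was used recently."
    user["history"] = ([(user["salt"], user["digest"])] + user["history"])[:PASSWORD_HISTORY]
    user["salt"], user["digest"] = hash_password(new_password)
    return True, "ok"


if __name__ == "__main__":
    register("alice", "correct-horse-battery-staple")
    print(login("alice", "correct-horse-battery-staple"))   # (True, 'ok')
    for _ in range(MAX_ATTEMPTS):
        print(login("alice", "guess-from-wordlist"))         # generic error each time
    print(login("alice", "correct-horse-battery-staple"))   # still generic: locked out
```

Note that the lockout here is per account and is deliberately invisible in the response; pair it with per-source rate limiting and logging of the failed attempts so that the security team can detect a dictionary attack while the user's account stays protected.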

Demonstration Of The Attack

If you have any questions please comment below.