Best practices to prevent attackers who steal credentials via brute-force 和 dictionary attacks.
2023年中威胁报告“An attack in which cybercriminals utilize trial-和-error tactics to decode passwords, 个人识别号码(pin), 和 other forms of login data by leveraging automated software to test large quantities of possible combinations.”
“A type of brute force attack where an intruder attempts to crack a password-protected security system with a “dictionary list” of common words 和 phrases used by businesses 和 individuals.”
两者都很常见 网络安全攻击的类型 in which an attacker tries to log in to a user’s account by systematically checking 和 attempting all possible passwords 和 passphrases until the correct one is found. 这些暴力攻击和字典攻击很常见, due to large quantities of individuals reusing common password variations.
After all, the easiest way to attack a system is through the front door, 和 there must be 一些 登录方式. 如果你有证书, 你可以像普通用户一样登录, 可能不会生成可疑的日志条目, 脱扣IDS签名, 或者需要一个未修补的 脆弱性. If you have the credentials for the system administrator, life is even easier. Attackers have neither of these luxuries; here’s an overview of how they utilize brute-force 和 dictionary attacks to gain access.
攻击者缺乏正常登录所需的凭据, so they’ll frequently start their attack by looking for a target's email address or domain in password dumps from a compromised website. If the target reused their password on a website that was later compromised, 该密码可能仍然有效. 但 savvy users (和 hopefully sysadmins) will use unique passwords everywhere. So the attacker must now turn to one of two more direct attacks: dictionary attacks 和 brute-force attacks.
在字典攻击中, the attacker utilizes a wordlist in the hopes that the user’s password is a commonly used word (or a password seen in previous sites). Dictionary attacks are optimal for passwords that are based on a simple word (e.g. “牛仔”或“长角牛”). Wordlists aren’t restricted to 英语 words; they often also include common passwords (e.g. 'password '、'letmein '、'iloveyou '或'123456').但 modern systems restrict their users from such simple passwords, requiring users to come up with strong passwords that would hopefully not be found in a wordlist.
进行暴力攻击, an attacker may use a tool to attempt every combination of letters 和 数字, 期望最终能猜出密码. If the attacker knows that an organization requires special characters in their password, 可以指示该工具包含字母, 数字, 和符号. Every password, no matter how strong, is vulnerable to this attack. 然而, this method is going to take a while (years, if the password is long enough).
The length of time required to crack a short password (such as a four-digit PIN) might be under a minute. 将其扩展到6个字符可能需要一个小时. Extending that to eight characters, with both letters 和符号, might take days. Note that each new character exponentially increases the amount of time necessary for a brute-force attack to discover the password. 因此,一个强大而冗长的密码可能需要数周或数月的时间. 但, with enough computing power 和 a particularly dedicated attacker, 密码最终会被发现.
Using a strong, uncommon password will make an attacker's job more difficult, but not impossible. Luckily there are more preventative measures that end users 和 system admin can take to prevent (or detect) these attack attempts:
减慢重复登录: 这是最简单的对策. 最终用户不太可能注意到0.登录时延迟1秒, 但对于攻击者来说,这种延迟会很快累积起来, 特别是如果他们不能并行尝试的话.
多次登录失败后强制验证码: While a user could have simply forgotten which password they used for the account, 这将有助于显著降低攻击者的速度. 这是一个伟大的 威慑 method as for modern captchas are difficult to defeat with computers. 许多验证码需要人工输入才能解决.
锁定账户: 甚至更好的, a system can be configured to lock an account after a specified number of attempted logins. Many websites will trigger additional protections for accounts with repeated bad password attempts. In the extreme case, for example, an i电话 will self-destruct (wipe all data) after 10 tries.
更新密码: Modern systems typically require users to cycle passwords regularly. Some corporate environments require users to change passwords every 90 days, 或者甚至每30天一次. The rationale behind this is that an attacker who is attempting a brute-force attack against a complex password would need weeks to succeed.
If the password changes during that time frame, the attacker will need to start over. 然而, 正如许多用户承认的那样, 这些严格的密码要求可能会适得其反, 用户选择更弱的, 顺序密码('longhorns2018,“longhorns2019,等等). 攻击者会很快尝试增加密码.
监测异常情况: 最后, a security-conscious organization should be monitoring user accounts for anomalies, 例如从无法识别的位置或设备登录, 或多次登录失败. 一个工作人员 安全运营中心(SOC) can detect these events in real time 和 quickly respond by locking down an account, 阻断IP地址, 联系用户, 寻找这个特定攻击者的进一步活动.
反对简单系统, 字典攻击和暴力攻击很容易, 前门有保证的通道. 在更复杂的环境中, these attacks are only useful when attempts can blend into normal activity or target an offline password database to crack password hashes. 仍然, these techniques are excellent additions to any security professional's tool belt, 和 they emphasize the importance of regularly updating strong passwords for end users.