Identifying Types of Attacks
Also note that because there are dictionary files for different languages you
should not use words found in any dictionary. This means avoiding not only
English words, but also French, German, Hebrew . . . even Klingon!
A second type of password attack is known as a hybrid password attack. A
hybrid password attack is like a dictionary attack in the sense that it uses a
dictionary file, but it also tries variations of each word by placing numbers
on the end of the word and sometimes replacing popular characters. For example,
after the hybrid attack program tries all the passwords in the dictionary file,
it may then try them again, replacing every letter a with @ in the words.
Hackers can also perform a brute force attack. With a brute force attack,
instead of trying to use words from a dictionary file, the hacker uses a
program that tries to figure out your password by mathematically calculating
all potential passwords with a certain length and set of characters. Figure 1-1
shows a popular password-cracking tool known as LC4. Tools like this are great
for network administrators to audit how strong their users’ passwords are.
Figure 1-1: Cracking passwords with LC4.
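The three attack styles above describe exactly what a defender's password policy has to anticipate. The following check is an added example (not code from the book or from LC4): it normalises a candidate the way a hybrid attack would (strip trailing digits and symbols, undo popular swaps like @ for a), looks the result up in a word list, and computes the brute-force keyspace implied by the password's length and character set. The word list, the swap table, the 12-character minimum and the 2^60 keyspace threshold are all assumptions chosen for the example.

```python
"""Defender-side password policy check for the dictionary, hybrid and
brute-force attacks described in the text. Added example, not the book's code."""
import string

# Constructed, tiny stand-in for real multi-language word lists (a deployment
# would load one file per language, as the text advises: English, French, ...).
WORDLIST = {"password", "welcome", "bonjour", "schnell", "qapla"}

# Popular character swaps a hybrid attack tries; we undo them before lookup.
# Assumed table for the example.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

# Character classes a brute-force program has to enumerate, with their sizes.
CHARACTER_CLASSES = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
                     (string.digits, 10), (string.punctuation, 32)]


def base_words(candidate: str) -> set[str]:
    """Return the dictionary words a hybrid attack would recover this password from.

    Both orders (strip suffix then undo swaps, and the reverse) are tried, so
    'hell0' yields both 'hell' and 'hello' and 'P@ssw0rd123!' yields 'password'.
    """
    word = candidate.lower()
    strip = lambda w: w.rstrip(string.digits + string.punctuation)
    return {strip(word).translate(LEET_MAP), strip(word.translate(LEET_MAP))}


def charset_size(candidate: str) -> int:
    """Size of the union of character classes the password actually uses."""
    return sum(n for chars, n in CHARACTER_CLASSES if any(c in chars for c in candidate))


def brute_force_keyspace(candidate: str) -> int:
    """Number of strings a brute-force run must try: charset ** length."""
    return charset_size(candidate) ** len(candidate)


def check_password(candidate: str, min_length: int = 12,
                   min_keyspace: int = 2 ** 60) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if candidate.lower() in WORDLIST:
        problems.append("dictionary word")
    elif base_words(candidate) & WORDLIST:
        problems.append("hybrid variation of a dictionary word")
    if brute_force_keyspace(candidate) < min_keyspace:
        problems.append("brute-force keyspace too small")
    return problems


if __name__ == "__main__":
    for pw in ("password", "P@ssw0rd1", "correct-horse-battery-staple-7Q"):
        print(pw, "->", check_password(pw) or "ok")
```

Note that the keyspace figure assumes the attacker has no better strategy than exhaustive enumeration; the dictionary and hybrid checks exist precisely because real attackers try the cheap strategies first.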
To protect against dictionary attacks, we use strong passwords, but to
protect against a brute force password attack, we must implement an
account lockout policy, where after three bad logon attempts, the account is
locked and cannot be used.
If you have configured an account lockout policy to protect your account
database, understand that it only works if the hacker is connected to your
network and attempting to hack into live systems (known as an online
attack). If the hacker can get a copy of your account database, or of the hashed
passwords in a configuration file, and take that away with him (known as an
offline attack), then there is no protection against the brute force attack.
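The lockout policy from the two paragraphs above, as an added example that is not the book's code: after three bad logon attempts the account refuses further logons, even with the correct password, until an assumed 15-minute window has passed. The logon time is passed in explicitly so the behaviour is deterministic, and the credential store is a constructed plaintext dictionary for the demonstration only. Everything here runs on the live system, which is the point the text makes: an attacker working offline against a stolen copy of the hashes never goes through this code.

```python
"""Account lockout policy tracker for online logon attempts.
Added example for this section; threshold and window are assumptions."""
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 3        # bad attempts before lockout, as in the text
LOCKOUT_SECONDS = 15 * 60    # assumed lockout window


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


class LockoutPolicy:
    def __init__(self, verify_password):
        # verify_password(user, password) -> bool is supplied by the caller.
        self._verify = verify_password
        self._accounts: dict[str, AccountState] = {}

    def attempt_logon(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'bad_password' or 'locked' for one logon attempt at time `now`."""
        state = self._accounts.setdefault(user, AccountState())
        if now < state.locked_until:
            return "locked"  # refuse before touching the password at all
        if state.locked_until:
            # Window has expired: clear the lock and start counting again.
            state.failed_attempts = 0
            state.locked_until = 0.0
        if self._verify(user, password):
            state.failed_attempts = 0
            return "ok"
        state.failed_attempts += 1
        if state.failed_attempts >= LOCKOUT_THRESHOLD:
            state.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "bad_password"


# Constructed credential store for the demonstration; a real store holds salted hashes.
DEMO_USERS = {"alice": "correct-horse-battery-staple"}


def demo_verify(user: str, password: str) -> bool:
    return DEMO_USERS.get(user) == password


def simulate_online_guessing(guesses: list[str], start: float = 0.0) -> list[str]:
    """Feed one guess per second against 'alice' and return the outcome of each."""
    policy = LockoutPolicy(demo_verify)
    return [policy.attempt_logon("alice", g, start + i) for i, g in enumerate(guesses)]


if __name__ == "__main__":
    # The fourth guess is the real password, yet it is refused: the account is locked.
    print(simulate_online_guessing(["a", "b", "c", "correct-horse-battery-staple"]))
```

One practical caveat: because anyone who can reach the logon interface can trigger the lock, a lockout policy lets an attacker deny service to legitimate users by deliberately guessing wrong, so deployments usually pair a short lockout window with alerting on repeated lockouts rather than locking indefinitely.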