CAPEC-49: Password Brute Forcing

Description
An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.
Extended Description

A system will be particularly vulnerable to this type of an attack if it does not have a proper enforcement mechanism in place to ensure that passwords selected by users are strong passwords that comply with an adequate password policy. In practice a pure brute force attack on passwords is rarely used, unless the password is suspected to be weak. Other password cracking methods exist that are far more effective (e.g. dictionary attacks, rainbow tables, etc.). Knowing the password policy on the system can make a brute force attack more efficient. For instance, if the policy states that all passwords must be of a certain level, there is no need to check smaller candidates.

Severity :

High

Possibility :

Medium

Type :

Standard
Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-16: Dictionary-based Password Attack Dictionary-based Password Attack CAPEC-55: Rainbow Table Password Cracking Rainbow Table Password Cracking CAPEC-70: Try Common or Default Usernames and Passwords Try Common or Default Usernames and Passwords CAPEC-112: Brute Force Brute Force CAPEC-151: Identity Spoofing Identity Spoofing CAPEC-560: Use of Known Domain Credentials Use of Known Domain Credentials CAPEC-561: Windows Admin Shares with Stolen Credentials Windows Admin Shares with Stolen Credentials CAPEC-565: Password Spraying Password Spraying CAPEC-600: Credential Stuffing Credential Stuffing CAPEC-653: Use of Known Operating System Credentials Use of Known Operating System Credentials
Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • An adversary needs to know a username to target.
  • The system uses password based authentication as the one factor authentication mechanism.
  • An application does not have a password throttling mechanism in place. A good password throttling mechanism will make it almost impossible computationally to brute force a password as it may either lock out the user after a certain number of incorrect attempts or introduce time out periods. Both of these would make a brute force attack impractical.
Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • Low A brute force attack is very straightforward. A variety of password cracking tools are widely available.
Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

ATTACK | Brute Force:Password Guessing
Resources required

A powerful enough computer for the job with sufficient CPU, RAM and HD. Exact requirements will depend on the size of the brute force job and the time requirement for completion. Some brute forcing jobs may require grid or distributed computing (e.g. DES Challenge).

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-257: Storing Passwords in a Recoverable Format

CWE-262: Not Using Password Aging

CWE-263: Password Aging with Long Expiration

CWE-307: Improper Restriction of Excessive Authentication Attempts

CWE-308: Use of Single-factor Authentication

CWE-309: Use of Password System for Primary Authentication

CWE-521: Weak Password Requirements

CWE-654: Reliance on a Single Factor in a Security Decision

Visit http://capec.mitre.org/ for more details.