Horizontal Password Guessing Attacks Part I

Monday, January 20, 2014

Vince Kornacki


If security is a heavy duty chain, what's the weakest link? I'll give you a hint, it might be scribbled on a little yellow sticky note stuck on your monitor or stashed under your keyboard! That's right, passwords are the culprit! Brute force password guessing attacks are a favorite technique of malicious attackers everywhere. Whether the target is an SSH server, a financial web application, or a webmail application, as you read this sentence an attacker somewhere is launching a brute force password guessing attack. And before you finish this blog post, that attacker has likely cracked a password or two.

So what's the solution? Account lockout is widely regarded as an effective deterrent to brute force password guessing attacks. After a certain number of unsuccessful login attempts within a certain amount of time, the target user account is locked out for a certain amount of time. For example, after three unsuccessful login attempts within one hour, the target user account might be locked out for 15 minutes. Account lockout accomplishes two important goals. First, account lockout throttles how quickly attackers can guess passwords. In this example an attacker can guess at most 12 passwords per hour against a given account: three guesses, a 15-minute lockout, four times an hour. A typical wordlist might contain thousands of potential passwords. Factor in substitution rules (for example substituting the "@" character for the "a" character) and suffix rules (for example appending a "1" to the password) and the number of required guesses could take a loooooooong time to process. Second, account lockout alerts administrators that an attack is currently under way. Savvy administrators could respond with countermeasures such as incrementing pauses between failed login attempts or even blocking the offending source IP address entirely.

So what's a shrewd attacker to do? As Olivia Newton-John once crooned, "there's nothing left to talk about unless it's horizontally!" Horizontal password guessing attacks eliminate both of the aforementioned nuisances and allow attackers to get the biggest bang for their buck. Instead of trying a long list of passwords against a single account (a vertical password guessing attack), a horizontal password guessing attack entails trying just a few common passwords against a long list of usernames. Account lockout is almost always enforced per username, not per source address, so keeping the number of attempts against any one username below the lockout threshold lets attackers sidestep lockout entirely, and since no account ever locks, the administrator's alarm never rings.
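To make the arithmetic from the two paragraphs above concrete, here is a small simulation written for this page (it is not code from the original post or from any product). It models a per-username lockout policy with the post's example numbers (three failures within an hour, 15-minute lockout), then runs a vertical campaign and a horizontal campaign against it and reports how many guesses were actually evaluated and how many lockout alerts fired. The target user list, the guess timing and the suffix rules are assumptions made up for the illustration, and the simulation assumes every guess is wrong and that the failure counter is cleared when a lockout fires.

```python
"""Per-username lockout versus vertical and horizontal guessing (added example).

Policy numbers are the post's example; users, timing and wordlists are constructed.
"""
from collections import defaultdict, deque

THRESHOLD = 3   # failures allowed...
WINDOW = 3600   # ...within this many seconds...
LOCKOUT = 900   # ...before the account is locked for this long


class LockoutPolicy:
    """Tracks failed logins per username and locks an account after THRESHOLD
    failures inside WINDOW seconds (assumption: counter cleared on lockout)."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW, lockout=LOCKOUT):
        self.threshold, self.window, self.lockout = threshold, window, lockout
        self.failures = defaultdict(deque)  # username -> recent failure timestamps
        self.locked_until = {}              # username -> time the lock expires
        self.lockouts = 0                   # lockout events: what an admin would be alerted on

    def failed_login(self, username, now):
        """Register one wrong guess at time `now`. Returns True if the guess was
        evaluated against the credential, False if the account was locked and
        the guess was rejected unseen."""
        if self.locked_until.get(username, 0) > now:
            return False
        recent = self.failures[username]
        recent.append(now)
        while recent and recent[0] <= now - self.window:   # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.threshold:
            self.locked_until[username] = now + self.lockout
            recent.clear()
            self.lockouts += 1
        return True


def vertical_attack(policy, username, wordlist, interval=60):
    """One account, the whole wordlist, one guess every `interval` seconds."""
    return sum(policy.failed_login(username, i * interval) for i, _ in enumerate(wordlist))


def horizontal_attack(policy, usernames, wordlist, per_hour=2):
    """Every account, a few passwords: `per_hour` guesses per account per hour,
    spread evenly across the hour (the post's 'two passwords each hour' schedule)."""
    evaluated = 0
    spacing = WINDOW // per_hour
    for idx, _pw in enumerate(wordlist):
        hour, slot = divmod(idx, per_hour)
        for i, user in enumerate(usernames):
            evaluated += policy.failed_login(user, hour * WINDOW + slot * spacing + i)
    return evaluated


TOP10 = ["password", "123456", "12345678", "abc123", "qwerty",
         "monkey", "letmein", "dragon", "111111", "baseball"]
USERS = [f"user{i:02d}" for i in range(50)]   # constructed target list


def compare():
    """Run both campaigns against fresh policies and summarise the outcome."""
    # Vertical: top 10 plus a few suffix rules, 60 candidates against one account, one a minute.
    candidates = TOP10 + [p + s for s in ("1", "!", "123", "2014", "01") for p in TOP10]
    v = LockoutPolicy()
    v_eval = vertical_attack(v, "user00", candidates)
    # Horizontal: the bare top 10 against all 50 accounts, two per account per hour.
    h = LockoutPolicy()
    h_eval = horizontal_attack(h, USERS, TOP10)
    return {
        "vertical_guesses": len(candidates), "vertical_evaluated": v_eval, "vertical_lockouts": v.lockouts,
        "horizontal_guesses": len(USERS) * len(TOP10), "horizontal_evaluated": h_eval, "horizontal_lockouts": h.lockouts,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Against the example policy, the vertical run gets exactly 12 of its 60 guesses evaluated in the hour and trips four lockouts along the way; the horizontal run gets all 500 guesses evaluated and never trips a single one, because no account ever sees a third failure inside the window.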

Let's step into the shoes of a malicious attacker and brainstorm a horizontal password guessing attack. Grab your Cheetos and Mountain Dew and let's get this party started. The first question is simple. What passwords should we guess? Every year SplashData compiles a list of the most common passwords identified as a result of security breaches. The 2012 list was compiled from security breaches at major sites including Yahoo, LinkedIn, and eHarmony. Here are the worst of the worst, the ten most common passwords in the wild:

1. password
2. 123456
3. 12345678
4. abc123
5. qwerty
6. monkey
7. letmein
8. dragon
9. 111111
10. baseball

That's our list of ten target passwords! In addition, to be even stealthier we can break this list into five groups, trying only two of the passwords against each account per hour. Two failures per account per hour stays one short of the three-failure threshold in our example policy, so this conservative timetable lets us fly under the radar and sidestep account lockout entirely. Like a ninja! Keep in mind that sidestepping per-account lockout is not the same as being invisible: every one of those failures still lands in the authentication log, and a defender who counts failures per source address across many different usernames, rather than per account, will spot the pattern. Well that's great for passwords, but what about usernames? We'll tackle this question in the next blog post! Stay tuned!
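Since per-username lockout is blind to this schedule by design, the check a defender actually wants is the one keyed on the source rather than the account. The following detection logic is an added example for this page, not code from the original post or from Symantec: it parses OpenSSH "Failed password" lines, counts distinct usernames per source address inside a sliding window, and flags any source that fails against several accounts, while also showing the per-username view a lockout policy would see. The log lines, hostnames, usernames and addresses are constructed for the illustration; the thresholds (five distinct accounts within one hour) are assumptions.

```python
"""Detect horizontal password guessing from sshd logs (added example).

Per-username lockout never fires when each account takes only a couple of
failures, so count failures per *source* across distinct usernames instead.
Sample log lines below are constructed; addresses are from TEST-NET ranges.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH failed-authentication line; "invalid user " appears when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(lines):
    """Yield (timestamp, username, source_ip) for every failed-password line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            # syslog timestamps carry no year; relative ordering is all we need here
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["user"], m["ip"]


def spray_sources(lines, min_users=5, window=timedelta(hours=1)):
    """Return {source_ip: sorted distinct usernames} for each source that failed
    against at least `min_users` different accounts within one `window`."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(lines):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:   # slide the window forward
                start += 1
            if len({u for _, u in events[start:end + 1]}) >= min_users:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged


def failures_per_user(lines):
    """The per-username view a lockout policy sees: failures per account."""
    counts = defaultdict(int)
    for _, user, _ in parse_failures(lines):
        counts[user] += 1
    return dict(counts)


# Constructed sample: 198.51.100.7 sprays two passwords across eight accounts half an
# hour apart (two failures per account, never three); 203.0.113.9 is a legitimate user
# mistyping a password twice and then logging in.
SAMPLE_LOG = """\
Jan 20 10:00:01 mail sshd[4101]: Failed password for alice from 198.51.100.7 port 50111 ssh2
Jan 20 10:00:03 mail sshd[4102]: Failed password for bob from 198.51.100.7 port 50112 ssh2
Jan 20 10:00:05 mail sshd[4103]: Failed password for carol from 198.51.100.7 port 50113 ssh2
Jan 20 10:00:07 mail sshd[4104]: Failed password for invalid user dave from 198.51.100.7 port 50114 ssh2
Jan 20 10:00:09 mail sshd[4105]: Failed password for erin from 198.51.100.7 port 50115 ssh2
Jan 20 10:00:11 mail sshd[4106]: Failed password for frank from 198.51.100.7 port 50116 ssh2
Jan 20 10:00:13 mail sshd[4107]: Failed password for grace from 198.51.100.7 port 50117 ssh2
Jan 20 10:00:15 mail sshd[4108]: Failed password for heidi from 198.51.100.7 port 50118 ssh2
Jan 20 10:12:40 mail sshd[4130]: Failed password for ivan from 203.0.113.9 port 39822 ssh2
Jan 20 10:12:46 mail sshd[4130]: Failed password for ivan from 203.0.113.9 port 39822 ssh2
Jan 20 10:12:55 mail sshd[4130]: Accepted password for ivan from 203.0.113.9 port 39822 ssh2
Jan 20 10:30:01 mail sshd[4201]: Failed password for alice from 198.51.100.7 port 50211 ssh2
Jan 20 10:30:03 mail sshd[4202]: Failed password for bob from 198.51.100.7 port 50212 ssh2
Jan 20 10:30:05 mail sshd[4203]: Failed password for carol from 198.51.100.7 port 50213 ssh2
Jan 20 10:30:07 mail sshd[4204]: Failed password for invalid user dave from 198.51.100.7 port 50214 ssh2
Jan 20 10:30:09 mail sshd[4205]: Failed password for erin from 198.51.100.7 port 50215 ssh2
Jan 20 10:30:11 mail sshd[4206]: Failed password for frank from 198.51.100.7 port 50216 ssh2
Jan 20 10:30:13 mail sshd[4207]: Failed password for grace from 198.51.100.7 port 50217 ssh2
Jan 20 10:30:15 mail sshd[4208]: Failed password for heidi from 198.51.100.7 port 50218 ssh2
""".splitlines()

if __name__ == "__main__":
    print("per-user failures:", failures_per_user(SAMPLE_LOG))
    print("spraying sources:", spray_sources(SAMPLE_LOG))
```

On the sample, no account ever takes more than two failures, so a three-strike lockout stays silent, yet the source-keyed count flags 198.51.100.7 against eight distinct accounts while leaving the clumsy but legitimate user alone. An attacker who rotates source addresses weakens this particular key; the same sliding-window count applied service-wide (distinct accounts failing per hour regardless of source) catches that variant at the cost of a noisier baseline.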

Cross Posted from the Symantec Cyber Readiness and Response Blog
