|Name ||Dictionary-based Password Attack |
|Summary ||An attacker tries each of the words in a dictionary as the password to gain access to the system via some user's account. If the password chosen by the user is a word within the dictionary, this attack will succeed (in the absence of other mitigations). This is a specific instance of the password brute-forcing attack pattern. |
|Prerequisites ||The system uses one-factor, password-based authentication.
The system does not have a sound password policy that is actually enforced.
The system does not implement an effective password throttling mechanism. |
|Solutions ||Create a strong password policy and ensure that your system enforces it.
Implement an intelligent password throttling mechanism. Care must be taken to ensure that these mechanisms do not excessively enable account lockout attacks such as CAPEC-02. |
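The two solutions above, as an added example that is not part of the CAPEC entry: a policy check that rejects dictionary words at password-set time, and a throttle that imposes a capped exponential delay keyed by both account and source address. Keying on the source means a guesser working one account from their own address does not delay the legitimate user elsewhere, and capping the delay instead of locking the account is what keeps the throttle from becoming the lockout primitive the entry warns about. The wordlist, account names and addresses are constructed placeholders; a real deployment would load a breached-password list and tune the delays.

```python
from collections import defaultdict

# Constructed stand-in for a real dictionary / breached-password wordlist.
DICTIONARY = {"password", "123456", "letmein", "qwerty", "welcome", "administrator"}


def password_policy_ok(password: str, dictionary=DICTIONARY, min_len: int = 12) -> bool:
    """Policy check applied when a password is set: enforce a minimum length and
    reject any password that is itself a dictionary word (case-insensitive),
    since those are exactly the values a dictionary attack will try."""
    if len(password) < min_len:
        return False
    return password.lower() not in dictionary


class BackoffThrottle:
    """Password throttling keyed by (account, source) with a capped exponential delay.

    The first `free_attempts` failures cost nothing (typos happen); after that the
    delay doubles per failure up to `max_delay`. The account is never locked, so an
    attacker cannot use the throttle to deny service to the real user."""

    def __init__(self, free_attempts: int = 3, base_delay: float = 1.0, max_delay: float = 300.0):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.failures = defaultdict(int)        # (account, source) -> consecutive failures
        self.next_allowed = defaultdict(float)  # (account, source) -> earliest next attempt

    def allowed(self, account: str, source: str, now: float) -> bool:
        """True if an authentication attempt may be processed at time `now`."""
        return now >= self.next_allowed[(account, source)]

    def record(self, account: str, source: str, success: bool, now: float) -> float:
        """Record an attempt's outcome; returns the delay imposed (0.0 on success)."""
        key = (account, source)
        if success:
            # A correct password clears the counter for this account/source pair.
            self.failures.pop(key, None)
            self.next_allowed.pop(key, None)
            return 0.0
        self.failures[key] += 1
        excess = self.failures[key] - self.free_attempts
        if excess <= 0:
            return 0.0
        delay = min(self.base_delay * 2 ** (excess - 1), self.max_delay)
        self.next_allowed[key] = now + delay
        return delay


def guesses_permitted(throttle: BackoffThrottle, account: str, source: str, window: float) -> int:
    """Defender-side sizing helper: simulate a guesser that retries the instant it is
    allowed and count how many attempts fit into `window` seconds from one source.
    Constructed clock: time only advances when the throttle imposes a delay."""
    t, count = 0.0, 0
    while t < window:
        throttle.record(account, source, success=False, now=t)
        count += 1
        t = max(t, throttle.next_allowed[(account, source)])
    return count


if __name__ == "__main__":
    print(password_policy_ok("correct horse battery staple"))  # True
    print(password_policy_ok("Administrator"))                  # False: dictionary word
    # With the defaults, one source gets only a few dozen guesses per hour.
    print(guesses_permitted(BackoffThrottle(), "bob", "198.51.100.7", 3600.0))
```

With the default settings a single source is held to 23 guesses in the first hour, against hundreds of thousands for an unthrottled endpoint; a guesser spread across many sources still meets the per-account policy check, which is why the entry lists both controls rather than either one alone.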
|CWE ID ||Description |
|CWE-262 ||Not Using Password Aging |
|CWE-263 ||Password Aging with Long Expiration |
|CWE-521 ||Weak Password Requirements |
|CWE-693 ||Protection Mechanism Failure |