Name: Dictionary-based Password Attack
Summary: An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.
Prerequisites: The system uses single-factor, password-based authentication. The system does not have a sound password policy that it enforces. The system does not implement an effective password-throttling mechanism.
Solutions: Create a strong password policy and ensure that the system enforces it. Implement an intelligent password-throttling mechanism. Take care that these mechanisms do not excessively enable account-lockout attacks such as CAPEC-02.
Related Weaknesses:
CWE ID    Description
CWE-262   Not Using Password Aging
CWE-263   Password Aging with Long Expiration
CWE-521   Weak Password Requirements
CWE-693   Protection Mechanism Failure
