T 5.18 Systematic trying-out of passwords

Passwords that are too simple can be discovered by systematic trial-and-error. A distinction should be made here between simply trying out all possible character combinations up to a certain length (known as a brute force attack) and trying out every entry in a list of character combinations (a dictionary attack). The two approaches can also be combined.

Most operating systems store user names and passwords in a file or database (e.g. the passwd or shadow file in Unix or the RACF database in z/OS). Many operating systems at least store the passwords in cryptographically protected form rather than as plain text. Even so, if the file is not adequately protected against unauthorised access, an attacker may be able to copy it and then subject the copy to a brute force attack with the help of a high-performance computer, without having to worry about the total access time.

The time it takes to discover a password in a brute force attack depends on the following:

The time it takes to check a password depends heavily on the corresponding system and its processing and transmission speeds. When attacked, the method and technology used by the attacker also play a role.

However, the length and character composition of the password can be influenced by organisational specifications or even by technical safeguards.
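The following sketch is an added illustration, not part of the original catalogue text. It estimates the worst-case time to discover a password from its length, its character composition and the speed at which candidates can be checked. The two check rates, the sample passwords and the word list are constructed assumptions, and all function names are hypothetical.

```python
import string

# ASCII character classes; a password's pool is the sum of the classes it draws on.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

# Assumed check rates (constructed for illustration, not measurements).
RATES = {
    "online login, 10 checks/s": 10,              # bounded by system and network speed
    "copied password file, 1e9 checks/s": 10**9,  # offline, no limit on total access time
}

def pool_size(password):
    """Number of characters in the classes this password actually uses."""
    return sum(len(cls) for cls in CLASSES
               if any(c in cls for c in password))

def keyspace_up_to(pool, length):
    """Candidates in a brute force search over all combinations of 1..length characters."""
    return sum(pool ** n for n in range(1, length + 1))

def worst_case_seconds(password, checks_per_second, wordlist=()):
    """Upper bound on discovery time; a dictionary entry costs at most the list size."""
    if password.lower() in {w.lower() for w in wordlist}:
        return len(wordlist) / checks_per_second
    pool = pool_size(password)
    return keyspace_up_to(pool, len(password)) / checks_per_second

def humanise(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 31_536_000), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

if __name__ == "__main__":
    wordlist = ["password", "summer", "qwerty"]                 # constructed sample list
    for pw in ["summer", "kdmxqz", "kD3!xq", "kD3!xq7Rw#pL"]:   # constructed samples
        for label, rate in RATES.items():
            secs = worst_case_seconds(pw, rate, wordlist)
            print(f"{pw!r:16} {label:36} {humanise(secs)}")
```

Comparing the rows for the same password under both rates shows why an unprotected password file matters: the search space is unchanged, but the time bound shrinks by the ratio of the two check rates.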

Example: