[OWASP_PHPSEC] Dictionary Attack ?

rahul chaudhary rahul300chaudhary400 at gmail.com
Sat Jun 1 05:59:01 UTC 2013


what you said is what I have in mind....and what you said is currently what
I am working on....but I am not able to understand this...currently the
jFramework has functions that can detect all kinds of pattern except the
English words....

it cannot detect anything wrong if the password is "abridge" ...however a
dictionary attack can crack this very easily...

as you said I did black-box testing on Facebook passwords..They seem to
store a list of all dictionary words...and they cross-check the
password....if that password is present, they do not allow that password to
be kept...

I was asking should we also have some mechanism...


On Sat, Jun 1, 2013 at 1:52 AM, Abbas Naderi <abiusx at owasp.org> wrote:

> Well, it's not easy to detect that. Maybe the password is something that
> exists in common rainbow tables instead of dictionaries? We should thwart
> those too…
> We should fight the issue objectively, not subjectively. We are not gonna
> let it get ill, then try to fix it. We shall vaccinate it (by complexity
> and entropy and strength).
> -Abbas
> On 11 Khordad 1392, at 10:09, rahul chaudhary <
> rahul300chaudhary400 at gmail.com> wrote:
>
> no no...what I was asking is that if user enters some password that is
> found in dictionary, then to thwart that....like if I keep password
> "abridge" or "denounce" or "queen" or "rats"...something like this...
>
>
> On Sat, Jun 1, 2013 at 1:23 AM, Abbas Naderi <abiusx at owasp.org> wrote:
>
>> Yes,
>> more entropy and using more character sets in the password. That's why we
>> count them towards strength!
>> -A
>> On 11 Khordad 1392, at 7:43, rahul chaudhary <
>> rahul300chaudhary400 at gmail.com> wrote:
>>
>> > Hi...I am still searching for this, but I thought it would be faster if
>> I ask it here.
>> >
>> > Do you know any way to stop dictionary attacks. We can keep a list of
>> dictionary words and see if user-supplied password matches any of them. But
>> other than this, do you suggest anything?
>> >
>> > --
>> > Regards,
>> > Rahul Chaudhary
>> > Ph - 412-519-9634
>> > _______________________________________________
>> > OWASP_PHP_Security_Project mailing list
>> > OWASP_PHP_Security_Project at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
>>
>>
>
>
> --
> Regards,
> Rahul Chaudhary
> Ph - 412-519-9634
>
>
>


-- 
Regards,
Rahul Chaudhary
Ph - 412-519-9634
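The mechanism discussed in this thread, a registration-time check that rejects a password which is, or trivially reduces to, a dictionary word, written out as an added example. This is not jFramework code and not what Facebook runs; the class name, the tiny word list and the sample passwords are constructed for illustration. It goes slightly beyond the plain list lookup Rahul describes by also trying the forms a rule-based cracker tries first (lowercased, leading/trailing digits and symbols stripped, common leet substitutions undone), since "Queen1" or "r@ts!" offer no real protection over "queen" or "rats":

```php
<?php
// Added example (not jFramework or Facebook code): reject passwords that are,
// or trivially derive from, dictionary words. The word list and sample
// passwords below are constructed; a real deployment loads a full list.

declare(strict_types=1);

final class DictionaryPasswordCheck
{
    /** @var array<string, true>  word => true, for O(1) membership tests */
    private array $words = [];

    /** @param iterable<string> $words */
    public function __construct(iterable $words)
    {
        foreach ($words as $w) {
            $this->words[strtolower(trim($w))] = true;
        }
    }

    /**
     * The candidate forms a cracker's rule set would try first:
     * the lowercased password, the same with leading/trailing digits and
     * symbols removed, and that with common leet substitutions undone.
     *
     * @return string[]
     */
    public static function candidates(string $password): array
    {
        $lower    = strtolower($password);
        $stripped = preg_replace('/^[\d\W_]+|[\d\W_]+$/', '', $lower) ?? '';
        $unleet   = strtr($stripped, [
            '0' => 'o', '1' => 'i', '3' => 'e', '4' => 'a',
            '5' => 's', '7' => 't', '@' => 'a', '$' => 's',
        ]);
        // Drop empty strings (e.g. an all-digit password) and duplicates.
        return array_values(array_unique(array_filter(
            [$lower, $stripped, $unleet],
            static fn (string $s): bool => $s !== ''
        )));
    }

    /** The dictionary word the password reduces to, or null if none matches. */
    public function matchedWord(string $password): ?string
    {
        foreach (self::candidates($password) as $candidate) {
            if (isset($this->words[$candidate])) {
                return $candidate;
            }
        }
        return null;
    }
}

// Constructed sample list; a real one has tens of thousands of entries and
// is loaded from a file into the same array-keyed structure.
$check = new DictionaryPasswordCheck(['abridge', 'denounce', 'queen', 'rats', 'password']);

foreach (['abridge', 'Queen1', 'r@ts!', 'p4ssw0rd', 'xK9#mQ2vL'] as $pw) {
    $hit = $check->matchedWord($pw);
    printf("%-12s %s\n", $pw, $hit === null ? 'ok' : "rejected (dictionary word '$hit')");
}
```

The check runs on the plaintext at registration or password change, before hashing, and complements rather than replaces the length, character-set and entropy scoring Abbas refers to: a long random passphrase passes, while every variant of "queen" in the sample is rejected with the word it reduces to, which is what the user needs to see in the error message.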