[OWASP_PHPSEC] Dictionary Attack ?

Abbas Naderi abiusx at owasp.org
Sat Jun 1 07:10:45 UTC 2013


We could add that as a pluggable extension. It's huge and not wise to be enforced at any layer.
-Abbas
On ۱۱ خرداد ۱۳۹۲, at ۱۰:۲۹, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:

> what you said is what I have in mind....and what you said is currently what I am working on....but I am not able to understand this...currently the jFramwork has functions that can detect all kinds of pattern except the english words....
> 
> it cannot detect anything wrong if the password is "abridge" ...however dictionary attack can crack this very easily...
> 
> as you said I did blackbox testing in facebook passwords..They seem to store a list of all dictionary words...and they cross-check the password....if that password is present, they do no allow that password to be kept...
> 
> I was asking should we also have some mechanism...
> 
> 
> On Sat, Jun 1, 2013 at 1:52 AM, Abbas Naderi <abiusx at owasp.org> wrote:
> Well its not easy to detect that. Maybe the password is something that exists in common rainbow tables instead of dictionaries? We should thwart those too…
> We should fight the issue objectively, not subjectively. We are not gonna let it get ill, then try to fix it. We shall vaccinate it (by complexity and entropy and strength).
> -Abbas
> On ۱۱ خرداد ۱۳۹۲, at ۱۰:۰۹, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
> 
>> no no...what I was asking is that if user enters some password that is found in dictionary, then to thwart that....like if I keep password "abridge" or "denounce" or "queen" or "rats"...something like this...
>> 
>> 
>> On Sat, Jun 1, 2013 at 1:23 AM, Abbas Naderi <abiusx at owasp.org> wrote:
>> Yes,
>> more entropy and using more character sets in the password. Thats why we count them towards strength!
>> -A
>> On ۱۱ خرداد ۱۳۹۲, at ۷:۴۳, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
>> 
>> > HI...I am still searching for this, but I thought it would be faster if I ask it here.
>> >
>> > Do you know any way to stop dictionary attacks. We can keep a list of dictionary words and see if user-supplied password matches any of them. But other than this, do you suggest anything?
>> >
>> > --
>> > Regards,
>> > Rahul Chaudhary
>> > Ph - 412-519-9634
>> > _______________________________________________
>> > OWASP_PHP_Security_Project mailing list
>> > OWASP_PHP_Security_Project at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
>> 
>> 
>> 
>> 
>> -- 
>> Regards,
>> Rahul Chaudhary
>> Ph - 412-519-9634
> 
> 
> 
> 
> -- 
> Regards,
> Rahul Chaudhary
> Ph - 412-519-9634

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp_php_security_project/attachments/20130601/2ad6c271/attachment.html>


More information about the OWASP_PHP_Security_Project mailing list