About XYPRO Company Logo

How to Resist a Dictionary Attack:

October 7, 2009 • Data Protection

Password Quality is Key
If you’re a security or network administrator, then you probably already know that withstanding a dictionary attack is a common security requirement. For those who may not know, a dictionary attack refers to the general technique of trying to guess some secret, usually a password, by running through a list of likely possibilities, often a list of words from a dictionary.
So, what type of password can resist a dictionary attack?  Well, one that is not a word that can be found in any dictionary, of course!   Simply put, the best defense against a dictionary attack is a strong password composed of a combination of different types of characters.
Password Quality is Key!

Password quality is so critical that it is a PCI compliance requirement. Further, password quality plays a key role in resisting even a brute force attack because password cracking programs, used for such attacks, work by applying all the common variations of every word in the dictionary.  They generate character sequences working through all possible one-character passwords, then two character, then three character, etc.  The variations of words are encrypted and then the resulting hashes are compared to the hashes in the password file being cracked.  If the hashes match, the password is known.

Our Solution

XYPRO’s Password Quality (XPQ) software has helped numerous users effectively resist a dictionary attack.  XPQ provides a wide range of password strengthening techniques, forcing users to create passwords that are able to withstand a dictionary attack. XPQ can be configured to require the following of users when creating or changing their passwords:

•    Include both upper and lower case characters
•    Include special characters in the password
•    Include control characters in the password
•    Include letters and numbers in the password
•    Do not include any part of the user’s logon ID in the password
•    Use password length of up to 64-characters long

What’s more, the rules can be mixed and matched to meet any site’s password quality requirements.  Along with a minimum password length, periodic password expiration, and password history tracking, passwords created with XPQ-enforced rules would be virtually unbreakable via a dictionary attack.

In addition to enforcing Password Quality rules, XPQ offers yet another approach to withstanding a dictionary attack – generated passwords.  If XPQ is configured to take advantage of this function, the generated passwords always match your configured quality rules and, therefore, are not vulnerable to a dictionary attack.  Because many dictionary attacks target privileged userids such as SUPER.SUPER or the application owners, companies could establish a policy of always using generated passwords for their privileged userids.

The Proof is in the Numbers
The table below shows the amount of time* a successful brute force attack takes, depending on the combination of characters used in the password.


*The numbers should not be interpreted as actual time.  The speed of the attack depends on multiple factors including computing resources, password encryption level, etc.  However the table is a good illustration of how important enforcing password quality rules is for brute force attack resistance. Source for statistics and calculations:  http://geodsoft.com/howto/password/cracking_passwords.htm

As the table shows, cracking a “simple” seven-character password would take 22.3 hours, while the same seven-character password composed of mixed case characters extends the attack time to 3.91 months. Adding numbers and symbols to the password, extends the time needed to process all possible combinations to more than two years.  So, if a password is also changed regularly, this can mean an extended state of security against an attack.

Bottom line: Don’t let your system and critical data be left vulnerable to attack due to easily decoded passwords. Maximize XPQ to keep your passwords up to par!
Want to learn more? Visit us at www.xypro.com