Sunday 22 July 2012

Sidestepping a Dictionary Attack with Username Selection

Of course, a password is only half of the required login credential. A username is
also required. While it is less likely that a dictionary word would be used as a
username, there are still some common usernames that hackers are certain to try
with a brute force attack. First among these are “admin” and “administrator”. These
names are especially dangerous since they are not only easily guessed, but the
accounts they represent are usually highly privileged administrative accounts. If the
hacker’s dictionary attack could gain access to an administrative account, he could
probably do much more damage to the system than he could if he gained access to
a regular user’s account.

Administrative accounts are not the only problem: many Web applications and
Web application frameworks create default users during installation, often with
well-known default passwords. If the site administrator does not remove these
default users or at least change their passwords, these accounts will be easy
targets for a dictionary attack, since both halves of the credential are
published in the product's own documentation. Finally, when users are allowed to
choose their own usernames, they often choose their email address, since it is
easy to remember. Once again, the user's laziness is a benefit to a hacker using
a brute force attack: an email address is not a secret, so the attacker no longer
has to guess the username at all and can spend every attempt on the password.
Armed with a list of email addresses (perhaps obtained from a spammer) and a
dictionary of passwords (easily obtained anywhere), an attacker has an excellent
chance of breaking into at least one user's account.
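One way to act on this at registration time and during an audit of an existing user table is a username policy that rejects exactly the names an attacker's list is certain to contain. The following is an added example, not code from the original post: the reserved-name list beyond "admin" and "administrator", the minimum length, and the email-shape regex are assumptions chosen for illustration, and the sample user table is constructed.

```python
"""Username policy check: reject usernames an attacker's wordlist is certain
to contain. Added illustration; the reserved-name list beyond "admin" and
"administrator", the minimum length and the email regex are assumptions."""
import re
from typing import Dict, Iterable, Optional

# Names the post singles out, plus a few other common defaults (assumed list).
RESERVED_USERNAMES = frozenset({
    "admin", "administrator", "root", "sysadmin", "webmaster",
    "test", "guest", "user", "demo", "support", "info",
})

# Rough shape of an email address: local part, '@', domain containing a dot.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

MIN_LENGTH = 6  # assumed policy value


def username_rejection_reason(username: str) -> Optional[str]:
    """Return None if the username is acceptable, else the reason it is rejected.

    The name is lower-cased and stripped of surrounding whitespace first, so
    'Admin' or ' ADMIN ' cannot slip past the reserved-name check.
    """
    name = username.strip().lower()
    if name in RESERVED_USERNAMES:
        return "reserved name"
    if EMAIL_RE.match(name):
        return "looks like an e-mail address"
    # 'admin1', 'administrator2012', 'adm-in' etc. are still on every
    # attacker's list, so compare the letters alone as well.
    letters_only = re.sub(r"[^a-z]", "", name)
    if letters_only in RESERVED_USERNAMES:
        return "reserved name with digits or punctuation appended"
    if len(name) < MIN_LENGTH:
        return "too short"
    return None


def audit_existing_usernames(usernames: Iterable[str]) -> Dict[str, str]:
    """Return {username: reason} for every account in an existing user table
    that would be an easy target (for example default accounts left behind
    by an installer, or users who signed up with their email address)."""
    report: Dict[str, str] = {}
    for u in usernames:
        reason = username_rejection_reason(u)
        if reason is not None:
            report[u] = reason
    return report


if __name__ == "__main__":
    # Constructed sample user table, as an installer plus a few signups
    # might leave it; not taken from any real system.
    sample = ["admin", "Administrator", "admin2012", "alice@example.com",
              "guest", "bob", "bluewhale42"]
    for user, why in audit_existing_usernames(sample).items():
        print(f"{user!r}: {why}")
```

Run as a script it prints one line per flagged account from the constructed table; `username_rejection_reason` is the hook to call from a registration form. A policy like this raises the cost of the username half of the guess, but it does not replace account lockout or rate limiting on failed logins, which are what actually stop a dictionary attack once the attacker has a valid username.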
