2

I have been reading quite a bit about brute force attacks, and I am wondering whether the passwords that are used in such attacks should be kept around so as to later prevent my users from having those passwords. Since those brute force systems checked with those passwords, I would imagine that they could try again with the same set of passwords against other accounts, and thus not having such passwords used anywhere on my systems would probably be a good idea...

Of course, over time I could end up blacklisting a very large number of otherwise really good passwords. So my question about brute force password checking over the Internet would be:

Has anyone made some collection of the passwords used by such brute force attempts? And if such collections exist, what are the stats on reuse/retest of a certain set of passwords? (i.e. are those robots always re-using the same set of passwords? Are these always checking with completely different passwords?)

Alexis Wilke
  • Ask google for "password dictionary txt". – smrt28 Jan 13 '16 at 08:12
  • I have such, some 2 million passwords. Are brute force attacks online generally just using those? – Alexis Wilke Jan 13 '16 at 08:26
  • If brute-force means the records in my server access logs, then yes. They definitely use such a dictionary. More likely something shorter than 2M. Probably a short subset of the most common user:password twins. I believe google also finds them for you. – smrt28 Jan 13 '16 at 08:35

2 Answers

1

As I understand it, brute force attacks come in a few flavors:

  • True brute force, starting at A, moving to B, and so on until you get a hit.
  • Dictionary attacks, working through all known words.
  • Targeted attacks, working from your own password list (made from leaked passwords, and transformations upon them).
  • Targeted attacks using the personal information of the target.
  • A combination of the above.

1 and 2 you can defend against, but there aren't any specific lists. Keep people away from whole words, and increase complexity, and you can do something.

For 3, you've got a password list; banning all entries on the list may not be the best move, but you can take the most frequent offenders.

For 4, there's not an easy programmatic solution. It's a people problem, not a technical one.

Jozef Woods
  • Note that I was not asking how valuable (or not) checking passwords that should not be used, but rather about whether we have lists of passwords such brute forces are using. So that way we could know whether these passwords are included in our directories or not. Whether they look random or not. – Alexis Wilke Jan 13 '16 at 10:47
  • And my point was that it depends on the attack. A pure brute force contains all possible passwords (theoretically), and everyone has access to a dictionary. What you're looking for (as has been stated before) are the password lists made from leaks. – Jozef Woods Jan 13 '16 at 10:51
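One way to build such a list from your own observed failed attempts, answer the "reuse/retest" question from the data, and keep only the most frequent offenders as the answer suggests. This is an added example, not code from the original answer; the log line layout, field names and sample records are constructed assumptions.

```python
from collections import defaultdict
import re

# Constructed sample: failed-login records as a honeypot or an application's
# failed-login hook might emit them (field layout is an assumption, not a real format).
SAMPLE_LOG = """\
2016-01-13T08:12:01 src=198.51.100.7 user=root pass=123456 result=fail
2016-01-13T08:12:02 src=198.51.100.7 user=root pass=password result=fail
2016-01-13T08:12:03 src=198.51.100.7 user=admin pass=admin result=fail
2016-01-13T08:14:10 src=203.0.113.9 user=root pass=123456 result=fail
2016-01-13T08:14:11 src=203.0.113.9 user=root pass=qwerty result=fail
2016-01-13T08:14:12 src=203.0.113.9 user=admin pass=admin result=fail
2016-01-13T08:20:45 src=192.0.2.33 user=root pass=123456 result=fail
2016-01-13T08:20:46 src=192.0.2.33 user=pi pass=raspberry result=fail
2016-01-13T08:21:00 src=192.0.2.33 user=alice pass=Tr0ub4dor&3 result=ok
"""

LINE_RE = re.compile(r"src=(\S+) user=(\S+) pass=(\S+) result=(\w+)")

def parse_attempts(log_text):
    """Yield (source, user, password) per failed attempt; successes are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(4) == "fail":
            yield m.group(1), m.group(2), m.group(3)

def reuse_stats(attempts):
    """Return ({password: distinct sources that tried it}, share of passwords
    tried by more than one source, i.e. the re-use/retest rate asked about)."""
    sources_by_pw = defaultdict(set)
    for src, _user, pw in attempts:
        sources_by_pw[pw].add(src)
    counts = {pw: len(s) for pw, s in sources_by_pw.items()}
    reused = sum(1 for n in counts.values() if n > 1)
    return counts, (reused / len(counts) if counts else 0.0)

def build_blocklist(counts, min_sources=2):
    """Keep only the most frequent offenders (tried from >= min_sources distinct
    sources) so one attacker's one-off guesses do not grow the list without bound."""
    return {pw for pw, n in counts.items() if n >= min_sources}

def is_blocked(candidate, blocklist):
    """Exact match: passwords are case-sensitive, so no normalisation."""
    return candidate in blocklist

if __name__ == "__main__":
    counts, ratio = reuse_stats(parse_attempts(SAMPLE_LOG))
    print(sorted(build_blocklist(counts)), f"reuse ratio={ratio:.2f}")
```

The `min_sources` threshold is what keeps the list from swallowing every otherwise good password a single bot tried once, which is the concern raised in the question.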
0

There are a lot of excellent lists available. Do a google search for 'seclists', and also take a look at this github for some recent ones: https://github.com/danielmiessler/SecLists. Nmap comes with a good, constantly updated password list, but it is not as comprehensive. Another excellent source is the 'dumpmon' twitter feed, and, going back to basics, if you're on Linux, run 'locate dictionary' to see the dictionaries available on your system.

  • Note that my question is not about finding existing lists or dictionaries that I could use to prevent such attacks, but rather whether some lists built from actual such attempts exist and, if they do, what passwords are being checked by such. – Alexis Wilke Jan 13 '16 at 10:43
  • Yes. They are actual lists of users' passwords that have been captured in breaches and are passwords that are to be avoided. – 16b7195abb140a3929bbc322d1c6f1 Jan 13 '16 at 10:45
  • Fyodor, the creator of nmap, has a good video from one of the defcon conferences where he discusses how the nmap list is created for the brute modules. – 16b7195abb140a3929bbc322d1c6f1 Jan 13 '16 at 10:46