Multiple options are available for mitigating automated password guessing attacks, and choosing the most appropriate one(s) requires understanding the security and usability trade-offs of each. Regardless, the goal is to implement a set of controls that effectively prevents all types of password guessing attacks from succeeding. The solution typically entails a combination of strong password requirements, account lockouts, throttling authentication attempts, logging, and multi-factor authentication (MFA).
Common Types of Password Attacks
Several types of password guessing attacks are common: brute-force, dictionary, combos, and social engineering. The spectrum ranges from trying as many passwords as possible without any information about the users to making only a few educated guesses.
- Brute-force password guessing attacks try every possible combination of valid characters in order to discover the password; but they tend to be very slow, especially for networked applications. Some variations of brute-force attacks take into account the probability of various characters being used in order to try the most likely passwords first instead of just going in alphabetical order. This has significant performance gains but these attacks still tend to be slower than the other types.
- Dictionary attacks rely on word lists of common passwords but don't factor in any information about the users - the word lists are the same for all users. Dictionary attacks tend to be the most practical overall. Password cracking programs include features for trying variations of dictionary words, such as appending and prepending numbers and punctuation marks, combining multiple words, substituting letters for numbers, and using capitalization throughout the words. Combo attacks are a relatively new variation of dictionary attacks that are made possible by the massive amounts of password leaks that have occurred the past several years.
- Combo attacks use so-called combos, which are pairings of usernames and known passwords from compromised web applications. The idea behind combo attacks is that many people use the same usernames and passwords for different applications, so it is reasonable to try known username and password combinations first to see if they are valid. This attack type is particularly popular among young new hackers and they actively trade combo lists online.
- Social engineering attacks use information about a specific user to make educated guesses of what the password might be. The information might include data collected from social networking sites, phishing attempts, shoulder-surfing and even trying to get the user to reveal their password, such as by pretending to be a system administrator that requires the password to perform maintenance.
Preventing Common Password Attacks
The most effective single control for preventing automated password guessing attacks from succeeding is Multi-Factor Authentication (MFA). When MFA is implemented correctly, it defeats password guessing by requiring some other way to authenticate in addition to a password – ensuring that those who can correctly guess a password cannot compromise the account. The primary drawbacks of MFA are psychological acceptability to the user and cost to implement. Some MFA methods, such as biometrics, can be expensive to implement, difficult to scale, and perceived as invasive by the users. Time-based token generators can be a low-cost and non-intrusive option, but the extra step to authenticate can still be a minor annoyance to users. Ultimately, for software where security is a real concern, MFA is strongly recommended.
Strong Password Requirements
Strong password requirements make passwords much more difficult to guess. Different authors have different recommendations for minimum password strength. The longer the password and the larger the character range included in it, the stronger the password. Length increases guessing difficulty more than using obscure characters. Avoiding dictionary words, combinations and variations of words makes passwords stronger. Not using the same passwords for multiple applications makes passwords stronger. The latter requirements are difficult to enforce in applications, but the former are pretty easy and are commonly implemented.
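As an added example (not code from the original article), a password check that applies the points above: it enforces length first and rejects dictionary words together with the variations cracking tools generate (prepended or appended digits and punctuation, letter-for-number substitutions, capitalization, and two words glued together). The wordlist, the 12-character minimum and the substitution table are constructed for illustration.

```python
import re

# Constructed sample wordlist; a deployment would load a large leaked-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "summer"}

# Undo the letter-for-number substitutions that cracking tools apply to words.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

def _strip_affixes(text: str) -> str:
    """Drop prepended/appended digits and punctuation ("summer2024!" -> "summer")."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", text)

def _letters_only(text: str) -> str:
    return re.sub(r"[^a-z]", "", text)

def _normalized_forms(candidate: str) -> set[str]:
    """The base forms a cracking tool's rules would have started from."""
    s = candidate.lower()                     # capitalization is not a defence
    leet = s.translate(LEET_MAP)
    return {s, _strip_affixes(s), _strip_affixes(leet), _letters_only(s),
            _letters_only(leet), _strip_affixes(s).translate(LEET_MAP)}

def _is_word_combo(form: str) -> bool:
    """True when the form is two common words glued together (e.g. summerdragon)."""
    return any(form.startswith(w) and form[len(w):] in COMMON_WORDS for w in COMMON_WORDS)

def check_password(candidate: str, min_length: int = 12) -> list[str]:
    """Return the policy violations found; an empty list means the password passes.
    Length is checked first because it adds more guessing difficulty than symbols do."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    forms = _normalized_forms(candidate)
    if any(f in COMMON_WORDS for f in forms):
        problems.append("variation of a common dictionary word")
    elif any(_is_word_combo(f) for f in forms):
        problems.append("combination of common dictionary words")
    return problems
```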
Account Lockouts
Account lockouts are a security control inherited from the days before MFA use became widespread. Account lockouts prevent authentication attempts for a period of time after a certain number of failed authentication attempts. Account lockout functionality can cause account lockout denial-of-service conditions, in which a legitimate user cannot log in because the account has been locked for security reasons. The attacker's goal might actually be to keep the user out of the system rather than to guess the password; the attacker still needs to know the valid username. In practice, MFA is a much more effective and practical security control than account lockouts. When MFA is available, account lockouts are not recommended unless they are required for compliance.
Throttling Authentication Attempts
A common and practical control is throttling authentication attempts. There are several variations of authentication throttling: constant time throttling, increased period throttling, and CAPTCHA-based throttling. Constant time throttling adds a constant waiting period, usually of a few seconds, before announcing authentication results. Increased period throttling increments the waiting period after each failed authentication attempt. CAPTCHA-based throttling requires the user to solve a puzzle that is supposed to be difficult for bots for each authentication attempt.
Authentication throttling controls have the added benefit of preventing time-based username enumeration when implemented correctly. If the time to process an invalid username differs from the time it takes to process a valid username, that difference makes it possible to enumerate valid usernames. This timing difference can be introduced by using strong iterative hashing algorithms for storing passwords, since the hash is typically only computed when the username exists. Throttling authentication attempts provides an opportunity to make the time to process valid and invalid usernames indistinguishable. To take full advantage of this, either add a random timer that takes longer than the password hashing process to the throttle period, or add a constant timer to invalid-user attempts that makes them take as long as attempts for valid users. The random timer approach is easier to implement consistently.
Regardless of what other options are used, excessive authentication attempts should be logged. Care should be taken to throttle log entries to prevent log files from getting flooded - instead of generating a log entry for each failed attempt, try to count the failed attempts and generate one or a few entries that include aggregate amounts. Some applications notify the user about the failed authentication attempts - when a user logs in successfully, they are presented with a message that says how many failed attempts have taken place since the last successful login.
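An added example (not code from the original article) that ties the three sections above together: increased-period throttling per username, the same PBKDF2 work and wait for unknown and known usernames so response time does not reveal which usernames exist, one aggregated log entry per five failures instead of one per attempt, and the count of failures since the last successful login returned for display to the user. The user store, work factor, thresholds and random timer range are assumed values.

```python
import hashlib
import hmac
import os
import secrets
import time
from collections import defaultdict

ITERATIONS = 100_000        # PBKDF2 work factor (assumed value); slow on purpose
LOG_EVERY = 5               # one aggregated log entry per this many failures
AUDIT_LOG: list[str] = []   # stands in for the application's real log sink

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed user store: username -> (salt, hash). Unknown usernames are hashed
# against DUMMY_SALT so they cost the same hashing time as real ones.
_salt = os.urandom(16)
USERS = {"alice": (_salt, _hash("tangible-orchard-lantern-44", _salt))}
DUMMY_SALT = os.urandom(16)

failures = defaultdict(int)       # consecutive failures per username, real or not
since_success = defaultdict(int)  # failures to report at the next successful login

def throttle_delay(failed_attempts: int, base: float = 1.0, cap: float = 30.0) -> float:
    """Increased-period throttling: the wait doubles with each failure, up to cap."""
    return min(cap, base * 2 ** failed_attempts) if failed_attempts else 0.0

def authenticate(username: str, password: str, sleep=time.sleep):
    """Returns (success, failed attempts since the last successful login or None)."""
    record = USERS.get(username)
    salt, stored = record if record else (DUMMY_SALT, None)
    computed = _hash(password, salt)          # always hash, known user or not
    ok = record is not None and hmac.compare_digest(computed, stored)
    # Throttle, plus a random timer (assumed 0-0.5 s, longer than one hash) so the
    # response time no longer tracks whether a real hash was compared; then announce.
    sleep(throttle_delay(failures[username]) + secrets.randbelow(500) / 1000)
    if ok:
        count = since_success[username]
        since_success[username] = failures[username] = 0
        return True, count
    failures[username] += 1
    since_success[username] += 1
    if failures[username] % LOG_EVERY == 0:   # aggregate instead of flooding the log
        AUDIT_LOG.append(f"auth: {failures[username]} consecutive failures for {username!r}")
    return False, None
```

Passing a recording function as `sleep` (as the test does) lets the throttle schedule be inspected without actually waiting.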
PCI-DSS Compliance
For applications that have to be compliant with PCI DSS, the types of controls that need to be implemented are predetermined. The following PCI DSS requirements are relevant to preventing automated password guessing attacks:
- Requirement #8.1.6 forces locking the user account after not more than six failed attempts. Following this requirement introduces account lockout denial-of-service vulnerabilities; most likely it is a requirement that carried over from earlier versions of PCI DSS.
- Requirement #8.1.7 states the lockout period should be at least 30 minutes or until administrator intervention.
- Requirement 8.2 mandates Multi-Factor Authentication, which makes account lockout redundant.
- Requirement 8.2.3 defines minimum password strength requirements.
- Requirement 10.2.4 requires logging invalid authentication attempts.