Focused On Your Success


The All.Net Security Database


Generated Fri Jun 27 09:58:50 PDT 2003 by fc@red.a.net

Cause/Mechanism:
  • Threat Profiles
  • Attack Methods
  • Defense Methods
    Process:
  • Prevention
  • Detection
  • Reaction
    Impact:
  • Integrity
  • Availability
  • Confidential
  • Use Control
  • Other:
  • Risk Management
  • Database Description

    Domain:
  • Physical
  • Informational
  • Systemic
    Sophistication:
  • Theoretical
  • Demonstrated
  • Widespread
  • Perspectives:
  • Management
  • Policy
  • Standards
  • Procedures
  • Documentation
  • Audit
  • Testing
  • Technical Safeguards
  • Personnel
  • Incident Handling
  • Legal
  • Physical
  • Awareness
  • Training
  • Education
  • Organization
  • Brekne's Mechanistic:
  • Input
  • Output
  • Storage
  • Processing
  • Transmission
  • Brekne's Causal:
  • Accidental
  • Malicious
  • Brekne's Method:
  • Leakage
  • Masquerade
  • Denial
  • Corruption
  • Usage
  • Mental

  • Attack32:

    Name:password guessing

    Complexity: Password guessing has been analyzed in painstaking detail by many researchers. In general, the problem is as hard as guessing a string from a language chosen by an imperfect random number generator. [Cohen85] The complexity of attack depends on the statistical properties of the generator. For most human languages there are about 1.2 bits of information per symbol, [Shannon49] so for an 8-symbol password we would expect about 9.8 bits of information and thus an average of about 500 guesses before success. Similarly, at 2 attempts per user name (many systems use thresholds of 3 bad guesses before reporting ana anomaly) we would expect entry once every 250 users. For 8-symbol passwords chosen uniformly and at random from an alphabet of 100 symbols, 5 quadrillion guesses would be required on average.
    fc@red.a.net

    Related Database Material

    [TBVStorage - Relates to Storage]
    [TBVMalicious - Relates to Malicious]
    [TBVUsage - Relates to Usage]
    [PDRConfidentiality - Relates to Confidentiality]
    [PDRUse - Relates to Use]
    [PDRWidespread - Relates to Widespread]
    [PLSLogical - Relates to Logical]
    [Threat1 - insiders]
    [Threat2 - private investigators]
    [Threat3 - reporters]
    [Threat4 - consultants]
    [Threat5 - vendors]
    [Threat6 - customers]
    [Threat8 - competitors]
    [Threat10 - hackers]
    [Threat11 - crackers]
    [Threat12 - club initiates]
    [Threat13 - cyber-gangs]
    [Threat14 - tiger teams]
    [Threat20 - crackers for hire]
    [Threat25 - industrial espionage experts]
    [Threat27 - police]
    [Threat28 - government agencies]
    [Threat30 - economic rivals]
    [Threat31 - nation states]
    [Threat32 - global coalitions]
    [Threat33 - military organizations]
    [Threat35 - information warriors]
    [Threat36 - extortionists]
    [Defense54 - accountability]
    [Defense135 - alarms]
    [Defense30 - audit analysis]
    [Defense29 - auditing]
    [Defense47 - authorization limitation]
    [Defense46 - biometrics]
    [Defense33 - capture and punishment]
    [Defense99 - deceptions]
    [Defense72 - detailed audit]
    [Defense13 - detection before failure]
    [Defense50 - dynamic password change control]
    [Defense7 - effective mandatory access control]
    [Defense6 - feeding false information]
    [Defense44 - hard-to-guess passwords]
    [Defense14 - human intervention after detection]
    [Defense53 - known-attack scanning]
    [Defense37 - least privilege]
    [Defense59 - lockouts]
    [Defense107 - minimizing copies of sensitive information]
    [Defense31 - misuse detection]
    [Defense98 - perception management]
    [Defense15 - physical security]
    [Defense70 - quad-tri-multi-angulation]
    [Defense26 - rerouting attacks]
    [Defense4 - sensors]
    [Defense125 - time, location, function, and other similar access limitations]
    [Defense106 - tracking, correlation, and analysis of incident reporting and response information]