Defending Against Password Attacks


Let’s face it; MAC filtering is not an effective way to combat brute force attacks against pre-shared keys. On my Access Point (AP) at home, in other words my home router, I use MAC filtering not as a security mechanism but rather as a way to assign a private IPs to a specific device’s MAC address using a method called “IP Reservation” with DHCP. This basically ensures the IP is reserved and ready for use on that particular device the next time it connects to the network. With that said, defeating MAC filtering in regards to cracking pre-shared keys is very doable. MACs can be masqueraded “spoofed” very easily, such as, capturing an end-user’s MAC address using a passive network scanner. The attacker could use the spoofed MAC address to connect to the end user’s AP. This is done by fooling the AP into believing it’s actually connected to the end-user, when in reality, it’s connected to the attacker and the AP wouldn’t even know the difference, thus, allowing communications to proceed and the breach to successfully complete.

Since the attacker cannot connect to the AP using the spoofed MAC address while the end user is still using it, the end user needs to be disconnected from the AP. All the attacker has to do is inject a deauthentication packet into data stream of both the AP and the end user’s device. At this point, the attacker has a small window of opportunity to connect using the spoofed end user’s MAC address before the end-user’s device reconnects, which typically occurs within seconds. This all happens relatively fast so the attacker has one shot to get it right.

Injecting deauthentication packets into a breached data network could alert the end-user to a dropped connection and may also trip an Intrusion Detection System alerting the network administrator to the intruder’s presence. A more stealthy way to do this is to wait for the connection to drop gracefully, at the will of the end user, and then connect using the spoofed MAC address before the end-user reconnects. This could take some time since the attacker has to wait for the end-user to basically shutdown their computer or disconnect from the network.


Three most common password attack vectors

Brute-Force attacks are extremely CPU / GPU intensive that require the use of relatively expensive hardware to accomplish. The amount of time needed to crack an encrypted “hashed” password is directly proportional to the amount of computing power used to do so.


CPU/GPU Cycles = Complexity of Password

Many attackers have overcome these obstacles through the use of cloud based computing services such as IaaS. These types of services allow attackers to use preexisting infrastructure to merge together many CPUs, in effect, assembling a mini supercomputer for pennies on the dollar. Cloud based services provide the attacker with all the computing power needed to launch massive attacks. Criminals have become savvy in their methods used to overcome computer networking defenses. They are finding innovative ways to use technology to steal our private data and identities.

Keyloggers basically come in two forms, software based or hardware based. Software based keyloggers are distributed by attackers mostly through phishing emails otherwise known as SPAM. If an unsuspecting user clicks on that nefarious email, the potential for a keylogger to be installed to the end-user’s computer, unbeknownst to the user in the background, is almost a guarantee. Hardware based keyloggers must be physically placed in-line with a USB connected keyboard. This method is more difficult because it requires physical access to the user’s computer. On the other hand, Bluetooth keyloggers do not require physical access because they can detect the user’s keystrokes from up to 30 feet away, including through walls. So users with Bluetooth keyboards beware. Users need to be proactive in protecting their data by shutting all the back doors used by attackers to steal information and this is best achieved through educating users on how to defend themselves. We all benefit in the end.

The most effective way to combat brute-force attacks is to use strong passwords, avoid using default usernames, and use carefully worded authentication failure messages. For instance, it’s not a good idea to use “User ID not found” and “Incorrect password” separately. These are indications for an attacker to know if they are on the right track or not. A much better practice is to use “Incorrect username or password” when a login attempt fails. This makes it much harder for the attacker for obvious reasons.


The benefits of strong passwords is very evident as seen here.

It’s also a good idea to use “Incremental Delays” during failed  authentications as opposed to automatic 2 or 3 or whatever minute wait. Non-incremental delays kick open the doors to other attacks such as denial of service and should be avoided if at all possible.

A better method is to incrementally increase the login delay with each failed login attempt. For instance, 1 failed attempt = 1 minute, 2 attempts = 2 minutes, etc. This method will exponentially increase the time it takes a brute-force attack to be successful. So what used to take 3 hours now could take 3 weeks, months, or even years! This effort is definitely worth the time it takes to implement. Savvy computer users could also  monitor  their Wi-Fi connections using a passive network analyzer, like Wireshark, then looking for any signs De-authentication packets.


Users should avoid using words found in the dictionary as passwords!

There are large number of password managers that can make creating and storing long complicated usernames & passwords easier. I use Apple Keychain on all my Apple devices and it works perfectly fine. ICloud Keychain uses 256-bit AES encryption to store and transmit usernames, passwords, and credit card info. It also uses elliptic curve asymmetric cryptography and key wrapping.

I also implement “two factor authentication” on all my online accounts and use strong passwords. With two factor authentication, users receive an SMS message or text containing a 4 to 6 digit security code, which can be sent to any phone number they designate, that must be entered at the website before being granted access. This emboldens the end user’s security posture and provides peace of mind. Apple keychain also suggests complex user passwords, typically 12 characters in length, during the creation phase, which users can override with their own custom password if they choose to do so making it a relatively painless process while ensuring maximum security. This added convenience takes the pressure off of the user to come up with complex passwords and is also a time saver.

Link to the best password managers for windows machines:,2817,2407168,00.asp


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s