Online password attacks

Network services typically authenticate users using a combination of username and password. If the existence of a user is known or can be determined, an attacker can attempt to guess the corresponding password through repeated login attempts.

In contrast to offline attacks, verification is performed directly against the target service. Each attempt generates a real authentication request that must be processed by the service. The attacker is therefore fully bound to the characteristics and responses of the target system.

Process and Strategies

A typical online password attack follows a structured approach:

  1. User Identification (Enumeration):
    First, a valid username is identified. This can be achieved through publicly available information, differences in the system's error messages or response times (e.g., “user does not exist” versus “wrong password”), or targeted enumeration techniques.

  2. Selecting an Attack Strategy:
    Depending on the target system and its constraints, one of the following approaches is applied:

    • Dictionary Attack:
      Uses lists of commonly used or previously leaked passwords (e.g., rockyou.txt). This significantly reduces the search space and is the most common approach in practice.

    • Brute-Force Attack:
      Systematic testing of all possible character combinations. Because the request rate is limited, this is usually only feasible online for very small password spaces, such as short numeric PINs.

    • Password Spraying:
      A single common password (e.g., Winter2024!) is tested against many different usernames, and the next password is only tried once the lockout observation window has passed. Each account therefore sees only one or two failed attempts per window, which keeps the attack below typical lockout thresholds.

Tools and Practice

A commonly used tool for automating such attacks is Hydra. It enables systematic login attempts against various protocols such as SSH, FTP, RDP, or HTTP. Its parallelism and the delay between attempts must be tuned to the target's rate limiting and lockout policy; run with defaults against a strict policy, the tool simply locks out the accounts it is testing.

In practice, however, the tool itself is less important than the combination of valid usernames, suitable password lists, and a strategy adapted to the target system’s protection mechanisms. In penetration tests, this approach is used to evaluate the effectiveness of password policies as well as detection and protection mechanisms.

Limiting Factors and Defensive Measures

The effectiveness of online password attacks is significantly constrained by several factors:

  • Technical Latency:
    Each attempt requires a full network round trip, often a fresh connection or TLS handshake, and the service's own authentication work, which limits the attacker to a handful of attempts per second per connection. Offline cracking of a captured hash, by contrast, tests millions or billions of candidates per second.

  • Rate Limiting and Tarpitting:
    Services restrict the number of requests or deliberately increase response times after repeated failures to slow down automated attacks.

  • Account Lockout:
    Systems temporarily or permanently lock accounts after a defined number of failed login attempts, usually counted within an observation window. A strict policy also creates a denial-of-service risk, since anyone who knows a username can lock that account, and it is exactly this per-account counting that password spraying is designed to stay below.

  • Multi-Factor Authentication (MFA):
    Even if the correct password is guessed, authentication fails without the second factor. This is one of the most effective protective measures.
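The defender's view of the attack strategies above, as an added example that is not part of the original article: a minimal Python detector over constructed OpenSSH-style auth.log lines that separates a brute-force run against one account from a spray across many, flags probes of non-existent usernames, and highlights a success that follows failures from the same source. The regular expression matches the message format sshd actually writes, but the sample lines, addresses, usernames and thresholds are all constructed for illustration, not a recommended policy.

```python
"""Added example (not from the original article): classify failed-login
activity in OpenSSH-style auth.log lines into the online-attack patterns
described above. Log lines, hosts, users and thresholds are constructed
for illustration and are not a recommended detection policy."""
import re
from collections import defaultdict

# Matches the message part sshd writes for password authentication, e.g.
#   sshd[1234]: Failed password for invalid user admin from 203.0.113.9 port 40010 ssh2
LINE_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) password for (invalid user )?(\S+) from (\S+) port (\d+)"
)


def _line(ts, user, src, port, accepted=False, invalid=False):
    """Build one constructed auth.log line in sshd's format."""
    verb = "Accepted" if accepted else "Failed"
    who = f"invalid user {user}" if invalid else user
    return f"Mar  3 {ts} host sshd[{1000 + port % 97}]: {verb} password for {who} from {src} port {port} ssh2"


SPRAY_USERS = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]
SAMPLE_LOG = "\n".join(
    # 12 guesses for root from one source: a brute-force / dictionary run
    [_line(f"10:00:{i:02d}", "root", "198.51.100.7", 51000 + i) for i in range(12)]
    # one guess each against eight accounts from a second source: spraying
    + [_line(f"10:05:{i:02d}", u, "203.0.113.9", 40000 + i) for i, u in enumerate(SPRAY_USERS)]
    # the sprayer also probes a username that does not exist
    + [_line("10:05:08", "admin", "203.0.113.9", 40008, invalid=True)]
    # a single failure followed by success from a third source
    + [_line("10:20:00", "carol", "192.0.2.44", 33000),
       _line("10:20:30", "carol", "192.0.2.44", 33001, accepted=True)]
)


def parse_auth_log(text):
    """Return one event dict per password-auth line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        verb, invalid, user, src, port = m.groups()
        events.append({"outcome": verb.lower(), "invalid": invalid is not None,
                       "user": user, "src": src, "port": int(port)})
    return events


def analyze(events, brute_threshold=10, spray_min_users=5):
    """Aggregate failures per source and emit (kind, source, detail) findings.
    brute_force: one source hammering one account; password_spray: one source
    touching many accounts with few failures each; invalid_user_attempts: the
    source is probing usernames; success_after_failures: a login succeeded
    after failures from the same source and deserves a closer look."""
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> count
    invalid_users = defaultdict(set)
    findings = []
    for ev in events:
        if ev["outcome"] == "failed":
            failures[ev["src"]][ev["user"]] += 1
            if ev["invalid"]:
                invalid_users[ev["src"]].add(ev["user"])
        elif failures.get(ev["src"], {}).get(ev["user"], 0) > 0:
            findings.append(("success_after_failures", ev["src"], ev["user"]))
    for src, per_user in failures.items():
        for user, n in per_user.items():
            if n >= brute_threshold:
                findings.append(("brute_force", src, user))
        if len(per_user) >= spray_min_users and max(per_user.values()) < brute_threshold:
            findings.append(("password_spray", src, len(per_user)))
        if invalid_users[src]:
            findings.append(("invalid_user_attempts", src, tuple(sorted(invalid_users[src]))))
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_auth_log(SAMPLE_LOG)):
        print(*finding)
```

The detector deliberately ignores timestamps to stay short; a production rule counts within a sliding window (the same window the lockout policy uses) and correlates across sources, since real spraying is routinely distributed over many IP addresses so that no single source crosses a per-source threshold. The "success after failures" finding is the one that matters most in incident response: it is the point at which an online attack stopped being noise.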

Conclusion

Compared to offline scenarios, online password attacks are significantly less efficient and, due to their direct interaction with the target system, relatively easy to detect. Their success largely depends on the quality of the chosen passwords and the absence of effective protection mechanisms.

In penetration testing, they primarily serve as an indicator of weak credentials and insufficient implementation of basic security controls such as rate limiting or account lockout mechanisms.


Contact

binsec GmbH
Clemensstraße 6-8
60487 Frankfurt am Main
Germany
