Republic of the Philippines
National Police Commission
PHILIPPINE NATIONAL POLICE
ANTI-CYBERCRIME GROUP
Camp BGen Rafael T Crame, Quezon City

ACG-CYBER SECURITY BULLETIN NR 265: BE WARY OF DICTIONARY ATTACKS

Reference Number ACG-CSB 091322265

     The following information was obtained from different cyber security sources for notification to all parties concerned, pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG). It is classified as Restricted pursuant to PNP Regulation 200-012 on Document Security, with an Impact Rating of High based on the PNP Information and Communication Technology (ICT) Security Manual s.2010-01, p. 22 and p. 129.

SUMMARY

     A dictionary attack is a type of brute-force attack in which every word in a dictionary is systematically tried as a password in order to gain access to a password-protected computer, network, or other IT resource. A dictionary attack can also be used to try to discover the key required to decrypt an encrypted message or document.

     Dictionary attacks work because many computer users and businesses use common words as passwords. They are typically unsuccessful against systems whose passwords are multi-word passphrases or are made up of random uppercase and lowercase letters and numbers.

     Against systems with strict password restrictions, a full brute-force attack, in which every conceivable combination of characters and spaces up to a given maximum length is tried, can occasionally succeed. A brute-force attack can, however, take a very long time to produce results.

     In a dictionary attack, candidate passwords are drawn from a pre-selected library of words and phrases. These lists contain common patterns that differ by region: attackers incorporate words related to sports teams, monuments, cities, addresses, and other regionally specific items when building their attack dictionaries.

     Every system must provide a mechanism to log in, and that front door is the simplest place from which to attack it. With the necessary login information, an attacker can log in normally without creating unusual log entries, triggering IDS signatures, or needing an unpatched vulnerability; life is simpler still with the system administrator's credentials. The following is an overview of how attackers who have neither of these conveniences use brute-force and dictionary attacks to gain access.

     Because they lack the credentials to log in legitimately, attackers frequently begin by searching for the target's email address or domain in password dumps from compromised websites. A password may still work if the target reused it on a website that was later compromised; knowledgeable users, however, use a different password for every site. The attacker is then left with two more direct approaches: a brute-force attack or a dictionary attack.

RECOMMENDATION

     All PNP personnel as well as the public are advised to follow these tips to avoid becoming a victim of dictionary attacks:

  • Set up multi-factor authentication where possible;
  • Use biometrics in lieu of passwords;
  • Limit the number of attempts allowed within a given period of time;
  • Force account resets after a certain number of failed attempts;
  • Rate-limit the speed of password acceptance to increase the time and resources needed for attackers to guess the password;
  • Include Captchas to prevent automated log-in attempts;
  • Ensure passwords are encrypted so they are less likely to be leaked; and
  • Restrict common words or passwords from being used. The NCSC publishes a list of common passwords that shouldn’t be allowed.
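The following is an added illustration of three of the recommendations above (a common-password denylist, a cap on failed attempts within a time window, and a forced lockout once that cap is reached); it is example code written for this page, not code from the PNP ACG or from the referenced websites. The thresholds, the five denylist entries and the class and function names are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

# Constructed denylist standing in for a published common-password list (illustrative entries only).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

MAX_FAILURES = 5        # failed attempts tolerated per window (assumed value)
WINDOW_SECONDS = 300    # sliding window over which failures are counted
LOCKOUT_SECONDS = 900   # lockout applied once MAX_FAILURES is reached


def is_allowed_password(candidate: str) -> bool:
    """Reject any password found on the common-password denylist."""
    return candidate.lower() not in COMMON_PASSWORDS


class LoginThrottle:
    """Counts failed logins per account and enforces a temporary lockout."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                   # injectable for testing
        self.failures = defaultdict(deque)   # account -> failure timestamps
        self.locked_until = {}               # account -> unlock time

    def is_locked(self, account: str) -> bool:
        """True while the account is inside its lockout period."""
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:            # lockout expired: reset state
            del self.locked_until[account]
            self.failures[account].clear()
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Record a failed attempt; return True if it triggers a lockout."""
        now = self.clock()
        window = self.failures[account]
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()                 # drop failures outside the window
        window.append(now)
        if len(window) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, account: str) -> None:
        """A successful login clears the account's failure history."""
        self.failures[account].clear()
```

A login handler would call `is_allowed_password` when a password is set, check `is_locked` before verifying credentials, and call `record_failure` or `record_success` after each attempt.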

For additional information, please refer to the following websites:

  • https://www.rapid7.com/fundamentals/brute-force-and-dictionary-attacks/
  • https://www.csoonline.com/article/3568794/what-is-a-dictionary-attack-and-how-you-can-easily-stop-them.html
  • https://www.techtarget.com/searchsecurity/definition/dictionary-attack

POINT OF CONTACT

     Please contact PMAJ JUN-JUN S DAGURO, Police Community Relations Officer, by e-mail or on telephone number (632) 723-0401 local 7483 for any inquiries related to this CYBER SECURITY BULLETIN.