Home Page


Email & Spam

Security Terminology

Security Topics

VPN & Cryptography




Security Terminology

Password Attacks


WinSCP and Putty



Security Products Guide

Which Anti-Virus Software?

Which Firewall?

Which Spam Filter?

Which Internet Security Suite?


What is Guide

What is a Firewall?

What is a Virus?

What is Spam?


Essential Security Guides

Securing Windows XP Guide

Securing Windows Vista Guide

A Guide to Wireless Security



Top 8 Internet Security tips

Why both, Firewall and Anti Virus?

Free or purchased security - Which one?



Authentication and access control attacks



Common attacks against access control are dictionary attacks, brute force attacks and spoofed logon screens.

Dictionary attacks

These are programs with built in dictionaries. They would use all dictionary words to attempt and find the correct password, in the hope that a user would have used a standard dictionary word.

Brute force

This type of attack is attempting to break the password by trying all possible words, in the alphabet. You can set the software to start from 2 combination letter and keep keep going to 3 combinations, and then 4 and so on. The program would attempt all possible combinations including special keywords. However after 6 or 7 combinations it can take a long time to exhaust all keyword. In fact it is not worth attempting beyond an 8 letter combination as most computers will take a very long time exhausting all possibilities, we are talking weeks, months and years depending on the number of letters and the processing power of the computer.

Spoofed logon screens

The last access control attack is to implement a fake logon screen, and when a user attempts to login, the logon screen will send the username and password to the hacker.

Prevention against authentication and access control attacks

To circumvent these type of attacks, passwords should be long, complex and changed every so often. If the password is used many times a day and protects important information, then it should be changed more often. There should be a strong password policy in place to enforce this, as well as enforcing other measures such as locking users out after so many logon attempts, etc. To circumvent against spoofed logon screens, this can be almost unavoidable if the fake logon screen has already been installed on a computer. The prevention for this attack is to have secure endpoints, where these fake logon screens can not be implemented.

Further Reading

Wikipedia's guide to Authentication

For further reading, there's some excellent electronic ebooks available for download from eBooks.com