Testing user base by performing scheduled dictionary attacks

Question

For my new website, written in PHP, I intent to regularly test the vulnerability of my users' passwords. My main concern is whether a brute force attack can be used (e.g. a dictionary attack).

My current design is to use a security script that performs a dictionary attack on a number of users. After the script has established that the password can be hacked, I want to send a mail to the user that we strongly advice them to improve the password. The mailing, scripting etc part is easy. However, can someone give me pointers how to implement this dictionary "attack"?

I really appreciate any help you can provide.

EDIT: The bit I'm actually interested in, is when the "hacker" tries to get entry to the website via the normal login form.

My current countermeasures already are: In the current db all passwords are encrypted with BCrypt, I use prepared statements to prevent SQL injection, a temporary lock-out (5 minutes) when one IP adres has tried too many times, and try to prevent XSS.

However, I still want to warn a user when I deem his password not safe, without just shutting him out, the choice is still up to him if he wants to continue with this password.

Answer 1

While it is vital that you first protect your site from brute force attacks(lockout) a dictionary test is actually quite good and can assist users by informing them they are using weak passwords.

Another argument that can occur is to not allow user signups with weak passwords. If you choose this method then I am of the ilk that you are doing yourself and the internet as a whole a favor. The standard user would argue against this though and there is the potential loss of users/customers.

Depressingly most will ignore it, but some will listen. Anyhoo. Down to code :)

So firstly build your password list, it does not take a genius to google for one. We will pretend that list.txt is your password list.

Edited: Implemented various rules to generate passwords from passed string so that even if we only have a relatively weak password list we can return multiple versions of it.

$users = array(); // Fill it via any means you want, we will 
                  // pretend its an array of username + password

foreach($users as $user) {
    // We are going to loop through each line in the list and 
    // then check it against the password
    while($line = fread('list.txt')) {
        $hashes = $this->hashPassword($line);
        foreach($hashes as $hash) {
            if($user['password'] == $hashedPassword) { 
                echo $user['username'] . ' has a weak password of ' . $line . '<br>';
            }
        }
    }
}

function hashPassword($password) {
    $simple = hash('sha256', $password);
    $numberReplace = hash('sha256', str_replace(array("o", "i", a"), array(0, 1, 4), $password)); 
    $stupidUserPassword = hash('sha256', ucfirst($password) . "1");

    return array($simple, $numberReplace, $stupidUserPassword);
}

This is but one example so look at some other answers too which might be helpful. Any questions feel free to ask.

Edit 1: Awesome commentor spotted a flaw in my logic, tbh it was a fairly horrible flaw - cheers.

Edit 2: Google rainbow tables and how to generate for your particular needs. Pre-hashed lists that would speed up this execution if you are really hardcore about it :)

Answer 2

In it's most simple form you could compare the plain text password (which you have only at the time of user registration) against every line in a dictionary. I think that approach is simple enough that a code example is not needed.

However the fact that you're concerned about this suggests that you may be implementing your hashes incorrectly.

You should be generating a unique salt for each hash, and using that as a prefix to the password. This salt adds strength to passwords which would otherwise be weak, and therefore means a dictionary search is pointless.

The consequence of adding salt means any attacker can only attack a single password at a time, (and needs to know the unique salt). It basically defeats a brute force attack where the attacker does not know the salt. And radically slows down an attack where the attacker does know the salt