Tuesday, July 05, 2005

Dictionary Attack on Your Hashed Passwords

Whenever we store a hashed password in a file or in a database, it may still be possible for an intruder who obtains that file to recover the password using a 'dictionary' attack.

Here's what the MSDN says:
Hashed passwords stored in a text file cannot be used to regenerate the original password, but they are potentially vulnerable to a dictionary attack. In this type of attack, the attacker, after gaining access to the password file, attempts to guess passwords by using software to iteratively hash all words in a large dictionary and compare the generated hashes to the stored hash. If you store hashed passwords by any storage mechanism, you should require your users to choose passwords that are not common words and that contain some numbers and nonalphanumeric characters to help prevent dictionary attacks.
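As an added example (my own code, not part of the original post and not from MSDN), the script below shows both halves of the paragraph above: first, the audit an administrator can run over their own password store to find accounts whose unsalted hash matches a dictionary word (one hash per word covers the whole file, which is why fast unsalted hashes are weak), and second, the storage scheme that blunts this, a random per-user salt plus a slow key-derivation function. The password file, user names and word list are constructed for the example; the functions `audit_unsalted_hashes`, `hash_password` and `verify_password` are hypothetical names chosen here, and the use of PBKDF2-HMAC-SHA256 is my choice rather than anything the post specifies.

```python
import hashlib
import hmac
import os

# Constructed sample "password file": username -> unsalted SHA-256 hex digest.
# These are not real credentials; they are built inline for this example.
SAMPLE_PASSWORD_FILE = {
    "alice": hashlib.sha256(b"sunshine").hexdigest(),
    "bob": hashlib.sha256(b"Tr0ub4dor&3").hexdigest(),
}

# Constructed small dictionary of common words.
SAMPLE_DICTIONARY = ["password", "letmein", "sunshine", "welcome"]


def audit_unsalted_hashes(password_file, dictionary, algorithm="sha256"):
    """Return {user: word} for users whose stored unsalted hash equals the
    hash of a dictionary word.

    With no salt, each word has to be hashed only once to be compared against
    every stored hash, so the cost of checking the whole file is tiny.
    """
    lookup = {hashlib.new(algorithm, word.encode()).hexdigest(): word
              for word in dictionary}
    weak = {}
    for user, digest in password_file.items():
        if digest in lookup:
            weak[user] = lookup[digest]
    return weak


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Hardened storage: a random 16-byte salt per user plus a slow KDF
    (PBKDF2-HMAC-SHA256). The salt forces an attacker to redo the work for
    every user, and the iteration count makes each guess expensive."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt and iteration count and compare
    in constant time, so verification leaks nothing through timing."""
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported hash scheme")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("weak accounts:", audit_unsalted_hashes(SAMPLE_PASSWORD_FILE, SAMPLE_DICTIONARY))
    stored = hash_password("sunshine")
    print("stored form:", stored)
    print("verify ok:", verify_password("sunshine", stored))
    # Same password, different stored value: a precomputed one-hash-per-word
    # table no longer applies across users.
    print("salted twice differ:", hash_password("sunshine") != hash_password("sunshine"))
```

Running the audit over the constructed file flags only alice, whose password is a plain dictionary word; bob's is not in the list. The salted PBKDF2 form still lets a weak password be guessed for one user, but each guess now costs hundreds of thousands of HMAC iterations and cannot be reused across accounts, which is the practical effect of the advice MSDN gives.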