CAPEC-16: Dictionary-based Password Attack
ID
CAPEC-16
Typical Severity
High
Likelihood Of Attack
Medium
Status
Draft
An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.
Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.
Weaknesses
| # ID | Name | Type |
|---|---|---|
| CWE-262 | Not Using Password Aging | weakness |
| CWE-263 | Password Aging with Long Expiration | weakness |
| CWE-307 | Improper Restriction of Excessive Authentication Attempts | weakness |
| CWE-308 | Use of Single-factor Authentication | weakness |
| CWE-309 | Use of Password System for Primary Authentication | weakness |
| CWE-521 | Weak Password Requirements | weakness |
| CWE-654 | Reliance on a Single Factor in a Security Decision | weakness |