WebCrack: Dynamic Dictionary Adjustment for Web Weak Password Detection based on Blasting Response Event Discrimination

The feature diversity of different web systems in page elements, submission contents and return information makes it difficult to detect weak password automatically. To solve this problem, multi-factor correlation detection method as integrated in the DBKER algorithm is proposed to achieve automatic detection of web weak passwords and universal passwords. It generates password dictionaries based on PCFG algorithm, proposes to judge blasting result via 4 steps with traditional static keyword features and dynamic page feature information. Then the blasting failure events are discriminated and the usernames are blasted based on response time. Thereafter the weak password dictionary is dynamically adjusted according to the hints provided by the response failure page. Based on the algorithm, this paper implements a detection system named WebCrack. Experimental results of two blasting tests on DedeCMS and Discuz! systems as well as a random backend test show that the proposed method can detect weak passwords and universal passwords of various web systems with an average accuracy rate of about 93.75%, providing security advisories for users' password settings with strong practicability.
Comment: 22 pages, 6 figures, 4 tables