The diversity of web systems in their page elements, submitted content and returned information makes it difficult to detect weak passwords automatically. To address this problem, a multi-factor correlation detection method, integrated in the DBKER algorithm, is proposed to achieve automatic detection of web weak passwords and universal passwords. It generates password dictionaries with the PCFG algorithm and judges the result of each blasting (brute-force login) attempt in four steps, combining traditional static keyword features with dynamic page feature information. Blasting failure events are then distinguished, and usernames are blasted based on response time. Thereafter, the weak-password dictionary is dynamically adjusted according to the hints provided by the response failure page. Based on this algorithm, the paper implements a detection system named WebCrack. Experimental results from two blasting tests on the DedeCMS and Discuz! systems, together with a random backend test, show that the proposed method can detect weak passwords and universal passwords across various web systems with an average accuracy of about 93.75%, providing practical security advisories for users' password settings.