
Most effective username:password ratio for mass bruteforcing?



Let's say the end goal of an attack is just to get a maximum amount of random working logins for a given website.
You have a list of usernames (1 million for example).
What would be the most effective username-to-password ratio to use for the attack - given you have 1 week to complete it?

A: Use 100 usernames with a huge password list of 1 million passwords
B: Roughly same amount of usernames and passwords
C: Use all 1 million usernames, testing each with only 100 most commonly used passwords?

Out of experience, which do you think would be the most effective?


The first step would be more recon on the target. If you could find their method for assigning usernames then the list can be reduced to allow for more password utilization.

Another very useful piece of info is if they have password requirements.  This could really help define things like length, characters used, etc.

If you are going in completely "blind" then you are leaving the best answer more to chance. I'm sure some users' experience will have a more likely answer to this question but it can be situational as well.

Another way to maximize things would be use of rainbow tables / databases but there is a memory trade off doing this. 

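From the defending side, the three ratios in the question leave different footprints in failed-login logs. The following is an added example, not part of the original thread: it labels each source address by how many accounts it touched and how many failures each account received, and shows which accounts a per-account lockout counter alone would flag. The event data, thresholds, labels and function names are all constructed for illustration.

```python
from collections import defaultdict

def sample_events():
    """Constructed failed-login events as (source_ip, username) pairs."""
    events = []
    for user in ("alice", "bob"):            # few accounts, many failures (option A)
        events += [("192.0.2.10", user)] * 300
    for i in range(400):                     # many accounts, few failures (option C)
        events += [("198.51.100.7", f"user{i}")] * 3
    events += [("203.0.113.5", "carol")] * 2  # ordinary mistyped password
    return events

def classify_sources(events, min_failures=50, many_users=50, many_per_user=20):
    """Label each source by the shape of its failures (thresholds are assumptions)."""
    per_source = defaultdict(lambda: defaultdict(int))
    for src, user in events:
        per_source[src][user] += 1
    report = {}
    for src, users in per_source.items():
        total = sum(users.values())
        distinct = len(users)
        per_user = total / distinct
        if total < min_failures:
            label = "normal"
        elif distinct >= many_users and per_user >= many_per_user:
            label = "broad-and-deep"          # option B shape
        elif distinct >= many_users:
            label = "password-spray"          # option C shape
        elif per_user >= many_per_user:
            label = "targeted-bruteforce"     # option A shape
        else:
            label = "elevated"
        report[src] = {"failures": total, "users": distinct,
                       "per_user": round(per_user, 1), "label": label}
    return report

def accounts_over_lockout(events, lockout_after=5):
    """Accounts that a per-account failure counter alone would flag."""
    counts = defaultdict(int)
    for _, user in events:
        counts[user] += 1
    return {u for u, n in counts.items() if n >= lockout_after}

if __name__ == "__main__":
    for src, row in classify_sources(sample_events()).items():
        print(src, row)
    print("per-account counter flags:", sorted(accounts_over_lockout(sample_events())))
```

On this sample the per-account counter flags only the two heavily targeted accounts, which is why failures are also aggregated per source before alerting or rate limiting.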


This topic is now archived and is closed to further replies.
