From 83728c1df429f6a53f1532566fde42fdf67f2c2c Mon Sep 17 00:00:00 2001 From: Thomas Vanbesien Date: Thu, 26 Mar 2026 14:50:07 +0100 Subject: Add brute force password guessing solution and project subject --- Brute force password guessing/notes.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 Brute force password guessing/notes.md (limited to 'Brute force password guessing/notes.md') diff --git a/Brute force password guessing/notes.md b/Brute force password guessing/notes.md new file mode 100644 index 0000000..a66c5dc --- /dev/null +++ b/Brute force password guessing/notes.md @@ -0,0 +1,14 @@ +1. Found an email in a hidden `` tag in the **Recover Password** page: `webmaster@borntosec.com` +1. Got a list of common passwords to test from [https://github.com/duyet/bruteforce-database/blob/master/38650-password-sktorrent.txt]() +1. Made a script to brute force the login + +If you're getting false positives with the script use a smaller `BATCH_SIZE`. + +**How to protect against this?** + +[https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy]() + +- 2FA +- Strong password policy +- Forbid password reuse +- Password aging -- cgit v1.2.3
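Review bot: the two links in notes.md use `[https://...]()`, which puts the URL in the link text and leaves the destination empty, so both render as links to nothing; use the autolink form (`<https://github.com/duyet/bruteforce-database/blob/master/38650-password-sktorrent.txt>`) or `[label](url)`. Two smaller points in the same hunk: the first list item says the email was found in a "hidden `` tag" but the inline code span is empty, so the tag name never made it into the note; and the "If you're getting false positives ... use a smaller `BATCH_SIZE`" line refers to a script that the note never names or links, so a reader of notes.md alone cannot find it. On the mitigation list under "How to protect against this?": the four items (2FA, strong password policy, forbid reuse, aging) all address password strength, while the control that directly stops a brute-force login script is limiting the guess rate (account lockout or throttling after N failed attempts, per-IP/per-account rate limiting, CAPTCHA after repeated failures) plus alerting on bursts of failed logins; consider adding those, and note that mandatory password aging is no longer recommended by NIST SP 800-63B, which advises against forced periodic rotation.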