Most web application users do not follow the recommendations for using difficult, non-dictionary access data. They often base their passwords on words and phrases they easily won't forget. These words are children's names, street addresses, favorite football team, place of birth, etc.User accounts – Especially administrative accounts should be protected with hard-to-guess access data.
To test whether access data is not too easy to guess, you can use the hydra tool together with a specially prepared list of the most popular access passwords e.g. rockyou.txt. Hydra is a tool that, in a balanced manner, supports several threads at the same time, automatically attempts to log on to network resources. Supports many protocols such as Cisco AAA, Cisco auth, Ciscoenable, CVS, FTP, HTTP(S)-FORM-GET, HTTP(S)-FORM-POST. In its operation it is very fast and flexible. It allows you to set a query period to avoid blocking. You can also add new modules. On Ubuntu, you can install it from the synaptic package manager. On Kali Linux, it is already available by default.
The figure below shows the use of the hydra tool against an application that uses easy access data.
Figure. An example of using the hydra tool against the application being tested. Source: [Own study]
