Dictionary Attack

Dictionary Attack

Of course, one Administrator can build the best protections to avoid intrusion on your system, but if your users use always the same predictable passwords there’s no way out.


According to a Keeper Security study, here is a list of the most common passwords ever produced consciously by users:

  • 123456
  • 123456789
  • qwerty
  • 12345678
  • 111111
  • 1234567890
  • 1234567
  • password
  • 123123
  • 987654321
  • qwertyuiop
  • mynoob
  • 123321
  • 666666
  • 7777777
  • 1q2w3e4r
  • 654321
  • 555555
  • google
  • 1q2w3e4r5t
  • 123qwe
  • zxcvbnm
  • 1q2w3e

But there’s more. If a user uses a “single word” included in any languages’ vocabulary, his password can be easily detected using the Dictionary attack.

It could be implemented thanks to a script that progressively tries all the words of all languages’ vocabulary. An approximate number of all words known in the world is 5,000,000 considering Chinese and Italian languages. But the list of most common words is lighter: it consists in a dictionary of 60-100,000 words.

How much time does a script take to test all of them to penetrate your system? Minutes.


It’s an easy but effective technique.
In order to protect your system against this kind of attack you should force users to have at least a number, a special character or an uppercase letter in their password.
A preventive test could be done here: Password Checker.

Thanks to a user of ours: Emma Roberts, we would like to suggest a Free Password Generator Tool:  VPNMentor’s Secure Password Generatorplease find which fits you best!

Contact us

Feel free to contact us for commercial or technical questions

    Brute Force Attack


    Brute Force Attack

    Brute-force Attack

    What is actually a Brute-force Attack, and how can i protect my CRM system against it?

    A Brute-force attack is the most simple way to try to access in a system without being authorized; but it’s effective. With this technique, an attacker has the mathematical certainty to find a way to go inside.


    A Brute-force attack satisfies the following characteristics:

    • guess every possible password;
    • time to break the system depends on the length and complexity of the password choosen;
    • usually ine system could be considered safe if it forces users to adopt  long and complicated passwords.

    How it works

    A Brute-force attack consists of an enormous continued repetition of attempts to find the right combination of user names and passwords.
    It’s usually conducted by bots, automatic programs that replicates human enterings.

    Like in every battle, there are some factors that could help the attacker while others help the defender; let’s focus on the first ones in order to strengthen the protections:

    Admin user

    If the Crm Administrator uses “admin” as its username, half of the attacker’s job is already done, because it has only to try all the combinations of passwords with any length and any carachter.


    If your CRM system location is predictable, like:

    • crm.yourcompanyname.com
    • www.yourcompanyname.com/crm

    then the attacker knows where to intervene and how to set its automatic bots.

    In case the attacker is an old workmate or a former employee, the CRM URL is obviously known. It’s “overkill” to change URL:  think of the disorder that would be caused to the colleagues that should save the new link in their browsers or Apps.

    But don’t worry; there are easier solutions.

    Protection in Passwords

    One classical way to protect your system is to oblige your employees to use a strong password. You can easily set the password requirements in the Password Management panel in the admin page: https://support.sugarcrm.com/Documentation/Sugar_Versions/6.5/Ent/Administration_Guide/Password_Management/index.html

    Please note that some of the settings showed in the previsious link are related to SugarCrm paid versions. You can always achieve that with custom development.

    Think different

    Instead of wasting precious energy, fighting against potential threats and trusting the procedures to ensure that employees adopt strong passwords and\or renew them often, you can introduce an automatic barrier that bans any potential intruder as soon as you exceed the maximum number of allowed attempts.

    With a solution like CRM Defender there will be no way to hijack your system, because the Web Server itself, duly instructed by CRM Defender, will block intruders.

    Contact us

    Feel free to contact us for commercial or technical questions

      Data Protection

      Data Protection

      In an increasingly connected world, where competitiveness is the dominant value, Data protection plays a crucial role. First of all it’s a must to keep a way to have back your data in case of emergency.

      One of the key challenge for a Small Medium Business is to keep its own data as much safe as possible. And reducing the amount to invest in defense.

      For a startup business the first target to reach is to survive but after reaching this out, it’s important to start thinking about the potential losses caused by a breach in the system.

      Contact us

      Feel free to contact us for commercial or technical questions

        CRM Security

        CRM Security

        Your CRM Data are vital for your business. To protect them is an obvious priority. No mather if your CRM runs on Premise or on a Cloud service: if someone tries to force your passwords, and you don’t take any countermeasure, soon or later, your CRM Data will at the mercy of the attacker.
        But if you act properly there’s nothing to worry about.

        The first thing in order to achieve that is to enforce users to use strong passwords or to generate them using autocreation tools.
        You can also ask to your IT manager to ban some IP addresses from where suspicious attempts come. This require that you or your workmate keep an eye on potentially fraudulent login attempts tracking such behavior on your Server or on your Local Net proxy.
        If you are on a hosted environment, you can use a tool like cPanel > IP Address Deny Manager:

        This obviously requires that you are aware of which is the IP of the attacker, or its IP range. So it could take time to prevent further intrusions. Best choice is always to automate this flow; this will let your system protected even if the “IT Manager is on holydays”.

        Another difficult task you can experience, if your system is accessed from a large set of IPs, potentially from different country, is to check for failed login attempts.  To do so, one would need to check directly on the CRM log. But there is another problem: SugarCRM itself doesn’t allow you to know from where a suspicious attempt came.

        I.e. a failed attempt on “admin” user would add on sugarcrm.log two rows like:

        Fri Mar 3 19:00:00 2017 [35403][-none-][FATAL] SECURITY: User authentication for admin failed
        Fri Mar 3 19:00:00 2017 [35403][-none-][FATAL] FAILED LOGIN:attempts[1] - admin

        that is simply ineffective.

        Contact us

        Feel free to contact us for commercial or technical questions

          Copyright All Rights Reserved 2021 CRM Defender - Lion Solution Srls