In this article, we will cover dictionary attacks: what they are, how they work, and when it is best to use them.
A dictionary attack is simple in theory. It rests on a simple assumption: users do not want to, or cannot, memorize long random sequences of characters, so they pick existing words, typically from a natural language.
You can therefore take a dictionary or a word list and hash every entry in it. When a computed hash matches the password hash you are trying to break, you have found the password.
A typical dictionary attack scenario
In a typical dictionary attack scenario, you will have a list of words. Those words can come from the English language (you could literally use the Oxford Dictionary and try every word), or they can be a more nuanced and optimized list of passwords, as we will see in some examples later on. In a dictionary attack, you hash every word.
The attack therefore takes more or less time depending on the number of words you use.
Dictionary attacks are best for scenarios when you are dealing with passwords that are most likely single words or based on words.
Typically, you will use this type of attack if you know that you’ll be cracking longer words instead of random passwords. You can customize which words to use, add rules to them, and even modify words according to a pattern before hashing them.
For example, you can add numbers or replace characters with numbers and symbols that resemble the original letters — e.g. “p@s$w0rd” instead of “password”.
Yes, users could use password managers; we will see in a later section that these do not solve every problem. In practice, users are able to memorize words, words with modifications, and so on.
Your customization also depends on your word list. A word list such as rockyou.txt, which stores the most common passwords, can be useful even for passwords that do not resemble a single word with modifications. But a word list will most likely not contain random character sequences.
Unless you explicitly add such sequences to the list, you will not be able to break passwords of that kind. Multi-word passwords are also difficult to handle unless you use modification rules, and even then they take more time to break.
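As an added example (not code from the original article), here is a small self-audit in Python that applies the word-plus-rules idea described above to a set of salted SHA-256 hashes. The wordlist, the rule set, the accounts and the salts are all constructed for the demonstration; the point is to see how many candidates a few simple rules generate and which stored hashes they reach.

```python
import hashlib

# Constructed sample wordlist standing in for a file such as rockyou.txt.
WORDLIST = ["password", "letmein", "cowboys", "longhorns", "sunshine"]

# Rules in the spirit of the article: letter-to-symbol substitutions,
# capitalisation, and appended digits or years.
LEET = str.maketrans({"a": "@", "s": "$", "o": "0", "e": "3", "i": "1"})
SUFFIXES = ("", "1", "123", "!", "2018", "2019")

def candidates(word):
    """Yield every variant of `word` that this rule set produces."""
    forms = {word, word.capitalize(), word.upper(), word.translate(LEET),
             word.capitalize().translate(LEET)}
    for form in sorted(forms):
        for suffix in SUFFIXES:
            yield form + suffix

def sha256_hex(text, salt=""):
    """Salted SHA-256, used only to keep the example short (see note below)."""
    return hashlib.sha256((salt + text).encode()).hexdigest()

def audit(stored, wordlist=WORDLIST):
    """stored maps username -> (salt, hex digest). Returns {username: candidate}
    for every account whose hash is matched by a wordlist entry plus rules."""
    found = {}
    for user, (salt, digest) in stored.items():
        for word in wordlist:
            hit = next((c for c in candidates(word)
                        if sha256_hex(c, salt) == digest), None)
            if hit is not None:
                found[user] = hit
                break
    return found

def candidate_count(wordlist=WORDLIST):
    """Number of hashes one pass over the wordlist costs with these rules."""
    return sum(1 for w in wordlist for _ in candidates(w))

if __name__ == "__main__":
    # Constructed test accounts; the salts and passwords are made up.
    sample = {
        "alice": ("s1", sha256_hex("p@$$w0rd1", "s1")),
        "bob":   ("s2", sha256_hex("Longhorns2019", "s2")),
        "carol": ("s3", sha256_hex("xK9#vT2q!mL4", "s3")),  # random, not word-based
    }
    print(audit(sample))        # alice and bob are recovered, carol is not
    print(candidate_count())    # 150 candidate hashes for this wordlist and rule set
```

SHA-256 is used here only to keep the example short; a real password store should use a deliberately slow hash such as bcrypt or Argon2, which makes every one of those candidates far more expensive to test.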
Dictionary attacks compared to brute force attacks
Let’s consider a quick comparison with brute force attacks for context. Brute force attacks are best used for short, random passwords, while dictionary attacks are the better tool for cracking longer passwords based on real words, or whatever words your dictionary contains.
Dictionary attacks are a bit harder to set up than brute force attacks, but they are still not too hard.
Brute-force attack definition:
“An attack in which cybercriminals utilize trial-and-error tactics to decode passwords, personal identification numbers (PINs), and other forms of login data by leveraging automated software to test large quantities of possible combinations.”
Dictionary attack definition:
“A type of brute force attack where an intruder attempts to crack a password-protected security system with a “dictionary list” of common words and phrases used by businesses and individuals.”
Both are common types of cybersecurity attack in which an attacker tries to log in to a user’s account by systematically trying possible passwords and passphrases until the correct one is found. Brute-force and dictionary attacks are common because many people reuse common password variations.
After all, the easiest way to attack a system is through the front door, and there must be some way to log in. If you have credentials, you can log in as a normal user would, likely without generating suspicious log entries, tripping IDS signatures, or needing an unpatched vulnerability. If you have the credentials for the system administrator, life is even easier. Attackers have neither of these luxuries; here’s an overview of how they utilize brute-force and dictionary attacks to gain access.
Attackers lack the necessary credentials to log in normally, so they’ll frequently start their attack by looking for a target's email address or domain in password dumps from a compromised website. If the target reused their password on a website that was later compromised, that password may still be valid. But savvy users (and hopefully sysadmins) will use unique passwords everywhere. So the attacker must now turn to one of two more direct attacks: dictionary attacks and brute-force attacks.
In a dictionary attack, the attacker uses a wordlist in the hope that the user’s password is a commonly used word (or a password seen on previous sites). Dictionary attacks are optimal for passwords based on a simple word (e.g. 'cowboys' or 'longhorns'). Wordlists are not restricted to English words; they often also include common passwords (e.g. 'password', 'letmein', 'iloveyou', or '123456'). But modern systems prevent their users from choosing such simple passwords, requiring them to come up with strong passwords that would hopefully not be found in a wordlist.
To conduct a brute-force attack, an attacker may use a tool to attempt every combination of letters and numbers, expecting to eventually guess the password. If the attacker knows that an organization requires special characters in their password, the tool could be instructed to include letters, numbers, and symbols. Every password, no matter how strong, is vulnerable to this attack. However, this method is going to take a while (years, if the password is long enough).
The time required to crack a short password (such as a four-digit PIN) might be under a minute. Extending that to six characters could take an hour. Extending that to eight characters, with both letters and symbols, might take days. Note that each additional character multiplies the time a brute-force attack needs, so the cost grows exponentially with length. A strong, lengthy password could therefore take weeks or months. But with enough computing power and a particularly dedicated attacker, the password would eventually be discovered.
Best practices to defend against dictionary and brute-force attacks
Using a strong, uncommon password will make an attacker's job more difficult, but not impossible. Luckily, there are more preventative measures that end users and system administrators can take to prevent (or detect) these attempts:
Slow down repeated logins: This is the simplest countermeasure available. An end user is unlikely to notice a 0.1 second delay while logging in, but that delay would accumulate quickly for an attacker, especially if they cannot parallelize their attempts.
Force captchas after multiple failed logins: While a user could simply have forgotten which password they used for the account, this will slow down an attacker significantly. It is a great deterrent because modern captchas are difficult to defeat with computers; many require manual input to be solved.
Lock accounts: Even better, a system can be configured to lock an account after a specified number of failed login attempts. Many websites trigger additional protections for accounts with repeated bad password attempts. In the extreme case, an iPhone will self-destruct (wipe all data) after 10 tries.
Refresh passwords: Modern systems typically require users to cycle passwords regularly. Some corporate environments require users to change passwords every 90 days, or maybe even every 30 days. The rationale behind this is that an attacker who is attempting a brute-force attack against a complex password would need weeks to succeed. If the password changes during that time frame, the attacker will need to start over. However, as many users would confess, these strict password requirements can backfire, with users choosing weaker, sequential passwords ('longhorns2018', 'longhorns2019', and so on). An attacker would quickly try incrementing the password.
Monitor for anomalies: Finally, a security-conscious organization should monitor user accounts for anomalies, such as logins from unrecognized locations or devices, or repeated login failures. A staffed Security Operations Center (SOC) can detect these events in real time and respond quickly by locking down an account, blocking an IP address, contacting the user, and looking for further activity from the same attacker.
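As an added example that is not part of the original text, the following Python turns the "lock accounts" and "monitor for anomalies" points above into detection logic run over constructed sshd-style log lines (the users, addresses and timestamps are made up). Within a sliding time window it flags an account hit by repeated failures, a single source failing against many different accounts (password spraying), and a successful login on an account that has already crossed the lockout threshold.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style log lines; users, addresses and times are made up.
LOG = """\
2024-05-01T10:00:01 sshd: Failed password for alice from 203.0.113.5
2024-05-01T10:00:02 sshd: Failed password for alice from 203.0.113.5
2024-05-01T10:00:03 sshd: Failed password for alice from 203.0.113.5
2024-05-01T10:00:04 sshd: Failed password for alice from 203.0.113.5
2024-05-01T10:00:05 sshd: Failed password for alice from 203.0.113.5
2024-05-01T10:00:06 sshd: Accepted password for alice from 203.0.113.5
2024-05-01T10:05:00 sshd: Failed password for bob from 198.51.100.7
2024-05-01T10:05:01 sshd: Failed password for carol from 198.51.100.7
2024-05-01T10:05:02 sshd: Failed password for dave from 198.51.100.7
2024-05-01T11:30:00 sshd: Failed password for bob from 192.0.2.9
"""
LINE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

def analyse(log, window=timedelta(minutes=1), max_failures=5, max_users=3):
    """Sorted alerts for: repeated failures on one account, one source failing
    against many accounts (spraying), and a success on an account past threshold."""
    per_user = defaultdict(deque)   # user -> failure timestamps inside the window
    per_ip = defaultdict(deque)     # ip -> (timestamp, user) failures inside the window
    locked, alerts = set(), set()
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        outcome, user, ip = m.group(2, 3, 4)
        if outcome == "Accepted":
            if user in locked:
                alerts.add(f"success after lockout threshold: {user} from {ip}")
            continue
        per_user[user].append(ts)
        per_ip[ip].append((ts, user))
        while ts - per_user[user][0] > window:          # expire entries outside the window
            per_user[user].popleft()
        while ts - per_ip[ip][0][0] > window:
            per_ip[ip].popleft()
        if len(per_user[user]) >= max_failures:
            locked.add(user)
            alerts.add(f"lock account: {user} ({len(per_user[user])} failures in window)")
        if len({u for _, u in per_ip[ip]}) >= max_users:
            alerts.add(f"password spraying from {ip}")
    return sorted(alerts)

if __name__ == "__main__":
    print("\n".join(analyse(LOG)))
```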