In cryptanalysis and computer security, a dictionary attack is an attack using a restricted subset of a keyspace to defeat a cipher or authentication mechanism by trying to determine its decryption key or passphrase, sometimes trying thousands or millions of likely possibilities[1] often obtained from lists of past security breaches.[2]
Technique
A dictionary attack is based on trying all the strings in a pre-arranged listing. Such attacks originally used words found in a dictionary (hence the phrase dictionary attack);[3] however, now there are much larger lists available on the open Internet containing hundreds of millions of passwords recovered from past data breaches.[4] There is also cracking software that can use such lists and produce common variations, such as substituting numbers for similar-looking letters. A dictionary attack tries only those possibilities which are deemed most likely to succeed. Dictionary attacks often succeed because many people have a tendency to choose short passwords that are ordinary words or common passwords; or variants obtained, for example, by appending a digit or punctuation character. Dictionary attacks are often successful, since many commonly used password creation techniques are covered by the available lists, combined with cracking software pattern generation. A safer approach is to randomly generate a long password (15 letters or more) or a multiword passphrase, using a password manager program or manually typing a password.
Pre-computed dictionary attack/Rainbow table attack
It is possible to achieve a time–space tradeoff by pre-computing a list of hashes of dictionary words and storing these in a database using the hash as the key. This requires a considerable amount of preparation time, but this allows the actual attack to be executed faster. The storage requirements for the pre-computed tables were once a major cost, but now they are less of an issue because of the low cost of disk storage. Pre-computed dictionary attacks are particularly effective when a large number of passwords are to be cracked. The pre-computed dictionary needs be generated only once, and when it is completed, password hashes can be looked up almost instantly at any time to find the corresponding password. A more refined approach involves the use of rainbow tables, which reduce storage requirements at the cost of slightly longer lookup-times. See LM hash for an example of an authentication system compromised by such an attack.
Pre-computed dictionary attacks, or "rainbow table attacks", can be thwarted by the use of salt, a technique that forces the hash dictionary to be recomputed for each password sought, making precomputation infeasible, provided that the number of possible salt values is large enough.[5]
Dictionary attack software
See also
- Brute-force attack
- E-mail address harvesting
- Intercontinental Dictionary Series, an online linguistic database
- Key derivation function
- Key stretching
- Password cracking
- Password strength
References
- ↑ Junghyun Nam; Juryon Paik; Hyun-kyu Kang; Ung Kim; Dongho Won (2009-03-01). "An off-line dictionary attack on a simple faire-part key exchange protocol". IEEE Communications Letters. 13 (3): 205–207. doi:10.1109/LCOMM.2009.081609. ISSN 1089-7798.
- ↑ "Oxford Languages and Google - English | Oxford Languages". languages.oup.com. Retrieved 2021-01-02.
- ↑ Jeff Atwood. "Dictionary Attacks 101".
- ↑ CrackStation's list. e.g., with over 1.4 billion words.
- ↑ "CAPEC - CAPEC-55: Rainbow Table Password Cracking (Version 3.5)". capec.mitre.org. Retrieved 2021-09-12.
External links
- RFC 2828 – Internet Security Glossary
- RFC 4949 – Internet Security Glossary, Version 2
- US Secret Service use a distributed dictionary attack on suspect's password protecting encryption keys
- Testing for Brute Force (OWASP-AT-004) Archived 2020-01-14 at the Wayback Machine