In cryptanalysis and computer security, a dictionary attack is an attack using a restricted subset of a keyspace to defeat a cipher or authentication mechanism by trying to determine its decryption key or passphrase, sometimes trying thousands or millions of likely possibilities[1] often obtained from lists of past security breaches.[2]

Technique

A dictionary attack is based on trying all the strings in a pre-arranged listing. Such attacks originally used words found in a dictionary (hence the phrase dictionary attack);[3] however, now there are much larger lists available on the open Internet containing hundreds of millions of passwords recovered from past data breaches.[4] There is also cracking software that can use such lists and produce common variations, such as substituting numbers for similar-looking letters. A dictionary attack tries only those possibilities which are deemed most likely to succeed. Dictionary attacks often succeed because many people have a tendency to choose short passwords that are ordinary words or common passwords; or variants obtained, for example, by appending a digit or punctuation character. Dictionary attacks are often successful, since many commonly used password creation techniques are covered by the available lists, combined with cracking software pattern generation. A safer approach is to randomly generate a long password (15 letters or more) or a multiword passphrase, using a password manager program or manually typing a password.

Pre-computed dictionary attack/Rainbow table attack

It is possible to achieve a time–space tradeoff by pre-computing a list of hashes of dictionary words and storing these in a database using the hash as the key. This requires a considerable amount of preparation time, but this allows the actual attack to be executed faster. The storage requirements for the pre-computed tables were once a major cost, but now they are less of an issue because of the low cost of disk storage. Pre-computed dictionary attacks are particularly effective when a large number of passwords are to be cracked. The pre-computed dictionary needs be generated only once, and when it is completed, password hashes can be looked up almost instantly at any time to find the corresponding password. A more refined approach involves the use of rainbow tables, which reduce storage requirements at the cost of slightly longer lookup-times. See LM hash for an example of an authentication system compromised by such an attack.

Pre-computed dictionary attacks, or "rainbow table attacks", can be thwarted by the use of salt, a technique that forces the hash dictionary to be recomputed for each password sought, making precomputation infeasible, provided that the number of possible salt values is large enough.[5]

Dictionary attack software

See also

References

  1. Junghyun Nam; Juryon Paik; Hyun-kyu Kang; Ung Kim; Dongho Won (2009-03-01). "An off-line dictionary attack on a simple faire-part key exchange protocol". IEEE Communications Letters. 13 (3): 205–207. doi:10.1109/LCOMM.2009.081609. ISSN 1089-7798.
  2. "Oxford Languages and Google - English | Oxford Languages". languages.oup.com. Retrieved 2021-01-02.
  3. Jeff Atwood. "Dictionary Attacks 101".
  4. CrackStation's list. e.g., with over 1.4 billion words.
  5. "CAPEC - CAPEC-55: Rainbow Table Password Cracking (Version 3.5)". capec.mitre.org. Retrieved 2021-09-12.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.