Dictionary attacks threaten the security of your networks and platforms. They try to compromise a user account by guessing a password that matches the real one. Learn how they work and how to beat them.
User accounts on computer systems, websites and hosting services must be protected from unauthorized access. User authentication is the most common way to do this. Users receive a unique user ID – for online accounts this is usually their email address – and a password. Both pieces of information must be provided and verified before the user can access the account.
Dictionary attacks are a family of cyber attacks that share a common technique. They use long lists – sometimes entire databases – of words, and software that reads each word from the list and tries it as the password for the account under attack. If one of the words in the list matches the real password, the account is compromised.
These attacks differ from the more primitive brute-force attack. A brute-force attack works through every possible combination of letters, digits and symbols in the hope of eventually stumbling on the password. Such attacks are inefficient: they are time consuming and computationally intensive.
The effort required to crack a password grows exponentially with each character you add. An eight-character password has orders of magnitude more possible combinations than a five-character one. There is no guarantee that a brute-force attack will succeed in any useful amount of time. With a dictionary attack, however, if one of the entries in the list matches your password, the attack succeeds quickly.
Of course, most corporate networks lock an account automatically after a certain number of failed login attempts. Very often, however, threat actors start with the company’s public websites, which tend to have weaker controls on login attempts. If they gain access to the website, they try the same credentials against the corporate network. If the user has reused the password, the threat actors are now inside your corporate network. In most cases the website or portal is not the real target; it is a staging post on the way to the threat actor’s actual prize, the corporate network.
Once they have access to the website, threat actors can inject malware that monitors login attempts and records user IDs and passwords. It either sends the information to the threat actors or logs it until they return to the website to collect it.
Not just words in a file
The earliest dictionary attacks were just that: they used words from a dictionary. This is why “never use dictionary words” became part of the standard advice on choosing a strong password.
Ignoring this advice, choosing a dictionary word anyway and then appending a number so that it no longer matches a dictionary entry is just as bad. The threat actors who write dictionary-attack software are wise to this. Their software tries every word from the list many times over, appending a different number on each attempt. This catches the common habit of taking a word and adding 1, then 2 and so on, each time a password change is required.
Sometimes the suffix is a two- or four-digit year: a birthday, an anniversary, the year your team won the cup or some other memorable event. Because people also use the names of their children or partners as passwords, the word lists were expanded to include male and female first names.
And the software evolved again. Schemes that substitute digits for letters, such as 1 for “i”, 3 for “e” and 5 for “s”, add no meaningful complexity to your password. The software knows these conventions and works through those combinations too.
All of these techniques are still used today, alongside other lists that contain no dictionary words at all. They contain actual passwords.
Where do the password lists come from?
The well-known Have I Been Pwned website holds a searchable collection of over 10 billion compromised accounts. Whenever a data breach occurs, the site’s maintainers try to obtain the leaked data. If they succeed, they add it to their database.
You are free to search their email address database. If your email address is in the database, you will learn which data breach leaked your information. For example, I found one of my old email addresses in the Have I Been Pwned database. It was leaked in the 2016 LinkedIn breach. This means that my password for that site would also have been exposed. But since all my passwords are unique, I only had to change the password for that one site.
Have I Been Pwned has a separate database of passwords. For obvious reasons you cannot match an email address to a password on the site. If you search for your password and find it in the list, that does not necessarily mean it came from one of your accounts: with 10 billion breached accounts there will be duplicate records. What it does tell you is how popular the password is. You thought your passwords were unique? Probably not.
Whether or not the password in the database came from one of your accounts, if it is on the Have I Been Pwned website it will be in the password lists used by threat actors’ attack software. It does not matter how complex or obscure your password is. If it is in a password list, you cannot trust it – change it immediately.
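The Pwned Passwords lookup can be done without sending the password, or even its full hash, to anyone: the client sends only the first five hex characters of the password’s SHA-1 and compares the returned suffixes locally. The following is an added example, not code from the original article or from Have I Been Pwned. It replaces the live range endpoint with an offline stand-in (`range_lookup`) built from a small constructed breach corpus with made-up counts, so it runs with no network access; the hash format and the five-character prefix scheme are the real service’s.

```python
import hashlib
from collections import defaultdict

# Constructed "breach corpus" standing in for the Pwned Passwords data set.
# The passwords are typical weak choices; the counts are made up for this example.
BREACHED_PASSWORDS = {
    "password": 3_730_471,
    "123456": 23_597_311,
    "qwerty": 3_946_737,
    "cloud1": 12,
    "Summer2016": 1_504,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords service uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def _build_ranges():
    """Group the corpus by the first five hex characters of each hash."""
    ranges = defaultdict(list)
    for pw, count in BREACHED_PASSWORDS.items():
        digest = sha1_hex(pw)
        ranges[digest[:5]].append(f"{digest[5:]}:{count}")
    return ranges


_RANGES = _build_ranges()


def range_lookup(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    The live service answers with one 'SUFFIX:COUNT' line for every hash that
    shares the five-character prefix; this returns the same format from the
    constructed corpus. For a real check, replace the body with an HTTPS request.
    """
    return "\n".join(_RANGES.get(prefix.upper(), []))


def pwned_count(password: str) -> int:
    """Return how many times the password appears in the breach corpus.

    Only the first five hex characters of the SHA-1 leave the client; the
    comparison against the remaining 35 characters happens locally.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "cloud1", "thirty.fjäder.girder"):
        n = pwned_count(pw)
        verdict = f"seen {n} times, do not use" if n else "not in corpus"
        print(f"{pw!r}: {verdict}")
```

A non-zero count means the password is already in the attackers’ lists and should be rejected at registration or password-change time, regardless of how complex it looks.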
Variations of password guessing attacks
Even with relatively low-brow attacks such as dictionary attacks, the attacker can do some simple research to make the software’s job easier.
For example, they may register, or partially register, on the website they want to attack, which lets them see its password complexity rules. If the minimum length is eight characters, the software can be set to start with eight-character strings; there is no point testing four-, five-, six- and seven-character strings. If certain characters are not permitted, they can be removed from the “alphabet” the software draws on.
Here is a brief description of the different types of list-based attacks.
- Traditional brute-force attack: Strictly speaking, this is not a list-based attack. Dedicated software generates every combination of letters, digits and other characters such as punctuation and symbols, in progressively longer strings, and tries each one as the password for the account under attack. If it generates a string that matches the password, the account is compromised.
- Dictionary attack: Dedicated software takes one word at a time from a list of dictionary words and tries it as the password for the account under attack. Transformations may be applied to each word, such as appending numbers or substituting digits for letters.
- Password lookup attack: Similar to a dictionary attack, but the lists contain actual passwords. Automated software reads one password at a time from a huge list of passwords collected from data breaches.
- Intelligent password lookup attack: Like a password lookup attack, but transformations of each password are tried as well as the “naked” password. The transformations mimic common password tricks such as substituting digits for vowels.
- API attack: Instead of trying to crack a user’s account, these attacks generate character strings in the hope of matching a user’s key for an application programming interface. If the attackers gain access to the API, they may be able to use it to exfiltrate sensitive information or intellectual property.
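The transformations described above (appended counters, years, common suffixes and digit-for-letter substitutions) are what turn a plain dictionary into the candidate set a modern attack actually tries. The block below is an added example, not code from the original article or from any cracking tool, showing a rule-based expansion of each word and an offline run of it against a single stored hash. The wordlist, the salt and the target password `Cl0ud2016` are constructed for the demonstration, and salted SHA-256 is used only because it is fast; it is not a recommended password hash.

```python
import hashlib
import itertools
from typing import Iterable, Iterator, Optional

# Digit-for-letter substitutions the text describes (1 for i, 3 for e, 5 for s ...).
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}
COMMON_SUFFIXES = ("!", "!!", "#", "123")


def leet_variants(word: str) -> Iterator[str]:
    """Yield the word with every subset of its substitutable letters replaced,
    so 'cloud' gives 'cloud' and 'cl0ud', and 'seat' gives 2**3 variants."""
    positions = [i for i, ch in enumerate(word) if ch.lower() in LEET]
    for r in range(len(positions) + 1):
        for subset in itertools.combinations(positions, r):
            chars = list(word)
            for i in subset:
                chars[i] = LEET[chars[i].lower()]
            yield "".join(chars)


def mangle(word: str) -> Iterator[str]:
    """Expand one dictionary word into the candidates a rule-based attack tries:
    case variants, leet substitutions, appended counters, years and suffixes."""
    for base in dict.fromkeys((word, word.capitalize(), word.upper())):
        for variant in leet_variants(base):
            yield variant
            for n in range(100):               # cloud1, cloud2 ... and two-digit years
                yield f"{variant}{n}"
            for year in range(1950, 2031):     # birthdays, anniversaries, cup wins
                yield f"{variant}{year}"
            for suffix in COMMON_SUFFIXES:     # cloud!, cloud123 ...
                yield f"{variant}{suffix}"


def hash_password(salt: bytes, password: str) -> str:
    """Salted SHA-256 for the constructed target (fast, not a real password hash)."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def crack(target_hash: str, salt: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Run the dictionary attack offline against one stored hash.
    Returns the matching candidate, or None if the wordlist and rules miss it."""
    for word in wordlist:
        for candidate in mangle(word):
            if hash_password(salt, candidate) == target_hash:
                return candidate
    return None


# Constructed demo data: a tiny wordlist and the hash of the "clever" password Cl0ud2016.
SALT = b"constructed-salt"
WORDLIST = ["sun", "rain", "cloud", "snow"]

if __name__ == "__main__":
    target = hash_password(SALT, "Cl0ud2016")
    print("recovered:", crack(target, SALT, WORDLIST))
    print("candidates generated for 'cloud':", sum(1 for _ in mangle("cloud")))
```

Four dictionary words expand to a few thousand candidates, which is why a word plus a year or a leet-spelled word is no harder for this software than the word itself. Three unrelated words joined together do not appear in any such expansion of a single entry.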
A word about passwords
Passwords must be strong, unique and unrelated to anything that can be discovered or derived about you, such as your children’s names. Passphrases are better than passwords. Three unrelated words joined by punctuation marks make a very strong template. Counterintuitively, passphrases are built from dictionary words, the very thing we have always been warned against. But combining several of them this way creates a very hard problem for the attack software, because the number of three-word combinations grows with the cube of the dictionary’s size rather than appearing as a single entry in it.
We can use the website How Secure Is My Password to test the strength of our passwords.
- molnavvyit: Estimated crack time: three weeks.
- cl0uds4vvy1t: Estimated crack time: three years.
- thirty. fjäder.girder: Estimated time to crack: 41 quadrillion years!
And do not forget the golden rule: a password should only ever be used on one system or website, never in more than one place. If you reuse a password across systems and one of them is breached, every website and system where you used that password is at risk, because your password has fallen into the hands of the threat actors and into their password lists. Whether your password would take 41 quadrillion years to crack or not, once it is in their password lists the crack time is completely irrelevant.
If you have too many passwords to remember, use a password manager.
How to protect against brute-force attacks
A layered defensive strategy is always best. No single defensive action will make you immune to dictionary attacks, but there are a number of actions you can consider that will complement each other and greatly reduce the risk of you being susceptible to these attacks.
- Enable multifactor authentication wherever possible. This brings something physical that the user possesses – such as a phone, a USB security key or a fob – into the equation. A code sent to an app on the phone, or a response from the fob or USB key, is included in the authentication process, so a user ID and password alone are not enough to get in.
- Use strong passwords and passphrases that are unique and stored securely, as salted hashes rather than in plain text or reversible encryption.
- Create and roll out a password policy that governs the use, protection and acceptable form of passwords. Introduce it to all staff and make it mandatory.
- Limit login attempts to a small number. Either lock the account when the limit is reached, or lock it and force a password change.
- Enable CAPTCHAs or other secondary image-based challenges. These are intended to stop bots and password-guessing software, because a human has to interpret the image.
- Consider using a password manager. A password manager can generate complex passwords for you and remembers which password belongs to which account so you do not have to. It is the easiest way to have strong, unique passwords for every account you need to keep track of.
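The lockout and secure-storage points above fit together in one small piece of server-side logic: store only a salted PBKDF2 hash, count failures per account inside a sliding window, and refuse even the correct password while the lock is in force. The following is an added example written for this article, not code from any product the page mentions. The thresholds (five failures in ten minutes, fifteen-minute lock), the username `alice` and the injectable `clock` are assumptions chosen so the behaviour can be demonstrated without waiting.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

MAX_FAILURES = 5            # the attempt that reaches this count locks the account
WINDOW_SECONDS = 10 * 60    # failures older than this no longer count
LOCKOUT_SECONDS = 15 * 60   # how long the lock lasts
PBKDF2_ROUNDS = 100_000


def make_record(password: str):
    """Store a fresh random salt and a PBKDF2-SHA256 hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class LoginGuard:
    """Verifies passwords and enforces a sliding-window lockout per account.

    `clock` is injectable so the lockout can be exercised without sleeping;
    it defaults to time.monotonic.
    """

    def __init__(self, users: dict, clock=time.monotonic):
        self.users = users                   # username -> (salt, hash)
        self.clock = clock
        self.failures = defaultdict(list)    # username -> recent failure timestamps
        self.locked_until = {}               # username -> clock value when the lock ends
        # A dummy record is verified for unknown usernames so response time
        # does not reveal which accounts exist.
        self._dummy = make_record(os.urandom(8).hex())

    def _record_failure(self, username: str, now: float) -> str:
        recent = [t for t in self.failures[username] if now - t < WINDOW_SECONDS]
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures.pop(username, None)
            return "locked"
        self.failures[username] = recent
        return "denied"

    def attempt(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'. A locked account rejects even the
        correct password until the lock expires, which is what defeats a
        dictionary attack that has the right word somewhere in its list."""
        now = self.clock()
        if self.locked_until.get(username, 0.0) > now:
            return "locked"
        salt, stored = self.users.get(username, self._dummy)
        computed = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
        if username in self.users and hmac.compare_digest(computed, stored):
            self.failures.pop(username, None)   # success resets the counter
            return "ok"
        return self._record_failure(username, now)


if __name__ == "__main__":
    guard = LoginGuard({"alice": make_record("thirty.fjäder.girder")})
    for guess in ("cloud1", "cloud2", "Cl0ud", "cloud2016", "cloud!"):
        print(f"{guess:10} -> {guard.attempt('alice', guess)}")
    print("correct password while locked ->", guard.attempt("alice", "thirty.fjäder.girder"))
```

Pair this with a per-source-IP limit as well: an attacker who spreads one guess across many accounts (password spraying) never trips a per-account counter, and an account lock on its own can be turned into a denial of service against legitimate users.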