HOME

TheInfoList



Click Here for Items Related To - Dictionary Attack
OR:
Dictionary Attack on:   [Wikipedia]   [Google]   [Amazon]

In
cryptanalysis Cryptanalysis (from the Greek ''kryptós'', "hidden", and ''analýein'', "to analyze") refers to the process of analyzing information systems in order to understand hidden aspects of the systems. Cryptanalysis is used to breach cryptographic se ...
and
computer security Computer security (also cybersecurity, digital security, or information technology (IT) security) is a subdiscipline within the field of information security. It consists of the protection of computer software, systems and computer network, n ...
, a dictionary attack is an attack using a restricted subset of a keyspace to defeat a
cipher In cryptography, a cipher (or cypher) is an algorithm for performing encryption or decryption—a series of well-defined steps that can be followed as a procedure. An alternative, less common term is ''encipherment''. To encipher or encode i ...
or authentication mechanism by trying to determine its decryption key or
passphrase A passphrase is a sequence of words or other text used to control access to a computer system, program or data. It is similar to a password in usage, but a passphrase is generally longer for added security. Passphrases are often used to control ...
, sometimes trying thousands or millions of likely possibilities often obtained from lists of past security breaches.


Technique

A dictionary attack is based on trying all the strings in a pre-arranged listing. Such attacks originally used words found in a dictionary (hence the phrase ''dictionary attack''); however, now there are much larger lists available on the open Internet containing hundreds of millions of passwords recovered from past data breaches. There is also cracking software that can use such lists and produce common variations, such as substituting numbers for similar-looking letters. A dictionary attack tries only those possibilities which are deemed most likely to succeed. Dictionary attacks often succeed because many people have a tendency to choose short passwords that are ordinary words or common passwords; or variants obtained, for example, by appending a digit or punctuation character. Dictionary attacks are often successful, since many commonly used password creation techniques are covered by the available lists, combined with cracking software pattern generation. A safer approach is to randomly generate a long password (15 letters or more) or a multiword
passphrase A passphrase is a sequence of words or other text used to control access to a computer system, program or data. It is similar to a password in usage, but a passphrase is generally longer for added security. Passphrases are often used to control ...
, using a
password manager A password manager is a software program to prevent password fatigue by Random password generator, automatically generating, Autofill, autofilling and storing Password, passwords. It can do this for Application software, local applications or web ...
program or manually typing a password. Dictionary attacks can be deterred by the server administrator by using a more computationally expensive hashing algorithm.
Bcrypt bcrypt is a password-hashing function designed by Niels Provos and David Mazières. It is based on the Blowfish (cipher), Blowfish cipher and presented at USENIX in 1999. Besides incorporating a salt (cryptography), salt to protect against rain ...
,
scrypt In cryptography, scrypt (pronounced "ess crypt") is a password-based key derivation function created by Colin Percival in March 2009, originally for the Tarsnap online backup service. The algorithm was specifically designed to make it costly t ...
, and Argon2 are examples of such resource intensive functions that require significant computational power to process, allowing for large improvements in security against dictionary attacks. While other hashing functions, such as SHA and MD5, are much faster and less expensive to compute, they can still be strengthened by being applied multiple times to an input string through a process called key stretching. An attacker would have to know approximately how many times the function was applied for a dictionary attack to be feasible.


Pre-computed dictionary attack/Rainbow table attack

It is possible to achieve a time–space tradeoff by pre-computing a list of hashes of dictionary words and storing these in a database using the hash as the key. This requires a considerable amount of preparation time, but this allows the actual attack to be executed faster. The storage requirements for the pre-computed tables were once a major cost, but now they are less of an issue because of the low cost of
disk storage Disc or disk may refer to: * Disk (mathematics) In geometry, a disk (Spelling of disc, also spelled disc) is the region in a plane (geometry), plane bounded by a circle. A disk is said to be ''closed'' if it contains the circle that constitut ...
. Pre-computed dictionary attacks are particularly effective when a large number of passwords are to be cracked. The pre-computed dictionary needs be generated only once, and when it is completed, password hashes can be looked up almost instantly at any time to find the corresponding password. A more refined approach involves the use of rainbow tables, which reduce storage requirements at the cost of slightly longer lookup-times. ''See'' LM hash for an example of an authentication system compromised by such an attack. Pre-computed dictionary attacks, or "rainbow table attacks", can be thwarted by the use of
salt In common usage, salt is a mineral composed primarily of sodium chloride (NaCl). When used in food, especially in granulated form, it is more formally called table salt. In the form of a natural crystalline mineral, salt is also known as r ...
, a technique that forces the hash dictionary to be recomputed for each password sought, making precomputation infeasible, provided that the number of possible salt values is large enough.


Dictionary attack software

*
Cain and Abel In the biblical Book of Genesis, Cain and Abel are the first two sons of Adam and Eve. Cain, the firstborn, was a farmer, and his brother Abel was a shepherd. The brothers made sacrifices, each from his own fields, to God. God had regard for Ab ...
* Crack * Aircrack-ng * John the Ripper * Hashcat * L0phtCrack * Metasploit Project * Ophcrack * Cryptool


See also

* Brute-force attack *E-mail address harvesting * Intercontinental Dictionary Series, an online linguistic database *
Key derivation function In cryptography, a key derivation function (KDF) is a cryptographic algorithm that derives one or more secret keys from a secret value such as a master key, a password, or a passphrase using a pseudorandom function (which typically uses a cr ...
* Key stretching * Password cracking * Password strength


References


External links

* – Internet Security Glossary * – Internet Security Glossary, Version 2
US Secret Service use a distributed dictionary attack on suspect's password protecting encryption keysTesting for Brute Force (OWASP-AT-004)
{{Webarchive, url=https://web.archive.org/web/20200114052332/https://www.owasp.org/index.php/Testing_for_Brute_Force#Brute_force_Attacks, date=2020-01-14 Cryptographic attacks