Understanding a Dictionary Attack

What is a Dictionary Attack?

ssb
A dictionary attack is a method used in cryptanalysis to find a password or a key. It consists of testing a series of candidate passwords, one after another, in the hope that the password used for encryption is in the dictionary. If it is not, the attack fails.

This method relies on the fact that many people use passwords that can be found in a dictionary. For this reason, it is always advisable to think carefully before choosing a password.

The dictionary attack is often used alongside the brute-force attack, which consists of exhaustively testing every possible password. The latter is particularly effective for passwords not exceeding 5 or 6 characters.

Contents of the dictionary and rules

In addition to the usual content of a dictionary, which is a set of words, the dictionary can be greatly improved by combining words or by applying certain rules. For example, for every word, we can try changing the case of its letters or replacing them with their leet speak equivalents. Another trick is to repeat the word twice (e.g. "boatboat"), on the assumption that the user relied on this method to strengthen an unsafe password. Dictionaries can also be generated, for example from plate numbers, Social Security numbers, birth dates, etc.
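
A password-policy check built on the rules described above, as an added example that is not part of the original article: it reverses the case, leet speak and doubling rules and rejects a password whose base form is in a word list. The word list, the leet table and all function names are constructed for illustration.

```python
# Added example: refuse passwords that dictionary rules would reach.
# WORDLIST and LEET are small constructed samples, not a real dictionary.
WORDLIST = {"boat", "password", "dragon", "summer", "elite"}
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def undouble(s):
    """Return one half of s if s is a string repeated twice, else s."""
    half, rem = divmod(len(s), 2)
    if rem == 0 and half > 0 and s[:half] == s[half:]:
        return s[:half]
    return s


def normalise(password):
    """Return the base forms the rules could have started from."""
    lowered = password.lower()            # undo case changes
    unleeted = lowered.translate(LEET)    # undo leet speak substitutions
    forms = {lowered, unleeted}
    forms |= {undouble(f) for f in list(forms)}   # undo "boatboat"
    return forms


def is_dictionary_derived(password, wordlist=WORDLIST):
    """Return the matching base word, or None if no rule leads to the list."""
    for form in sorted(normalise(password)):
        if form in wordlist:
            return form
    return None


if __name__ == "__main__":
    # Constructed sample passwords.
    for candidate in ["boatboat", "P@ssw0rd", "B04TB04T", "kq7#Vw2pLx"]:
        base = is_dictionary_derived(candidate)
        verdict = f"rejected (based on '{base}')" if base else "accepted"
        print(f"{candidate!r}: {verdict}")
```

Run at password-change time, a check like this refuses the passwords that a rule-based dictionary would find first.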

Software

John the Ripper, the best-known software in this area, comes with a list of rules that expand the search space and explore the classic weaknesses in the way users construct passwords or keys. There are dictionaries containing several million words, which are not supplied with the software. I should also mention L0phtCrack and Cain & Abel, which provide similar services.

However, this type of software is not necessarily used for malicious purposes. These tools can be useful for administrators who want to secure passwords and warn users about the risks involved.

Detection

It is possible to detect brute-force attacks by enforcing a minimum delay between two authentication attempts, which also greatly increases the time the attack takes. Alternatively, smart cards (e.g. credit cards) and SIM cards block after 3 unsuccessful attempts, which makes any brute-force attack impossible.

Hashing passwords

In applications, passwords are often stored in the form of a hash, from which it is very difficult to recover the password itself. Some dictionaries used for attacks include the precomputed hashes of the most common passwords. An attacker with access to the stored password hashes could therefore guess the original password.

A good practice is not to use a single password for every purpose (email, websites, credit card) but to randomly generate one for each. This way, if someone obtains your email password, it will be different from your website password, which protects your website from misuse.

Published by ssb
