A dictionary attack is a type of cyberattack in which an attacker uses a password-guessing technique to get into a password-protected computer or server by trying each word in a dictionary one by one.
In a dictionary attack, the attacker attempts to guess a password or identify the decryption key of an encrypted message or document in the hopes that one of the guesses will be the user’s true password.
In contrast to a brute force attack, which systematically searches a huge section of the key space, a dictionary attack simply tries the options that are most likely to succeed because many people and businesses use common terms as passwords.
A dictionary attack is rarely successful against systems that use multiple-word phrases and is ineffective against systems that use random uppercase and lowercase letters mixed with numerals.
The brute-force technique (in which every possible combination of characters and spaces is tried up to a specific maximum length) can be effective against those systems, but it takes a long time to produce results.
What type of password can be easily hacked by a dictionary attack?
Because the majority of passwords are created by users, it stands to reason that most passwords consist of or contain common words. The English language has a little over a million words, but there are 308,915,776 possible combinations of six letters. Most attackers take this into account when attempting to break into a system and use word lists together with standard password lists built from:
- Variations on the user’s first or last name, initials, account name, and other relevant personal information (such as address and telephone number, pet’s name, and so on).
- Words from various databases such as male and female names, places, cartoon characters, films, myths, and books.
- Spelling variations and permutations of the above words, such as replacing the letter “o” with the number “0,” using random capitalization, and so on.
- Common word pairs.
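The defensive mirror of the word lists described above is a check that undoes the same tricks (case, letter-for-digit swaps, an appended year) before comparing a candidate password against dictionary words, the user's own profile data and common word pairs. This is an added example, not code from the original article; the word list, the leet-substitution table and the sample user record are constructed for illustration.

```python
import re
import string

# Constructed sample word list; a real check would load a large corpus of common
# passwords and dictionary words (assumption: one word per line in a file).
WORDLIST = {"password", "dragon", "longhorns", "batman", "summer", "london",
            "monkey", "sunshine", "qwerty", "football", "princess"}

# Reverse the "o" -> "0" style substitutions attackers add to their lists.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "+": "t"})


def normalize(password: str) -> str:
    """Strip case, an appended year or symbol, and leet substitutions to recover the base word."""
    trailing = string.digits + string.punctuation + " "
    base = password.lower().rstrip(trailing)      # drop "2018", "!" etc. first
    return base.translate(LEET).strip(trailing)   # then undo the substitutions


def personal_tokens(user: dict) -> set:
    """Tokens an attacker would derive from profile data: names, pet, phone fragments."""
    tokens = set()
    for value in user.values():
        parts = re.findall(r"[a-z0-9]+", str(value).lower())
        tokens.update(p for p in parts if len(p) >= 3)
        if len(parts) > 1:
            tokens.add("".join(parts))  # e.g. "janedoe" from "Jane Doe"
    return tokens


def dictionary_derived(password: str, user: dict, wordlist=WORDLIST):
    """Return why the password would fall to a dictionary attack, or None if no check fires."""
    core = normalize(password)
    if not core:
        return "only digits and punctuation"
    if core in wordlist:
        return f"dictionary word '{core}'"
    personal = personal_tokens(user)
    if core in personal or any(t in core for t in personal if len(t) >= 4):
        return "derived from personal information"
    # Common word pairs: both halves of some split are dictionary words.
    for i in range(3, len(core) - 2):
        if core[:i] in wordlist and core[i:] in wordlist:
            return f"word pair '{core[:i]}'+'{core[i:]}'"
    return None
```

Run this at password-set time, alongside the complexity rules, so that a password such as "P@ssw0rd!" is rejected even though it technically contains mixed case, a digit and a symbol.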
How to prevent a dictionary attack?
Delayed Response
Deliberately delaying the server's response prevents an attacker or spammer from testing many passwords in a short amount of time.
Strengthen your password requirements
This is probably the easiest measure to apply and the most effective. To protect against dictionary attacks, make password complexity requirements more stringent, such as demanding certain symbols, numerals, and/or capital letters.
Any of these constraints will encourage someone to create a unique password rather than one that is found in a dictionary. A minimum length requirement (8 characters is likely sufficient in combination with several other choices below) is also beneficial.
Refresh passwords
Users of modern systems are usually required to change their passwords on a regular basis. To protect against a dictionary attack, some business environments require users to update their passwords every 90 days, or even every 30 days. The rationale is that a brute-force attack against a complex password would take weeks to complete.
The attacker will have to start over if the password changes during that time period.
However, as many users will admit, these stringent password restrictions might backfire, leading to the adoption of weaker, sequential passwords (such as “longhorns2018,” “longhorns2019,” and so on). An attacker would strive to increase the password’s length as rapidly as possible.
Lock accounts
Better yet, a system can be configured to lock an account after a certain number of failed login attempts. Many websites enact additional safeguards for accounts that have had multiple failed password attempts. In the most extreme case, an iPhone will erase its data after ten failed attempts.
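The delayed response and account lock described above combine naturally into one per-account throttle: every consecutive failure doubles the wait before the server answers, and reaching the failure threshold locks the account for a fixed period. This is an added example rather than code from the original article; the thresholds, the injectable clock and the sleep hook are assumptions chosen so the behaviour can be exercised offline.

```python
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts
    locked_until: float = 0.0  # clock value when the lock expires; 0 = not locked


class LoginThrottle:
    """Per-account throttling: a growing response delay after each failure and a
    timed lock once the failure threshold is reached."""

    def __init__(self, max_failures=5, lock_seconds=900, base_delay=1.0,
                 max_delay=30.0, clock=time.monotonic):
        self.max_failures, self.lock_seconds = max_failures, lock_seconds
        self.base_delay, self.max_delay, self.clock = base_delay, max_delay, clock
        self.accounts = {}  # in production this state lives in a shared store

    def state(self, username) -> AccountState:
        return self.accounts.setdefault(username, AccountState())

    def is_locked(self, username) -> bool:
        st = self.state(username)
        if st.locked_until and self.clock() >= st.locked_until:
            st.failures, st.locked_until = 0, 0.0  # lock expired: start clean
        return st.locked_until > 0

    def delay_for(self, username) -> float:
        """Seconds to wait before answering; doubles with every consecutive failure."""
        n = self.state(username).failures
        return 0.0 if n == 0 else min(self.base_delay * 2 ** (n - 1), self.max_delay)

    def record(self, username, success: bool):
        st = self.state(username)
        if success:
            st.failures, st.locked_until = 0, 0.0
            return
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked_until = self.clock() + self.lock_seconds


def attempt_login(throttle, username, password, verify, sleep=time.sleep) -> str:
    """Honour the lock, apply the delayed response, then check the credential."""
    if throttle.is_locked(username):
        return "locked"
    sleep(throttle.delay_for(username))  # slows every guess after the first failure
    ok = verify(username, password)
    throttle.record(username, ok)
    return "ok" if ok else "denied"
```

The lock is time-limited and scoped to the account so that an attacker cannot permanently deny a legitimate user access by guessing wrong on purpose; pairing it with a per-source-address limit also catches an attacker who spreads guesses across many accounts.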
Countering a Brute Force Attack with a Strong Password Policy
Enforcing a strong password policy is the first line of defence against a brute force attack. As noted above, dictionary words make terrible passwords. Length also matters: the longer the password, the harder it is to guess. There is no precise definition of a password strong enough to resist a dictionary attack, but the following guidelines are useful:
- Minimum length of at least seven characters.
- Must include both upper and lower case characters.
- Must include numeric characters.
- Must include punctuation.
These requirements may appear unnecessarily strict, but a brute force attack is unlikely to uncover a password created under them. There are about 70 trillion different seven-character combinations of upper case, lower case, numerals, and punctuation.
Even if a dictionary attack tool could make 100 requests per second, it would take over 11,000 years before guessing the password became more likely than not. Obviously, most Web sites will want to protect themselves from a dictionary attack far sooner than 11,000 years.
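The arithmetic behind the 70 trillion and 11,000-year figures, together with a checker for the four guidelines listed above, as an added example that is not part of the original article. It assumes the attacker's alphabet is the 95 printable ASCII characters (letters, digits, punctuation and space), and that a guess becomes more likely than not once half the key space has been searched.

```python
import string

# The article's guidelines: at least 7 characters drawn from all four classes.
POLICY = {
    "min_length": 7,
    "classes": {
        "upper": set(string.ascii_uppercase),
        "lower": set(string.ascii_lowercase),
        "digit": set(string.digits),
        "punctuation": set(string.punctuation),
    },
}

# Assumption: 95 printable ASCII characters; 95 ** 7 is roughly 70 trillion.
ALPHABET_SIZE = 95
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def policy_violations(password: str, policy=POLICY) -> list:
    """List every rule the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    for name, chars in policy["classes"].items():
        if not any(c in chars for c in password):
            problems.append(f"no {name} character")
    return problems


def keyspace(length: int, alphabet_size: int = ALPHABET_SIZE) -> int:
    """Number of candidate strings of exactly this length."""
    return alphabet_size ** length


def expected_crack_years(length: int, guesses_per_second: float,
                         alphabet_size: int = ALPHABET_SIZE) -> float:
    """Years until half the key space is searched, the point at which a hit is
    more likely than not."""
    seconds = keyspace(length, alphabet_size) / 2 / guesses_per_second
    return seconds / SECONDS_PER_YEAR


def rate_to_crack_within_days(length: int, days: float) -> float:
    """Guesses per second an attacker would need to expect success within the
    given time; useful for sizing a throttle or IDS alert threshold."""
    return keyspace(length) / 2 / (days * 24 * 3600)
```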
An intrusion detection system (IDS) is used by many businesses to detect an unusually large number of requests coming from a single user. This is a fine idea, but it isn’t enough to keep a brute force attack at bay. A cunning attacker will simply lower the request rate of the automated programme until it falls below the IDS’s alert threshold.
Disable Root User Login
For remote connections, disable root login. root is a common username that is frequently targeted in brute force attacks. I won’t go into depth here, but you can learn more by reading the articles When you should disable root login… or not and Simple security tricks to harden a new Linux server.
Dictionary attack software
- Cain and Abel
- Crack
- Aircrack-ng
- John the Ripper
- L0phtCrack
- Metasploit Project
- Ophcrack