Dictionary attacks threaten the security of your networks and platforms. They try to compromise a user account by guessing its password from a list of likely candidates. Learn how they work and how to beat them.
User accounts on computer systems, websites and hosted services must be protected from unauthorized access. Authenticating users is the most common way to do this. Users are given a unique user ID (for online accounts, this is usually their email address) and a password. Both must be provided and verified before the user can access the account.
Dictionary attacks are a family of cyber attacks that share a common technique. They use long lists – sometimes entire databases – of words, and software that reads each word in the list in turn and tries it as the password for the attacked account. If any word in the list matches the genuine password, the account is compromised.
These attacks differ from the more primitive brute force attack. A brute force attack works through every possible combination of letters, digits and symbols until one of them happens to be the password. This is inefficient: it takes a great deal of time and computation.
The effort required to crack a password grows massively with every character you add. An eight-character password has orders of magnitude more combinations than a five-character one. There is no guarantee that a brute force attack will succeed within any useful time. A dictionary attack, by contrast, finishes in the time it takes to work through the list, and if one of the entries matches your password, it succeeds.
Of course, most corporate networks apply automatic account lockouts after a set number of failed login attempts. Quite often, threat actors therefore start with the company's public websites, which often have less stringent controls on login attempts. Once they have a working user ID and password for the website, they try the same credentials on the corporate network. If the user reused the password, the threat actors are now inside your corporate network. In most cases, the website or portal is not the real target. It is a staging post on the way to the threat actor's real prize: the corporate network.
Access to the website also lets threat actors inject malicious code that monitors login attempts and records user IDs and passwords. The code either sends the captured credentials to the threat actors or stores them until the attackers return to the site to collect them.
Not just words in a file
The first dictionary attacks were just that. They used words from the dictionary. This is why “never use a word from the dictionary” was part of the advice on choosing a strong password.
Ignoring this advice, picking a dictionary word anyway and adding a number to it so that it no longer matches a dictionary entry is just as poor. The threat actors who write dictionary attack software are well aware of the habit. They developed a technique that tries every word on the list multiple times, appending a number on each attempt. This works because people often take a word and add 1, then 2, and so on, every time they are forced to change their password.
Sometimes they add a two- or four-digit number representing a year: a birthday, an anniversary, the year their team won the cup, or some other big event. Because people also use the names of their children or other loved ones as passwords, dictionary lists have been expanded to include male and female first names.
And the software evolved again. Patterns that substitute numbers for letters, such as 1 for “i”, 3 for “e”, 5 for “s”, and so on, add no significant complexity to your password. The software knows these conventions and works through those combinations too.
Today all of these techniques are still in use, alongside other lists that contain no standard dictionary words at all. They contain real passwords.
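To make the transformations described above concrete, here is a small word-mangling engine written for this article (it is an added example, not code from the original page or from any real cracking tool). Given a base word it generates the candidates an attacker's rules would try: case changes, digit-for-letter substitutions, appended counters and years. The wordlist, the substitution table and the suffix ranges are assumptions chosen for the example; real rule sets are far larger.

```python
import itertools
from typing import Iterable, Iterator, List

# Constructed sample wordlist standing in for the dictionary an attacker would load.
SAMPLE_WORDLIST = ["cloudsavvyit", "password", "sunshine", "michael"]

# Digit-for-letter substitutions described in the text (1 for i, 3 for e, 5 for s, ...).
LEET_MAP = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}

# Suffixes people bolt on: 0-99 (the "add 1, then 2" habit), a few favourites, and years.
# The ranges are assumptions for this example.
SUFFIXES = [""] + [str(n) for n in range(100)] + ["!", "!!", "123", "1234"]
SUFFIXES += [str(year) for year in range(1990, 2025)]


def case_variants(word: str) -> List[str]:
    """Plain, Capitalised and UPPER forms, deduplicated but in a fixed order."""
    out: List[str] = []
    for v in (word, word.capitalize(), word.upper()):
        if v not in out:
            out.append(v)
    return out


def leet_variants(word: str) -> List[str]:
    """Every way of swapping any subset of the substitutable (lowercase) letters for
    their digit look-alikes. The unmodified word comes first."""
    positions = [i for i, ch in enumerate(word) if ch in LEET_MAP]
    out: List[str] = []
    for k in range(len(positions) + 1):
        for combo in itertools.combinations(positions, k):
            chars = list(word)
            for i in combo:
                chars[i] = LEET_MAP[chars[i]]
            out.append("".join(chars))
    return out


def mangle(word: str) -> Iterator[str]:
    """Yield candidate passwords derived from one dictionary word: every case variant,
    every leet variant of it, every suffix. The bare word comes first, cheap variants early."""
    for cased in case_variants(word):
        for leet in leet_variants(cased):
            for suffix in SUFFIXES:
                yield leet + suffix


def candidates(wordlist: Iterable[str]) -> Iterator[str]:
    """All candidates for a whole wordlist, in the order the attack would try them."""
    for word in wordlist:
        yield from mangle(word)


def guesses_to_find(target: str, wordlist: Iterable[str]) -> int:
    """How many guesses an attacker running these rules needs before hitting `target`;
    -1 if the target is not reachable from the wordlist at all."""
    for n, guess in enumerate(candidates(wordlist), start=1):
        if guess == target:
            return n
    return -1


if __name__ == "__main__":
    for pw in ("cloudsavvyit", "cl0uds4vvy1t", "Password2016", "Sunsh1ne!", "thirty.feather.girder"):
        print(f"{pw:24} guess #{guesses_to_find(pw, SAMPLE_WORDLIST)}")
```

Note that a four-word wordlist already expands to several thousand candidates per word, and that a passphrase built from words absent from the list is never reached at all, which is the argument the later section on passphrases makes.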
Where do the password lists come from?
The well-known Have I Been Pwned website stores a searchable collection of over 10 billion compromised accounts. Whenever there is a data breach, the site's operators try to obtain the leaked data. If they manage to acquire it, they add it to their database.
You can freely search their database of email addresses. If your email address is in the database, you are told which data breach leaked it. For example, I found one of my old email addresses in the Have I Been Pwned database. It was leaked in the 2016 LinkedIn breach. That means my password for that site was presumably also exposed. But because all of my passwords are unique, all I had to do was change the password for that one site.
Have I Been Pwned has a separate database of passwords. For obvious reasons, you cannot match an email address to a password on the site. If you search for your password and find it in the list, that doesn't necessarily mean it came from one of your accounts: with 10 billion compromised accounts, there are plenty of duplicate passwords. The interesting point is that you are told how many times that password has been seen. Did you think your passwords were unique? Probably not.
But whether or not the password in the database came from one of your accounts, if it is on the Have I Been Pwned site, assume it is in the lists that threat actors feed into their attack software. It doesn't matter how long or obscure your password is. If it is in the password lists it cannot be trusted; change it immediately.
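Checking a password against the Pwned Passwords list can be automated without sending the password anywhere. The service exposes a range endpoint: the caller computes the SHA-1 of the password, sends only the first five hex characters, and receives every known hash suffix starting with that prefix together with how often each was seen. The client then compares the remaining 35 characters locally, so the full hash never leaves the machine. The code below is an added example written for this article, not code from Have I Been Pwned. The live `fetch_range` function is included for completeness but the demo runs against `SAMPLE_RESPONSE`, a constructed stand-in whose counts and neighbouring suffixes are invented.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form Pwned Passwords is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(text: str) -> Dict[str, int]:
    """Turn the service's 'SUFFIX:COUNT' lines into a dict of suffix -> count."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 35:
            raise ValueError(f"malformed range line: {line!r}")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup of one 5-hex-character prefix. Only these five characters leave
    the machine; the full hash and the password never do. Not called by the demo."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Number of times the password appears in breach corpora; 0 if unseen."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch(prefix)).get(suffix, 0)


# Constructed offline stand-in for the response to the prefix of SHA-1("password").
# The two neighbouring suffixes and all counts are invented for this example.
SAMPLE_RESPONSE = "\n".join([
    "0" * 33 + "AA:1",
    sha1_hex("password")[5:] + ":3861493",
    "F" * 35 + ":5",
])


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range that returns the constructed sample whatever the prefix."""
    return SAMPLE_RESPONSE


if __name__ == "__main__":
    for pw in ("password", "thirty.feather.girder"):
        n = pwned_count(pw, fetch=offline_fetch)
        print(f"{pw!r}: {'seen ' + str(n) + ' times, do not use' if n else 'not in the sample list'}")
```

Wiring `pwned_count` into a registration or password-change form, with the live fetcher, is how a site can refuse passwords that already sit in the attackers' lists.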
Variants of password-guessing attacks
Even with relatively low-level attacks like dictionary attacks, the attacker can do some simple reconnaissance to make the software's job easier.
For example, they can register, or start registering, on the site they wish to attack. This shows them the site's password complexity rules. If the minimum length is eight characters, the software can be configured to start with eight-character strings; there is no need to test four-, five-, six- and seven-character strings. If certain characters are prohibited, they can be removed from the “alphabet” the software draws from.
Here is a brief description of the different types of list-based attacks.
- Traditional brute force attack: Strictly, this is not a list-based attack. Dedicated software generates every combination of letters, numbers and other characters such as punctuation and symbols, in increasingly long strings, and tries each one as the password for the attacked account. If it generates the string that matches the account's password, the account is compromised.
- Dictionary attack: Dedicated software takes one word at a time from a dictionary wordlist and tries it as the password for the attacked account. Transformations can be applied to the words, such as appending numbers or substituting numbers for letters.
- Password lookup attack: Similar to a dictionary attack, but the wordlists contain real passwords. Automated software reads one password at a time from a huge list of passwords collected from data breaches.
- Intelligent password lookup attack: Like a password lookup attack, but transformations of each password are tried as well as the “naked” password. The transformations emulate commonly used password tricks such as substituting numbers for vowels.
- API attack: Instead of trying to hijack a user's account, these attacks use software to generate strings in the hope of matching a user's key for an application programming interface. If they gain access to the API, they may be able to exploit it to exfiltrate sensitive information or intellectual property.
A word about passwords
Passwords should be strong, unique, and unrelated to anything that might be discovered or inferred about you, such as children's names. Passphrases are better than passwords. Three unrelated words separated by punctuation marks make a very strong template for a password. Counterintuitively, passphrases are made of dictionary words, and we have always been warned not to use dictionary words in passwords. But combining them this way creates a very difficult problem for the attack software: instead of one word plus a few predictable tweaks, it has to guess the right combination of words, so the number of candidates grows as the size of the wordlist raised to the number of words.
We can use the How secure is my password website to test the strength of our passwords.
- cloudsavvyit: Estimated time to crack: three weeks.
- cl0uds4vvy1t: Estimated time to crack: three years.
- thirty.feather.girder: Estimated time to crack: 41 quadrillion years!
And don't forget the golden rule: a password should be used on one system or website only, never in more than one place. If you reuse a password and one of those systems is breached, every site and system where you used it is at risk, because your password is now in the threat actors' hands, and in their password lists. Whether it would take 41 quadrillion years to crack or not, if it's in their lists the cracking time doesn't matter.
If you have too many passwords to remember, use a password manager.
How to protect yourself against brute force attacks
A layered defensive strategy is always best. No single measure will make you immune to dictionary attacks, but there are several measures that complement each other and significantly reduce the risk that you are vulnerable to them.
- Enable multi-factor authentication wherever possible. It brings something physical that the user has, such as a phone, a USB security key or a key fob, into the equation. A code sent to an app on the phone, or a value held in the fob or security key, becomes part of the authentication process, so a user ID and password alone are not enough to get in.
- Use strong passwords and passphrases which are unique and securely stored in an encrypted form.
- Create and deploy a password policy which governs the use, protection and acceptable wording of passwords. Present it to all staff and make it mandatory.
- Limit login attempts to a small number. Either lock the account when the number of failed attempts is reached, or lock it and force a password change. Bear in mind that an attacker can deliberately trigger lockouts to deny service to legitimate users, so temporary lockouts or progressively longer delays are usually preferable to permanent ones.
- Activate CAPTCHAs or other secondary image-based challenges. These are meant to stop bots and automated password-guessing software, because a human has to interpret the image.
- Consider using a password manager. A password manager can generate complex passwords for you. It remembers the password associated with which account, so you don’t have to. A password manager is the easiest way to have unique, cast-iron passwords for each account that you need to keep track of.
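The lockout rule in the list above is only useful if you can see the failures it is meant to catch, and a dictionary attack on one account looks quite different in the logs from the credential-stuffing scenario described earlier, where one password is tried against many accounts. The detector below is an added example written for this article, not code from any product. It runs over a constructed sample log in an invented format, flags one source hammering one account and one source spreading single attempts across many accounts, and reuses the same windowed failure count as the per-account lockout decision. Thresholds and the ten-minute window are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log (not from a real system). The line format is invented for
# this example: "<UTC timestamp> auth <FAIL|OK> user=<id> src=<ip>".
# alice:        one source hammers one account (dictionary attack), then gets in.
# bob:          two typos from his own address, then success (normal behaviour).
# 198.51.100.9: one attempt each against many accounts (credential stuffing / spraying).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z auth FAIL user=alice src=203.0.113.7
2024-03-01T10:00:02Z auth FAIL user=alice src=203.0.113.7
2024-03-01T10:00:03Z auth FAIL user=alice src=203.0.113.7
2024-03-01T10:00:04Z auth FAIL user=alice src=203.0.113.7
2024-03-01T10:00:05Z auth FAIL user=alice src=203.0.113.7
2024-03-01T10:00:06Z auth FAIL user=alice src=203.0.113.7
2024-03-01T10:00:07Z auth OK user=alice src=203.0.113.7
2024-03-01T10:01:10Z auth FAIL user=bob src=192.0.2.5
2024-03-01T10:01:25Z auth FAIL user=bob src=192.0.2.5
2024-03-01T10:01:40Z auth OK user=bob src=192.0.2.5
2024-03-01T10:02:00Z auth FAIL user=carol src=198.51.100.9
2024-03-01T10:02:01Z auth FAIL user=dave src=198.51.100.9
2024-03-01T10:02:02Z auth FAIL user=erin src=198.51.100.9
2024-03-01T10:02:03Z auth FAIL user=frank src=198.51.100.9
2024-03-01T10:02:04Z auth FAIL user=grace src=198.51.100.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")

Event = Tuple[datetime, str, str, str]  # (timestamp, result, user, src)


def parse(log_text: str) -> List[Event]:
    events: List[Event] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines we do not understand rather than crash the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def max_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def max_distinct_in_window(pairs: List[Tuple[datetime, str]], window: timedelta) -> int:
    """Largest number of distinct users seen inside any span of length `window`."""
    pairs = sorted(pairs)
    live: Counter = Counter()
    best = start = 0
    for t, user in pairs:
        live[user] += 1
        while t - pairs[start][0] > window:
            old = pairs[start][1]
            live[old] -= 1
            if live[old] == 0:
                del live[old]
            start += 1
        best = max(best, len(live))
    return best


def detect(log_text: str, fail_threshold: int = 5, spray_threshold: int = 4,
           window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Flag (user, src) pairs with >= fail_threshold failures inside `window` (dictionary
    attack on one account) and sources that fail against >= spray_threshold distinct users
    inside `window` (one password tried across many accounts)."""
    per_account = defaultdict(list)  # (user, src) -> [failure time, ...]
    per_source = defaultdict(list)   # src -> [(failure time, user), ...]
    for ts, result, user, src in parse(log_text):
        if result == "FAIL":
            per_account[(user, src)].append(ts)
            per_source[src].append((ts, user))

    findings: List[Dict] = []
    for (user, src), times in per_account.items():
        n = max_in_window(times, window)
        if n >= fail_threshold:
            findings.append({"type": "dictionary", "user": user, "src": src, "count": n})
    for src, pairs in per_source.items():
        n = max_distinct_in_window(pairs, window)
        if n >= spray_threshold:
            findings.append({"type": "spraying", "src": src, "users": n})
    return findings


def should_lock(user: str, log_text: str, threshold: int = 5,
                window: timedelta = timedelta(minutes=10)) -> bool:
    """Per-account lockout decision: the same windowed failure count, across all sources."""
    times = [ts for ts, result, u, _ in parse(log_text) if result == "FAIL" and u == user]
    return max_in_window(times, window) >= threshold


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
    print("lock alice:", should_lock("alice", SAMPLE_LOG), "lock bob:", should_lock("bob", SAMPLE_LOG))
```

The spraying rule is the one a per-account lockout cannot catch on its own: each account sees a single failure, so only a per-source view exposes the pattern, which is a good argument for rate-limiting by source as well as by account.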