A dictionary attack is a password-guessing technique in which an attacker tries to break into a password-protected computer, server or account, or to recover the key of an encrypted message or document, by systematically trying every entry in a prepared list (the "dictionary") in the hope that one of the guesses is the user's actual password.
In contrast to a brute-force attack, which searches a large proportion of the key space systematically, a dictionary attack tries only the possibilities most likely to succeed, because many users and businesses choose ordinary words as passwords.
Dictionary attacks are rarely successful against long multi-word passphrases and are essentially useless against randomly generated passwords that mix uppercase and lowercase letters, digits and symbols.
Against such passwords the attacker is left with brute force (trying every possible combination of characters and spaces up to some maximum length), which can eventually succeed but may take an impractically long time to produce results.
What type of password can be easily cracked by a dictionary attack?
Since most passwords are chosen by people, it stands to reason that most passwords are, or contain, common words. There are a little over a million words in the English language, whereas there are 26^6 = 308,915,776 combinations of just six lowercase letters; a wordlist is therefore hundreds of times smaller than even that modest key space, and the key space of longer mixed-character passwords is astronomically larger still.
Most attackers take this into account when attempting to intrude on a system, and build their guess lists from wordlists combined with rules for the variations people commonly use, such as:
- Variations on the user’s first or last name, initials, account name, and other relevant personal information (such as address and telephone number, pet’s name, and so on).
- Words from themed lists such as male and female names, places, cartoon characters, films, myths and books.
- Spelling variations and permutations of the above words, such as replacing the letter “o” with the number “0,” using random capitalization, and so on.
- Common word pairs.
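The list above, as an added Python example that is not part of the original article: a small base wordlist is expanded into single words and word pairs, each run through capitalisation, leet-speak and suffix rules, and every guess is hashed and compared with a set of target hashes. The base words and the "leaked" unsalted SHA-256 hashes are constructed for this example; the last hash is not derived from any base word and is expected to survive.

```python
import hashlib
import itertools

# Constructed base wordlist: in a real attack this would be names, places,
# leaked-password lists and so on, typically millions of entries.
BASE_WORDS = ["longhorns", "password", "fluffy", "austin"]

LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0"})
SUFFIXES = [""] + [str(y) for y in range(2015, 2025)] + ["!", "123"]


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed "leaked" hash set (unsalted SHA-256), not real credentials.
# "Tr0ub4dor&3" is not derived from any base word and should stay uncracked.
TARGET_HASHES = {
    sha256_hex("Longhorns2019"),
    sha256_hex("fluffy!"),
    sha256_hex("p4ssw0rd"),
    sha256_hex("Tr0ub4dor&3"),
}


def candidates(base_words):
    """Yield guesses: single words and word pairs, each run through the
    capitalisation, leet-speak and suffix rules (deduplicated)."""
    stems = list(base_words) + ["".join(p) for p in itertools.permutations(base_words, 2)]
    seen = set()
    for stem in stems:
        for cased in (stem.lower(), stem.capitalize(), stem.upper()):
            for variant in (cased, cased.translate(LEET)):
                for suffix in SUFFIXES:
                    guess = variant + suffix
                    if guess not in seen:
                        seen.add(guess)
                        yield guess


def crack(target_hashes, base_words):
    """Return ({hash: password} for every hash hit, number of guesses tried)."""
    remaining = set(target_hashes)
    found = {}
    tried = 0
    for guess in candidates(base_words):
        tried += 1
        digest = sha256_hex(guess)
        if digest in remaining:
            found[digest] = guess
            remaining.remove(digest)
            if not remaining:
                break
    return found, tried


if __name__ == "__main__":
    found, tried = crack(TARGET_HASHES, BASE_WORDS)
    print(f"{len(found)} of {len(TARGET_HASHES)} hashes cracked after {tried} guesses")
    for pw in found.values():
        print("  ", pw)
```

Four base words already produce well over a thousand guesses; real tools (hashcat, John the Ripper) apply hundreds of such rules to multi-million-entry wordlists, which is why a word plus a year or a "!" offers almost no protection.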
How to prevent a dictionary attack?
Throttle login attempts. Even a slightly delayed response from the server to each failed login prevents an attacker from checking many passwords within a short period of time; making the delay grow with each successive failure is more effective still.
Strengthen your password requirements
This is simple to implement and widely used. Increase complexity requirements, such as requiring symbols, numbers and/or uppercase letters; any of these restrictions pushes users away from a bare dictionary word. Requiring a minimum length (8 characters, in combination with several of the other measures below) helps as well. Note, however, that current guidance (NIST SP 800-63B) favours longer passwords and screening candidates against lists of dictionary-derived and known-compromised passwords over rigid composition rules, because users satisfy composition rules in predictable ways (appending "1!" or swapping "o" for "0").
Many systems still require users to change passwords regularly; some corporate environments mandate a change every 90 days, or even every 30. The rationale is that an attacker brute-forcing a complex password would need weeks to succeed, so if the password changes within that time the attacker must start over.
However, as many users would confess, such requirements can backfire: users choose weaker, sequential passwords ('longhorns2018', 'longhorns2019', and so on), and an attacker who has cracked or obtained one of them will simply try incrementing it.
Better still, the system can lock an account after a specified number of failed logins. Many websites trigger additional protections (a CAPTCHA, a notification to the owner, a temporary lockout) after repeated bad password attempts. In the extreme case, an iPhone can be configured to erase its data after 10 failed passcode attempts. Bear in mind that a permanent lockout lets an attacker lock legitimate users out of their own accounts simply by guessing wrong on purpose, so temporary lockouts, or lockouts tied to the attacking source, are usually preferable.
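The throttling and lockout measures above, as an added Python example (not code from the original article): a per-account guard whose response delay doubles with each recent failure and which imposes a temporary lockout once a threshold is reached. The credential store is a constructed plaintext dictionary for brevity; a real system would verify against salted, slow password hashes. The clock is injectable so the behaviour can be tested without sleeping.

```python
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 5            # lock the account after this many failures in the window
WINDOW_SECONDS = 15 * 60    # failures older than this no longer count
LOCKOUT_SECONDS = 30 * 60   # temporary, not permanent, to limit attacker-induced lockouts
MAX_DELAY_SECONDS = 30


class LoginGuard:
    """Per-account throttling: a delay that doubles with each recent failure,
    then a temporary lockout once MAX_FAILURES is reached."""

    def __init__(self, credentials, clock=time.monotonic):
        # Constructed sample: plaintext {user: password}; real systems store
        # salted slow hashes (bcrypt/scrypt/Argon2) and verify against those.
        self._credentials = credentials
        self._clock = clock                  # injectable for testing
        self._failures = defaultdict(list)   # user -> timestamps of recent failures
        self._locked_until = {}

    def _recent(self, user):
        now = self._clock()
        self._failures[user] = [t for t in self._failures[user] if now - t < WINDOW_SECONDS]
        return self._failures[user]

    def required_delay(self, user):
        """Seconds the server should wait before answering the next attempt."""
        n = len(self._recent(user))
        return 0.0 if n == 0 else float(min(2 ** (n - 1), MAX_DELAY_SECONDS))

    def attempt(self, user, password):
        """Returns 'ok', 'denied' or 'locked'. The caller sleeps required_delay() first."""
        now = self._clock()
        if self._locked_until.get(user, 0) > now:
            return "locked"          # even a correct password is refused while locked
        expected = self._credentials.get(user, "")
        # Constant-time compare; the empty dummy keeps timing similar for unknown users.
        ok = hmac.compare_digest(expected.encode(), password.encode()) and user in self._credentials
        if ok:
            self._failures.pop(user, None)
            return "ok"
        recent = self._recent(user)
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            self._failures.pop(user, None)
            return "locked"
        return "denied"


if __name__ == "__main__":
    guard = LoginGuard({"alice": "correct horse battery staple"})
    for guess in ["password", "Password1", "alice123", "letmein", "qwerty",
                  "correct horse battery staple"]:
        time.sleep(guard.required_delay("alice"))
        print(f"{guess!r:35} -> {guard.attempt('alice', guess)}")
```

Because failures are counted per account rather than per source, the guard still works when guesses arrive from many IP addresses; the trade-off is that an attacker can deliberately trigger the lockout, which is why it expires rather than requiring an administrator to clear it.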
Countering a Brute Force Attack with a Strong Password Policy
The primary defence against a brute-force attack is enforcement of a strong password policy. As mentioned earlier, dictionary words make poor passwords. Length also matters: the longer the password, the harder it is to brute-force. While there is no strict definition of a strong password that will resist a dictionary attack, some reasonable guidelines are:
- Minimum length of at least seven characters.
- Must include both upper and lower case characters.
- Must include numeric characters.
- Must include punctuation.
These guidelines may seem strict, but a password that follows them is very unlikely to be found by an online brute-force attack against the login interface.
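The policy points in this section and the previous one (minimum length, rejecting dictionary-derived passwords however they are mangled, and the 'longhorns2018' to 'longhorns2019' rotation problem) as one added Python example, not code from the original article. It normalises a candidate back to its base word before checking it against a wordlist, so "P4ssw0rd1!" is rejected even though it satisfies every composition rule. The wordlist is a constructed stand-in and the default minimum length of 12 is this example's assumption, not the article's.

```python
import re

# Constructed stand-in for a real wordlist (names, places, leaked passwords, ...).
COMMON_WORDS = {"password", "longhorns", "welcome", "dragon", "monkey", "austin"}
UNLEET = str.maketrans({"4": "a", "3": "e", "1": "i", "0": "o", "$": "s", "@": "a"})


def base_word(password):
    """Undo the usual mangling: strip leading/trailing digits and symbols,
    reverse leet-speak, lowercase. 'L0ngh0rns2019!' -> 'longhorns'."""
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", password)
    return core.translate(UNLEET).lower()


def check_password(candidate, previous=None, min_length=12):
    """Return a list of policy violations (empty means the password is acceptable)."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    stem = base_word(candidate)
    if stem in COMMON_WORDS:
        problems.append("dictionary word with predictable mangling")
    if previous is not None and stem == base_word(previous):
        problems.append("too similar to the previous password")
    return problems


if __name__ == "__main__":
    for pw, prev in [("P4ssw0rd1!", None), ("longhorns2019", "longhorns2018"),
                     ("correct horse battery staple", None)]:
        print(f"{pw!r:32} -> {check_password(pw, prev, min_length=8) or 'ok'}")
```

The same normalisation is what an attacker's rule engine performs in reverse, which is the point: any password the checker can reduce to a wordlist entry is one the attacker's rules will generate.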
There are almost 70 trillion (95^7) combinations of seven characters drawn from uppercase and lowercase letters, digits and punctuation. Even an attack tool making one hundred requests per second would need over 11,000 years before it became statistically likely to guess the password. That figure assumes an online attack against the login form. If the attacker obtains the password hashes and cracks them offline, GPU rigs test billions of guesses per second against fast unsalted hashes and exhaust those 70 trillion combinations in under a day, which is why stored passwords must use a slow, salted hash (bcrypt, scrypt or Argon2) and why length matters more than a seven-character minimum.
Obviously, most websites will want to block a dictionary attack much sooner than that. Many organizations use an intrusion detection system (IDS) to flag an abnormally high number of login requests coming from a single source.
This is a good idea, but it is not sufficient on its own. An attacker will simply slow the automated tool down until it falls under the IDS alert threshold, or spread the attempts across many source addresses (a botnet or proxy pool) so that no single source stands out. Detection therefore also needs to count failures per target account over a long window, regardless of source.
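The two detection rules just described, as an added Python example that is not part of the original page: a per-source burst rule like a typical IDS threshold, and a per-account rule over a longer window that catches the slowed-down or distributed attacker the burst rule misses. The log lines are constructed in sshd's "Failed password" format with ISO timestamps; the thresholds and windows are this example's assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd-style failure line with an ISO timestamp (syslog's "May  1 10:00:00"
# form would need a different timestamp parser but the same logic).
FAIL_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def build_sample_log():
    """Constructed log: a noisy attacker, a low-and-slow distributed attacker, one typo."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i in range(12):   # 12 failures against bob from one IP within 22 seconds
        ts = (t0 + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} web1 sshd[4242]: Failed password for bob from 203.0.113.9 port {50000 + i} ssh2")
    for i in range(8):    # 8 failures against alice, one every 10 minutes, each from a new IP
        ts = (t0 + timedelta(minutes=10 * i)).isoformat()
        lines.append(f"{ts} web1 sshd[4243]: Failed password for alice from 198.51.100.{i + 1} port {40000 + i} ssh2")
    ts = (t0 + timedelta(minutes=5)).isoformat()
    lines.append(f"{ts} web1 sshd[4244]: Failed password for carol from 192.0.2.7 port 51234 ssh2")
    ts = (t0 + timedelta(minutes=6)).isoformat()
    lines.append(f"{ts} web1 sshd[4244]: Accepted password for carol from 192.0.2.7 port 51234 ssh2")
    return lines


def parse_failures(lines):
    """Return (timestamp, user, source) for every failed-password line."""
    events = []
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"]))
    return events


def sliding_window_alerts(events, key_index, threshold, window):
    """Keys (index 1 = user, 2 = source) with >= threshold failures inside any `window`."""
    by_key = defaultdict(list)
    for ev in sorted(events):
        by_key[ev[key_index]].append(ev[0])
    alerts = set()
    for key, times in by_key.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.add(key)
                break
    return alerts


def burst_sources(events):
    """The usual IDS rule: many failures from one source within a minute."""
    return sliding_window_alerts(events, 2, threshold=10, window=timedelta(minutes=1))


def slow_targets(events):
    """Per-account rule: failures against one account over two hours, from any sources."""
    return sliding_window_alerts(events, 1, threshold=6, window=timedelta(hours=2))


if __name__ == "__main__":
    events = parse_failures(build_sample_log())
    print("burst sources:", burst_sources(events))   # {'203.0.113.9'}
    print("slow targets :", slow_targets(events))    # {'alice', 'bob'}
```

Against the constructed log the burst rule sees only the noisy attacker, because each of alice's attackers sends a single request per source; the per-account rule catches both, at the cost of a larger state table and the need to distinguish a genuinely forgetful user from a slow attack (the per-account threshold is deliberately higher than a handful of typos).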
Disable Root User Login
Disable root login for remote connections. The root account exists on every Unix-like system, so it is the first username brute-force tools try. I won't go into detail here, but you can read more in When you should disable root login.. or not and Simple security tricks to harden a new Linux server.
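An added Python check, not code from this article or from either linked post, that reads an sshd_config and reports the effective PermitRootLogin setting. The check matters because sshd uses the first value it reads for each keyword, and every line after a Match line up to the next Match belongs to that block, so a "PermitRootLogin no" simply appended to the end of the file may never apply globally. The sample configuration is constructed for this example.

```python
import re

SSHD_KEYWORDS = ("permitrootlogin", "passwordauthentication", "maxauthtries")

# Constructed sshd_config: a hardening script appended "PermitRootLogin no"
# after a Match block, so it only applies to 10.0.0.0/8 and the global "yes" stands.
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6

Match Address 10.0.0.0/8
    PermitRootLogin prohibit-password
# appended later by a "hardening" script
PermitRootLogin no
"""


def effective_sshd_settings(config_text, keywords=SSHD_KEYWORDS):
    """Return ({keyword: value} for the global section using sshd's first-match rule,
    [(match_criteria, keyword, value), ...] for settings inside Match blocks)."""
    global_values = {}
    match_settings = []
    current_match = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current_match = value          # everything until the next Match is conditional
            continue
        if key not in keywords:
            continue
        if current_match is None:
            global_values.setdefault(key, value)   # first occurrence wins
        else:
            match_settings.append((current_match, key, value))
    return global_values, match_settings


def root_login_findings(config_text):
    """Human-readable findings; empty list means root login is off everywhere."""
    global_values, match_settings = effective_sshd_settings(config_text)
    findings = []
    # OpenSSH >= 7.0 defaults to prohibit-password when the keyword is absent.
    effective = global_values.get("permitrootlogin", "prohibit-password (default)")
    if effective != "no":
        findings.append(f"global PermitRootLogin is {effective}, want no")
    for criteria, key, value in match_settings:
        if key == "permitrootlogin" and value != "no":
            findings.append(f"Match {criteria} sets PermitRootLogin {value}")
    return findings


if __name__ == "__main__":
    for finding in root_login_findings(SAMPLE_CONFIG) or ["root login disabled everywhere"]:
        print(finding)
```

Run it against /etc/ssh/sshd_config after changing the setting, and confirm with `sshd -T` (which prints the effective configuration) before reloading the daemon; keep an existing session open while you test, so a mistake does not lock you out.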