A dictionary attack is a type of cybersecurity attack in which an attacker uses a password-guessing technique to break into a password-protected computer or server by systematically trying each word in a dictionary as the password, or to determine the decryption key of an encrypted message or document, in the hope that one of these guesses is the user's actual password. In contrast with a brute-force attack, where a large proportion of the key space is searched systematically, a dictionary attack tries only those possibilities that are most likely to succeed, because many users and businesses use ordinary words as passwords.
What type of password can be easily hacked by a dictionary attack?
- Variations on the user’s first or last name, initials, account name, and other relevant personal information (such as address and telephone number, pet’s name, and so on).
- Words from various databases such as male and female names, places, cartoon characters, films, myths, and books.
- Spelling variations and permutations of the above words, such as replacing the letter “o” with the number “0,” using random capitalization, and so on.
- Common word pairs.
How to prevent a dictionary attack?
Strengthen your password requirements
Probably the simplest to implement and the most effective as well. Increase password complexity requirements, such as requiring specific symbols, numbers, and/or uppercase letters. Any of these restrictions will encourage someone to choose an uncommon password rather than one that is found in the dictionary. Requiring a minimum length (8 characters is likely sufficient in combination with several of the other options below) helps as well.
Modern systems typically require users to cycle passwords regularly. Some corporate environments require users to change passwords every 90 days, or maybe even every 30 days. The rationale behind this is that an attacker who is attempting a brute-force attack against a complex password would need weeks to succeed. If the password changes during that time frame, the attacker will need to start over. However, as many users would confess, these strict password requirements can backfire, with users choosing weaker, sequential passwords (‘longhorns2018,’ ‘longhorns2019,’ and so on). An attacker would quickly try incrementing the password.
Countering a Brute Force Attack with a Strong Password Policy
- Minimum length of at least seven characters.
- Must include both upper and lower case characters.
- Must include numeric characters.
- Must include punctuation.
These guidelines may seem overly strict, but there is little chance that a password created under these restrictions will be found by a brute-force attack. There are almost 70 trillion combinations of characters that are seven characters long and can include upper case characters, lower case characters, numbers, and punctuation (the 95 printable ASCII characters raised to the seventh power). Even a dictionary attack tool that could make one hundred requests per second would still take over 11,000 years before it would be statistically likely to have guessed the password.
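As an added example (not code from the original article), the policy above combined with the dictionary-word and spelling-variation checks from the earlier sections, plus the key-space estimate from the paragraph above; the word list is a constructed stand-in for a real dictionary.

```python
import re
import string

# Constructed stand-in for the "words from various databases" a dictionary
# attack would try (names, places, common passwords). A real deployment
# would load a large wordlist here.
COMMON_WORDS = {"password", "longhorns", "dragon", "austin", "fluffy", "qwerty"}

# Undo the spelling tricks the article lists ("o" -> "0" and similar), so a
# "clever" variant of a dictionary word is still recognised as that word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Reduce e.g. 'L0nGh0rns2019!' to the base word 'longhorns'."""
    base = password.lower()
    # Drop an appended year / counter / symbol before undoing leet-speak,
    # otherwise the digits of the year would be turned into letters.
    base = base.rstrip(string.punctuation + string.digits)
    return base.translate(LEET)


def check_policy(password: str, min_len: int = 7) -> list:
    """Return the list of violations of the policy above (empty list = passes)."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not re.search(r"[a-z]", password) or not re.search(r"[A-Z]", password):
        problems.append("needs both upper and lower case letters")
    if not re.search(r"\d", password):
        problems.append("needs a digit")
    if not any(c in string.punctuation for c in password):
        problems.append("needs punctuation")
    if normalize(password) in COMMON_WORDS:
        problems.append("based on a dictionary word")
    return problems


def years_to_crack(length: int, alphabet: int = 95, guesses_per_sec: float = 100.0) -> float:
    """Years until a brute-force search over the key space is statistically
    likely to succeed (half the space tried), at the given guess rate."""
    seconds = (alphabet ** length / 2) / guesses_per_sec
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ["abc", "L0nGh0rns2019!", "Tr0ub&dor#9"]:
        print(pw, "->", check_policy(pw) or "OK")
    print(f"7 chars at 100 guesses/s: ~{years_to_crack(7):,.0f} years")
```

The last line reproduces the article's 11,000-year figure; raising `guesses_per_sec` to what offline cracking hardware achieves shows why the minimum length matters more than the 100-request assumption.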
Obviously, most Web sites will want to block a dictionary attack much sooner than 11,000 years into the attack. Many organizations use an intrusion detection system (IDS) to detect an abnormally high number of requests coming from a single user. This is a good idea, but it is not sufficient to prevent a brute-force attack. A clever hacker will simply reduce the rate of requests from the automated tool until it falls under the alert threshold of the IDS.
Disable Root User Login
Disable root login for remote connections. Root is a common username and is a common target for brute-force attacks. I won't go into detail here, but you can read more in "When you should disable root login.. or not" and "Simple security tricks to harden a new Linux server".