Dictionary attacks threaten the security of your networks and platforms. They try to compromise a user account by generating a matching password. Learn how they work and how to beat them.
User accounts on computer systems, web sites, and hosted services need to be protected from unauthorized access. User authentication is the most common way to do this. Users are given a unique user ID—for online accounts, this is usually their email address—and a password. These two bits of information must be provided, checked, and verified before the user can access the account.
Dictionary attacks are a family of cyberattacks that share a common attack technique. They use long lists—sometimes entire databases—of words and a piece of software. The software reads each word from the list in turn and tries to use it as the password for the account under attack. If one of the words in the list matches the genuine password, the account is compromised.
These attacks differ from the more primitive brute-force type of attack. Brute-force attacks try random combinations of letters and characters in the hope that they stumble upon the password by chance and good luck. These attacks are inefficient. They are time-consuming and computationally intensive.
The effort needed to crack a password rises massively with each extra letter you add to your password. There are orders of magnitude more combinations in an eight-character password than there are in a five-character password. There is no guarantee a brute-force attack will ever succeed. But with dictionary attacks, if one of the entries in the list matches your password, the attack will eventually succeed.
Of course, most corporate networks will enforce automatic account lock-outs after a set number of failed access attempts. Very often, though, the threat actors start with the corporate websites, which often have less stringent controls on access attempts. And if they gain access to the website they can try those credentials on the corporate network. If the user has re-used the same password, the threat actors are now in your corporate network. In most cases, the website or portal isn’t the real target. It is a staging post en route to the threat actor’s actual prize—the corporate network.
Gaining access to the website allows threat actors to inject malicious code that will monitor login attempts and record the user IDs and passwords. It will either send the information to the threat actors or log it until they return to the site to collect it.
Not Just Words in a File
The earliest dictionary attacks were just that. They used words from the dictionary. This is why “never use a dictionary word” was part of the guidance on choosing a strong password.
Disregarding this advice and choosing a dictionary word anyway, then adding a digit to it so that it didn’t match a word in the dictionary, is just as poor. The threat actors who write the dictionary attack software are wise to this. They developed a new technique that tries each word from the list many times. With each attempt, some digits are added to the end of the word. This is because people often use a word and append a digit such as 1, then 2, and so on, each time they have to change their password.
Sometimes they add a two- or four-digit number to represent a year. It might represent a birthday, anniversary, the year your team won the cup, or some other significant event. Because people use the names of their children or significant other as passwords, the dictionary lists were expanded to include male and female names.
And the software evolved again. Schemes that substitute numbers for letters, such as 1 for “i”, 3 for “e”, 5 for “s”, and so on, add no significant complexity to your password. The software knows the conventions and works through those combinations too.
Nowadays all of these techniques are still used, along with other lists that don’t hold standard dictionary words. They contain actual passwords.
Where the Lists of Passwords Come From
The well-known Have I Been Pwned website stores a searchable collection of over 10 billion compromised accounts. Each time there is a data breach, the maintainers of the site attempt to obtain the data. If they manage to acquire it they add it to their databases.
You can freely search their email address database. If your email address is found in the database you are told which data breach leaked your information. For example, I found one of my old email addresses in the Have I Been Pwned database. It was leaked in a 2016 breach of the LinkedIn website. That means my password for that site would also have been breached. But because all of my passwords are unique all I had to do was change the password for that one site.
Have I Been Pwned has a separate database for passwords. You cannot match email addresses to passwords on the Have I Been Pwned site, for obvious reasons. If you search for your password and find it in the list it doesn’t necessarily mean that the password came from one of your accounts. With 10 billion breached accounts there are going to be duplicated entries. The interesting point is you are told how popular that password is. You thought your passwords were unique? Probably not.
But whether the password in the database came from one of your accounts or not, if it is on the Have I Been Pwned website it is going to be in the password lists used by the threat actors’ attack software. It doesn’t matter how arcane or obscure your password is. If it is in the password lists it cannot be relied upon—so change it immediately.
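The password search described above can be automated without ever sending the password anywhere. This is an added example, not code from the article or from Have I Been Pwned: it implements the k-anonymity scheme used by the Pwned Passwords range API (only the first five hex characters of the SHA-1 are sent, the suffixes are compared locally), with the network call replaced by a constructed response so it runs offline.

```python
import hashlib


def pwned_count(password: str, range_lookup) -> int:
    """Return how often a password appears in a Pwned Passwords style range response.

    Only the first five hex characters of the password's SHA-1 are sent to the service
    (k-anonymity); every suffix it returns is compared locally, so neither the password
    nor its full hash leaves the client.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        cand_suffix, _, count = line.strip().partition(":")
        if cand_suffix == suffix:
            return int(count)
    return 0


# Constructed stand-in for the HTTPS call GET https://api.pwnedpasswords.com/range/<prefix>.
# The real service answers with one "SUFFIX:COUNT" line per breached hash sharing that
# prefix. The suffixes and counts here are made up, except that the first entry is the
# genuine SHA-1 suffix of "password" (5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8), so the
# lookup has one true positive to find.
FAKE_RANGES = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "0000000A1B2C3D4E5F60718293A4B5C6D7E:2",
        "F" * 35 + ":15",
    ]),
}


def fake_range_lookup(prefix: str) -> str:
    """Offline replacement for the network call; unknown prefixes return an empty range."""
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "thirty.feather.girder"):
        print(f"{pw!r}: seen {pwned_count(pw, fake_range_lookup)} times in breaches")
```

Swapping `fake_range_lookup` for a function that performs the real HTTPS request is the only change needed for a live check.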
Variations of Password-Guessing Attacks
Even with relatively low-brow attacks like dictionary attacks, the attacker can use some simple research to try to make the software’s job easier.
For example, they may sign up or partially sign up on the site they wish to attack. They will then be able to see the password complexity rules for that site. If the minimum length is eight characters the software can be set to start at strings of eight characters. There is no point in testing all of the four, five, six, and seven-character strings. If there are disallowed characters they can be removed from the “alphabet” that the software can use.
Here is a short description of different types of list-based attacks.
- Traditional Brute-Force Attack: Actually, this isn’t a list-based attack. A dedicated, purpose-written software package generates all combinations of letters, numbers, and other characters such as punctuation and symbols, in progressively longer strings. It tries each one as the password on the account under attack. If it happens to generate a combination of characters that matches the password for the account under attack, that account is compromised.
- Dictionary Attack: A dedicated, purpose-written software package takes one word at a time from a list of dictionary words, and tries them as the password against the account under attack. Transformations can be applied to the dictionary words such as adding digits to them and substituting digits for letters.
- Password Look-Up Attack: Similar to a dictionary attack, but the word lists contain actual passwords. Automated software reads a password at a time from a huge list of passwords collected from data breaches.
- Intelligent Password Look-Up Attack: Like a password look-up attack, but transformations of each password are tried as well as the “naked” password. The transformations emulate commonly used password tricks such as substituting digits for vowels.
- API Attack: Instead of trying to crack a user’s account, these attacks use software to generate strings of characters they hope will match a user’s key for an Application Programming Interface. If they can get access to the API they may be able to exploit it to exfiltrate sensitive information or intellectual property.
A Word About Passwords
Passwords should be robust, unique, and unrelated to anything that could be discovered or deduced about you, such as children’s names. Passphrases are better than passwords. Three unrelated words joined by some punctuation make a very strong template for a password. Counter-intuitively, passphrases commonly use dictionary words, and we’ve always been warned not to use dictionary words in passwords. But combining them in this way creates a very difficult problem for the attack software to solve.
We can use the How Secure Is My Password website to test the strength of our passwords.
- cloudsavvyit: Estimated time to crack: three weeks.
- cl0uds4vvy1t: Estimated time to crack: three years.
- thirty.feather.girder: Estimated time to crack: 41 quadrillion years!
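The mangling rules described earlier (appended digits and years, digit-for-letter substitutions) can be run in reverse as a defensive password filter, which is what a policy check needs in order to reject `cl0uds4vvy1t` as firmly as `cloudsavvyit`. This is an added example, not code from the article: the banned list is a small constructed sample standing in for a dictionary or breach corpus (the article's site name is included so its three test passwords can be checked), and the minimum length of eight follows the example given under complexity rules above.

```python
import re

# Constructed banned list standing in for a dictionary or breach corpus; a real
# policy would load a large file. "cloudsavvyit" is included so that the three
# passwords the article tests can be checked here.
BANNED_WORDS = {"cloudsavvyit", "password", "welcome", "summer", "dragon"}

# The substitutions the article describes (1 for i, 3 for e, 5 for s, ...), reversed
# so that a mangled candidate can be mapped back to the base word it came from.
LEET_REVERSE = str.maketrans(
    {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"}
)

# Appended four-digit years, runs of up to three digits, or trailing punctuation.
TRAILING_SUFFIX = re.compile(r"(?:19|20)\d{2}$|\d{1,3}$|[!?.]+$")


def base_words(candidate: str) -> set[str]:
    """Return the base words an attacker's mangling rules could have started from."""
    forms = {candidate.lower()}
    # Peel off appended digits, years and punctuation one layer at a time
    # ('summer2019!' -> 'summer2019' -> 'summer').
    stripped = candidate.lower()
    while True:
        peeled = TRAILING_SUFFIX.sub("", stripped)
        if peeled == stripped:
            break
        stripped = peeled
        forms.add(stripped)
    # Undo leet substitutions on every form found so far ('cl0uds4vvy1t' -> 'cloudsavvyit').
    for form in list(forms):
        forms.add(form.translate(LEET_REVERSE))
    return forms


def check_password(candidate: str, min_length: int = 8) -> tuple[bool, str]:
    """Reject a candidate that is a banned word or a simple mangling of one."""
    hits = base_words(candidate) & BANNED_WORDS
    if hits:
        return False, "derived from banned word(s): " + ", ".join(sorted(hits))
    if len(candidate) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("cloudsavvyit", "cl0uds4vvy1t", "Summer2019!", "thirty.feather.girder"):
        print(f"{pw:25} -> {check_password(pw)}")
```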
And don’t forget the golden rule. Passwords must only ever be used on one system or website. They must never be used in more than one place. If you use passwords in more than one system and one of those systems is breached, all of the sites and systems you’ve used that password on are at risk because your password will be in the threat actors’ hands—and in their password lists. Whether or not your password takes 41 quadrillion years to crack, if it is in their password lists the crack time is completely irrelevant.
If you’ve got too many passwords to remember, use a password manager.
How to Protect Against Brute-Force Attacks
A layered defensive strategy is always best. No single defensive measure is going to make you immune to dictionary attacks, but there are a number of measures that you can consider that will complement each other and greatly reduce the risk that you are susceptible to these attacks.
- Enable multi-factor authentication where possible. This brings something physical that the user owns—such as a cell phone or a USB key or fob—into the equation. Information that is sent to an app on the phone, or information in the fob or USB key is incorporated into the authentication process. The user ID and password on their own are insufficient to gain access to the system.
- Use robust passwords and passphrases that are unique, and stored securely in an encrypted form.
- Create and roll out a password policy that governs the use, protection of, and acceptable formulation of passwords. Introduce it to all staff, and make it mandatory.
- Limit log-in attempts to a low number. Either lock the account when the number of failed attempts has been reached, or lock it and force a password change.
- Enable captchas or other secondary, image-based authentication steps. These are intended to stop bots and password software because a human has to interpret the image.
- Consider using a password manager. A password manager can generate complex passwords for you. It remembers which password goes with which account so you don’t need to. A password manager is the easiest way to have cast-iron, unique passwords for every single account you need to keep track of.
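The log-in limit in the list above has two variants, lock the account or lock it and force a password change, and both depend on counting failures inside a time window so that a slow guessing run is still caught. This added example (not code from the article) implements that control as a sliding-window throttle and replays a constructed attempt log against it; the thresholds (5 failures in 15 minutes, 30-minute lock) are assumptions for illustration.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Lock an account after max_failures fails inside a sliding window; optionally force a reset."""

    def __init__(self, max_failures=5, window=900.0, lockout=1800.0, force_reset=False):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.force_reset = force_reset       # the article's second option: lock AND force a change
        self._failures = defaultdict(deque)  # user -> timestamps of recent failed attempts
        self._locked_until = {}              # user -> time at which the lock expires
        self.needs_reset = set()             # users who must change their password

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        if until is not None and now < until:
            return True
        self._locked_until.pop(user, None)   # no lock, or it has expired
        return False

    def record_failure(self, user, now):
        """Record a failed attempt; return True if this attempt triggered a lockout."""
        recent = self._failures[user]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # forget failures outside the window
            recent.popleft()
        if len(recent) < self.max_failures:
            return False
        self._locked_until[user] = now + self.lockout
        if self.force_reset:
            self.needs_reset.add(user)
        recent.clear()
        return True

    def record_success(self, user):
        self._failures.pop(user, None)       # a good login resets the counter

def replay(throttle, events):
    """Replay (time, user, 'ok'|'fail') events in time order; return users who got locked."""
    locked = []
    for when, user, outcome in sorted(events):
        if throttle.is_locked(user, when):
            continue                         # rejected before the password is even checked
        if outcome == "fail":
            if throttle.record_failure(user, when):
                locked.append(user)
        else:
            throttle.record_success(user)
    return locked

# Constructed log: a word list run against 'alice' (a guess every 2 s); 'bob' mistypes once, then logs in.
SAMPLE_EVENTS = [(2.0 * i, "alice", "fail") for i in range(8)] + [(3.0, "bob", "fail"), (9.0, "bob", "ok")]
```

Attempts against a locked account are refused before any password comparison, so the guessing software learns nothing from them.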