Dictionary Attack
Dictionary attacks may be applied in two main situations:
In the latter case, the effectiveness of a dictionary attack can be greatly reduced by limiting the number of authentication attempts that can be performed each minute, and even by blocking further attempts once a threshold of failed authentication attempts is reached. Generally, 3 attempts is considered sufficient to cope with mistakes made by legitimate users; beyond that, one can safely assume that the user is a malicious attacker.

There is some commonality between these situations. For instance, an eavesdropper may record a challenge-response authentication exchange between two parties and use a dictionary attack to try to determine what the password was. Or, an attacker may be able to obtain a copy of the list of encrypted passwords from a remote system; assuming the users are mostly English speakers, the attacker could attempt to guess the passwords at leisure, by encrypting each word in a list of English words and comparing each result against the stored encrypted version of the users' passwords. Since users often choose easily guessed passwords, this has historically succeeded about 4 times out of 10 when a reasonably large list is used. Dictionaries for most human languages (even those no longer used) are easily accessible on the Internet, so even the use of foreign words is practically useless in preventing dictionary attacks.

It is possible to achieve a time-space tradeoff through precomputation: encrypt and store a list of encrypted dictionary words, sorted by the encrypted value. This requires a large amount of storage and often a considerable amount of preparation time, but makes the actual attack almost instantaneous. It is particularly effective when a large number of passwords are to be cracked at once. Salting is a technique that forces the encrypted dictionary to be recomputed for each password sought, potentially making precomputation impossible, provided the salt is large enough.
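As an added illustration (not part of the original article), the Python below builds the precomputed, digest-indexed dictionary table the text describes and shows why a per-account salt defeats it: the table built without a salt resolves an unsalted stored digest instantly, but returns nothing for a salted one and would have to be rebuilt for every distinct salt. The word list and the use of SHA-256 are assumptions made for the demonstration.

```python
import hashlib
import os
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a dictionary; a real word list would be far larger.
WORDLIST: List[str] = ["apple", "banana", "cherry", "dragon", "eagle"]


def digest(password: str, salt: bytes = b"") -> str:
    """One-way transform of a password, optionally prefixed by a salt.
    SHA-256 keeps the demo self-contained; a real password store should use a
    slow, memory-hard KDF such as scrypt or Argon2."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def precompute_table(words: List[str], salt: bytes = b"") -> Dict[str, str]:
    """The time-space tradeoff: hash every word once, indexed by digest, so a
    later lookup costs one dictionary access instead of a pass over the list.
    Unsalted, the table serves every account; salted, it is only valid for
    accounts that share that exact salt, so it must be rebuilt per account."""
    return {digest(w, salt): w for w in words}


def lookup(table: Dict[str, str], stored: str) -> Optional[str]:
    """Instant lookup; None means the stored digest is not in the table."""
    return table.get(stored)


def store_salted(password: str) -> Tuple[bytes, str]:
    """Defender's side: fresh random 16-byte salt per account, kept next to the
    digest so the legitimate verifier can recompute it."""
    salt = os.urandom(16)
    return salt, digest(password, salt)


def compare_unsalted_vs_salted(password: str) -> Tuple[Optional[str], Optional[str]]:
    """(hit against an unsalted store, hit against a salted store) using one
    precomputed unsalted table; the second is None whenever the salt works."""
    table = precompute_table(WORDLIST)
    unsalted_hit = lookup(table, digest(password))
    _salt, salted_digest = store_salted(password)
    return unsalted_hit, lookup(table, salted_digest)


def same_password_distinct_digests(password: str) -> bool:
    """Two accounts with the same password get different digests, so cracking
    one tells the attacker nothing about the other."""
    return store_salted(password)[1] != store_salted(password)[1]
```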
An example of a dictionary attack occurred in the Second World War, when British codebreakers working on German Enigma-ciphered messages used the German word "eins" as part of the attack; "eins", the word for the number one, appeared in 90% of all ciphertexts, as the Enigma machine's keyboard had no numerals (some might classify this as a known-plaintext attack). Clifford Stoll's book, "The Cuckoo's Egg", contains an account of a dictionary attack against the encrypted passwords kept in the passwd file on Unix systems, and of the reaction to the successful attack by the man (Robert Morris) who invented the one-way encryption system used for login passwords.

EXAMPLES
Well-known examples of dictionary attack software tools: