Dictionary Attack





USE

Dictionary attacks may be applied in two main situations:
  • in cryptanalysis, in trying to determine the decryption key for a given piece of ciphertext;

  • in computer security, in trying to circumvent an authentication mechanism for accessing a computer system by guessing passwords.


In the latter case, the effect of a dictionary attack can be greatly reduced by limiting the number of authentication attempts that can be performed each minute, and even blocking further attempts after a threshold of failed authentication attempts is reached. Generally, 6 attempts is considered sufficient to cope with mistakes made by legitimate users; beyond that, one can safely assume that the user is a malicious attacker.
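
The two controls described above, a per-minute attempt limit and a lockout after repeated failures, can be combined in one small component. This is an added example, not code from the original article; the class name, the budget of 3 attempts per minute and the 15-minute lockout are assumptions, while the threshold of 6 failures is the figure given in the text.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 6         # lockout threshold, the figure given in the text
MAX_PER_MINUTE = 3       # assumed per-minute attempt budget
WINDOW_SECONDS = 60.0
LOCKOUT_SECONDS = 900.0  # assumed lockout duration


class LoginThrottle:
    """Per-account attempt limiter; the clock is injectable for testing."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._recent = defaultdict(deque)  # account -> attempt timestamps
        self._failures = defaultdict(int)  # account -> consecutive failures
        self._locked_until = {}            # account -> unlock time

    def check(self, account):
        """Call before verifying a password: 'ok', 'rate_limited' or 'locked'."""
        now = self._clock()
        if self._locked_until.get(account, float("-inf")) > now:
            return "locked"
        recent = self._recent[account]
        while recent and now - recent[0] >= WINDOW_SECONDS:
            recent.popleft()               # drop attempts older than a minute
        if len(recent) >= MAX_PER_MINUTE:
            return "rate_limited"
        recent.append(now)
        return "ok"

    def record(self, account, success):
        """Call after verification with the outcome."""
        if success:
            self._failures.pop(account, None)  # a good login resets the count
            return
        self._failures[account] += 1
        if self._failures[account] >= MAX_FAILURES:
            self._locked_until[account] = self._clock() + LOCKOUT_SECONDS
            self._failures[account] = 0


if __name__ == "__main__":
    throttle = LoginThrottle()
    for n in range(1, 5):                  # constructed burst of wrong guesses
        status = throttle.check("alice")
        if status == "ok":
            throttle.record("alice", success=False)
        print(n, status)
```

Keying the counters on the account name alone lets anyone lock a legitimate user out by failing on purpose, so deployments commonly track the source address as well.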

However, many systems store a hashed version of the password and make it available under certain circumstances, such as a that is computationally intensive, such as PBKDF2. Since users often choose easily guessed passwords, this has historically succeeded more than 2 times out of 10 when a reasonably large list is used. Lists of commonly selected passwords are widely available on the Internet, as are dictionaries for most human languages (even those no longer used), meaning even the use of foreign words has limited value in preventing dictionary attacks.

Spammers often use a form of dictionary attack, sometimes known as a directory harvest attack, for e-mail address harvesting. For example, a spammer may try sending messages to adam@example.com, barbara@example.com, carl@example.com, etc. Any addresses to which messages are delivered, as opposed to being bounced back, can be added to the spammer's list of known-valid addresses.

Clifford Stoll's book, "The Cuckoo's Egg", contains an account of a dictionary attack against the encrypted passwords kept in the passwd file on Unix systems, and of the reaction to the successful attack by the man (Robert Morris) who invented the one-way encryption system used for login passwords.


PRE-COMPUTED DICTIONARY ATTACK

It is possible to achieve a time-space tradeoff through precomputation by encrypting and storing a list of encrypted dictionary words, sorted by the encrypted value. This requires a considerable amount of preparation time, but makes the actual attack almost instantaneous. The storage requirements for the pre-computed tables were once a major cost, but are less of an issue today due to the rapid improvements in hard drive technology. Pre-computed dictionary attacks are particularly effective when a large number of passwords are to be cracked at once. A more refined approach involves the use of "rainbow tables". Salting is a technique that forces the encrypted dictionary to be recomputed for each password sought, potentially making precomputation infeasible, provided the salt is large enough.

