How a dictionary attack works

Last Updated on July 15, 2018 by Dave Farquhar

A dictionary attack is a common way to steal a password. Here’s how a dictionary attack works, in layperson’s terms. More importantly, here’s how to beat the attack.

A dictionary attack is a much more efficient alternative to brute force hacking, but it requires a local copy of the user database to work. That usually means stealing the database first, if a bad guy is doing it. But nothing stops a company from doing a dictionary attack on its own user accounts to make sure people aren’t using insecure passwords. It’s unusual, but not unheard of.

How a dictionary attack works
A dictionary attack compares millions of precomputed hashes against a stolen list of hashed passwords.

No good system stores passwords as straight plan text. Instead, it stores a hash of the password. It’s not exactly encryption. If you’re sitting for the CISSP exam soon, you need to know the difference. If not, think of it like encryption, or scrambling.

Computing these hashes takes time. But there are a limited number of these hash algorithms. There are also a limited number of passwords that humans actually use. A dictionary attack just stores precomputed hashes for millions of passwords and tries them.

This may make your eyes glaze over but bear with me for a second while we look at some hashed data.

MD5 is an obsolete but still-common method. Here’s what the word password looks like after you hash it with MD5:

5f4dcc3b5aa765d61d8327deb882cf99

Here’s what passw0rd looks like after you hash it with MD5:

bed128365216c019988915ed3add75fb

It’s completely different, even though I changed a single character. As far as the computer is concerned, they’re two completely different words. If I’m a bad guy, my “dictionary” is just a file full of lines like the two in boldface above.

Now, the GCHQ (the British NSA) currently recommends you use four unrelated words as a password. I was skeptical. Then I did the math. Yes, for now, it’s good enough.

Why does this work, when people like me have been saying for years not to use dictionary words in passwords? Well, as long as the words are random and unrelated, it works. Let’s take the infamous XKCD Correct Horse Battery Staple example.

correct:
e5d7cffe25654f7e3a1e334118c71549

horse:
f1bdf5ed1d7ad7ede4e3809bd35644b0

battery:
20c1d18791a246001f5df7867d4e6bf5

staple:
d28fb2e46fb2b90144a4573f0dd84234

correcthorsebatterystaple:
e9f5bd2bae1c70770ff8c6e6cf2d7b76

Notice that all of the hashes are exactly the same length. I can’t derive the fifth one from any of the preceding four. So that’s why stringing four random words together defeats a dictionary attack.

Does the order matter? You tell me:

staplecorrecthorsebattery:
8f092d5bd2bd577682af2cdd3220bffe

Now here’s the danger: People will cheat and use four words from their favorite book or song and think they’re creating good passwords. Famous four-word combos are already in the attackers’ dictionaries. I guarantee that.

To do this right, pick up the nearest book. Turn to a random page and point at a word without looking. If one of the words fits with the others, discard it and pick another one. You want something as nonsensical as correct horse battery staple. But don’t use that one.

I can’t tell you if you picked a good four-word combination but I can tell you how to find if you picked a bad one. Plug your combination into an MD5 generator. Take the MD5 and copy and paste it into an MD5 reverser. If they can reverse it, it’s a bad password. Pick another one.

Technology doesn’t stand still. Will this still be good advice in five years? Ask me in the early 2020s.

The biggest problem with security is that we drive ourselves mad looking for A-plus security. In doing so we overlook good enough.

I work with my high-achieving clients to not overlook good enough. Four-word passwords make our lives easier and today, they’re good enough. So don’t feel guilty about using one.

So that’s how a dictionary attack works. More importantly, now you know how to defeat a dictionary attack. You can’t control how other people store your passwords, but you can make your password too hard to guess anyway. That’s security.

If you found this post informative or helpful, please share it!

One thought on “How a dictionary attack works

  • September 19, 2016 at 10:13 am
    Permalink

    Excellent overview.
    Thanks!

Comments are closed.