Defending Against Password Dictionary Attacks
Protect your networks and platforms from dictionary attacks that threaten security Understand the variations of password-guessing attacks and learn how to safeguard against brute-force attacks
Key Takeaways
Dictionary attacks are a common type of cyberattack that use long lists of words and software to try and match a password to gain access to an account.
Brute-force attacks, which involve testing random character combinations, are less efficient and more time-consuming when compared to dictionary attacks. To safeguard against dictionary attacks, it is crucial to use strong and exclusive passwords, enable multi-factor authentication, and contemplate the utilization of a password manager.
Dictionary attacks pose a serious threat to the security of your networks and platforms as they aim to breach user accounts by creating passwords that match. Discover the inner workings of these attacks and gain insight into effective strategies to counter them. This article on Cybersecurity Awareness Week is proudly sponsored by Incogni.
What is a Dictionary Attack?
Dictionary attacks encompass a range of cyberattacks that adopt a shared technique. These attacks rely on extensive lists, which can sometimes even consist of entire databases, alongside specialized software. This software sequentially scans each word in the list with the purpose of trying it as the password for the targeted account. Should any word from the list match the actual password, the account becomes compromised.
These attacks are different from the less sophisticated brute-force attacks. Unlike brute-force attacks, which rely on random combinations of letters and characters to stumble upon a password by chance, these attacks are more efficient. Brute-force attacks are time-consuming and require a lot of computational power.
As you increase the number of characters in your password, the effort required to crack it increases significantly. An eight-character password has exponentially more combinations than a five-character password. While there is no guarantee that a brute-force attack will ever be successful, a dictionary attack will eventually succeed if one of the entries in the list matches your password.
Most corporate networks enforce automatic account lock-outs after a certain number of failed access attempts. However, threat actors often target corporate websites, which usually have weaker access controls. If they manage to access the website, they can use the same credentials to try and gain access to the corporate network. If the user has reused the same password, the threat actors can infiltrate the corporate network. The website or portal is typically not the primary target, but rather a stepping stone towards the threat actor's ultimate goal - accessing the corporate network.
By gaining access to the website, threat actors can inject malicious code that monitors login attempts and records user IDs and passwords. This information is either sent to the threat actors or logged until they return to collect it.
Not Just Words in a File
Initially, dictionary attacks were strictly based on the use of words found in a dictionary. Consequently, the advice to refrain from employing dictionary words was emphasized as a crucial aspect of selecting a robust password.
Choosing a dictionary word and adding a digit to it in order to avoid matching a word in the dictionary is also an ineffective strategy. The threat actors who create dictionary attack software are aware of this tactic and have developed a new technique. This technique involves trying each word from the list multiple times, adding digits to the end of the word with each attempt. This is because people often use a word and sequentially append digits such as 1, 2, and so on when they need to change their password.
In addition, threat actors sometimes incorporate two or four-digit numbers that represent significant years, such as birthdays, anniversaries, or memorable events. Furthermore, considering that people often use the names of their children or significant others as passwords, the dictionary lists have been expanded to include both male and female names.
The software has further developed, incorporating substitution schemes where numbers (such as 1 for "i", 3 for "e", 5 for "s", etc.) replace letters in passwords. This does not significantly increase the complexity of your password as the software is aware of these conventions and can decipher such combinations. Presently, these techniques continue to be employed, alongside additional lists that exclude commonly used dictionary words, consisting of genuine passwords.
Where the Lists of Passwords Come From
The widely recognized website Have I Been Pwned houses an extensive database comprising more than 10 billion compromised accounts. Whenever a data breach occurs, the administrators of the site make concerted efforts to procure the compromised data. Upon successfully acquiring it, they promptly incorporate it into their existing databases.
You have the freedom to search their database of email addresses. If your email address is discovered in the database, you will be informed about the data breach that exposed your information. For instance, I discovered one of my previous email addresses in the Have I Been Pwned database. It was exposed during a breach of the LinkedIn website in 2016. Consequently, my password for that site would have also been compromised. However, since all of my passwords are unique, all I needed to do was update the password for that particular site.
Have I Been Pwned maintains a separate database for passwords. On their site, it is not possible to correlate email addresses with passwords, for obvious reasons. If you search for your password and come across it in the list, it does not necessarily indicate that the password originated from one of your accounts. Due to the existence of 10 billion breached accounts, there are bound to be duplicate entries. The intriguing aspect is that you will be informed about the popularity of that password. You may have assumed that your passwords were unique, but that is likely not the case.
But regardless of whether the password in the database originated from one of your accounts or not, if it is found on the Have I Been Pwned website, it will be present in password lists utilized by the attack software of threat actors. The complexity or secrecy of your password does not matter. If it is included in these password lists, it cannot be deemed trustworthy - therefore, it is crucial to change it immediately.
Variations of Password-Guessing Attacks
Even with simple dictionary attacks, attackers can conduct basic research to streamline their efforts.
By signing up or partially signing up on the target site, they can access the password complexity rules. For instance, if the minimum password length is eight characters, the attacker can configure their software to start with eight-character strings. Instead of wasting time on shorter strings (four, five, six, and seven characters), they can exclude them from their software's options if disallowed characters are present.
List-based attacks refer to various types of attacks that exploit a predefined list of passwords or combinations. However, it is important to note that a traditional brute-force attack does not fall under the category of list-based attacks. In a traditional brute-force attack, a specifically designed software generates a series of progressively longer strings of letters, numbers, punctuation, and symbols. Each generated string is then attempted as a password on the targeted account. If the generated string matches the actual password, the account is successfully compromised.
Dictionary Attack: A specialized software program is used to systematically test each word from a dictionary word list as the password for the targeted account. This method allows for modifications to be made to the dictionary words, such as adding or substituting digits.
Password Look-Up Attack: This attack method is comparable to a dictionary attack, but instead of using dictionary words, it leverages a massive collection of real passwords obtained from data breaches. Automated software scans through the list and tests each password one by one.
Intelligent Password Lookup Attack: In addition to attempting the "naked" password, this attack tests various transformations of each password, replicating commonly employed password tricks like substituting vowels with digits.
API Attack: In contrast to attempting to crack a user's account, these attacks employ software to create sequences of characters with the aim of finding a match with a user's key for an Application Programming Interface. If successful in gaining access to the API, the attackers can potentially exploit it to extract sensitive information or intellectual property.
A Word About Passwords
To ensure the security of your accounts, it is crucial to have strong and unique passwords that cannot be easily guessed or linked to you, such as your children's names. One effective approach is to use passphrases instead of passwords. A powerful password template involves combining three unrelated words with some punctuation. Surprisingly, passphrases often incorporate dictionary words, even though we have always been advised against using them in passwords. However, this combination poses a significant challenge for attackers trying to crack the password using specialized software.
We can use the How Secure Is my Password website to test the strength of our passwords.
cloudsavvyit: Estimated time to crack: three weeks.
cl0uds4vvy1t: Estimated time to crack: three years.
thirty.feather.girder: Estimated time to crack: 41 quadrillion years!
Please adhere to the golden rule: passwords should always be used exclusively for one system or website and never be reused. If you utilize the same password across multiple systems and one of them is compromised, all the other sites and systems where that password was used are in jeopardy. Remember, even if your password is incredibly strong and difficult to crack, it becomes irrelevant if it is already listed in the threat actors' password catalogue. If you struggle to remember numerous passwords, consider utilizing a password manager.
How to Protect Against Brute-Force Attacks
Implementing a layered defensive strategy is crucial. While no individual defensive measure can guarantee complete immunity against dictionary attacks, you can significantly decrease your vulnerability to such attacks by adopting multiple complementary measures.
Please ensure that multi-factor authentication is enabled whenever feasible. This adds an additional layer of security by involving a physical item possessed by the user, such as a cell phone, USB key, or fob. The authentication process incorporates data sent to a phone application or stored in the fob or USB key. Relying solely on a user ID and password is inadequate for system access.
Always utilize strong and unique passwords or passphrases while securely storing them in encrypted form.
Develop and implement a comprehensive password policy that regulates the usage, safeguarding, and appropriate creation of passwords. Ensure its mandatory compliance by communicating and enforcing it among all employees.
Enforce a strict limit on the number of login attempts. Utilize either an account lockout mechanism after a specified number of unsuccessful attempts or a combination of account lockout and mandatory password change.
Consider implementing captchas or other forms of image-based authentication as an additional security measure. These measures are specifically designed to deter bots and password-cracking software, as they require human interpretation of the displayed images.
Another option to enhance password security is to utilize a password manager. This tool can generate highly complex passwords on your behalf and conveniently store them, associating each password with the corresponding account. By adopting a password manager, you can effortlessly maintain robust and distinct passwords for all your accounts, ensuring optimal security.
