What is a password dictionary attack?
(Last updated on April 15, 2020)
A password dictionary attack is a brute-force hacking method used to break into a password-protected computer or server by systematically entering every word in a dictionary as a password. This attack method can also be employed as a means to find the key needed to decrypt encrypted files.
Dictionary words and their leetspeak derivatives (the same words with characters swapped for alphanumeric or non-alphanumeric look-alikes) are common entries, but the dictionary used in these attacks can also be a collection of previously leaked passwords or key phrases.
Who is at risk?
It is estimated that around 80% of people reuse their passwords across online platforms, including social media, personal banking, and even work-related systems. While this may seem like a good way to remember the passwords for important accounts, it actually leaves you vulnerable to a data breach.
No one understands this more than Facebook CEO, Mark Zuckerberg, who had his social media accounts compromised – including Twitter, where hackers tweeted from his account. The hackers revealed that the famous CEO’s password had been compromised in the LinkedIn data breach. His password for his LinkedIn account, dadada, was also used for his Twitter and other compromised social media accounts.
These types of attacks can have huge ramifications for your business. Dropbox suffered a breach in 2012 that stemmed from an employee using the same password for LinkedIn that they used for their corporate Dropbox account. Instead of some careless tweets from a hacker, this breach resulted in the theft of 60 million user credentials.
How to prevent a password dictionary attack?
The length of the password is an effective defense against brute-force attacks. The best strategy for creating a long password that is also memorable is to make it a passphrase. A passphrase is a sentence or phrase, with or without spaces, typically more than 20 characters long. The words making up a passphrase should be meaningless together, so that they cannot be guessed from what someone learns about you through social engineering. But a passphrase is only a good choice when it doesn’t appear on a list of leaked passwords.
Blacklisting these leaked passwords is an effective way to protect your organization from falling victim to a password dictionary attack. Cybersecurity expert Troy Hunt manages one of the largest collections of leaked passwords on his site HaveIBeenPwned where you can personally search to see if your credentials have ever been leaked.
Another critical measure to prevent a dictionary attack is to stop password reuse between different password-protected systems. User training can help educate on the importance of not reusing passwords. However, the only way to remove this possibility is to blacklist leaked passwords at password creation.
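The following is an added example, not code from the original article: a password-creation check that rejects any candidate found in a leaked-password blacklist (including leetspeak variants of blacklisted words, as described above) and otherwise enforces a passphrase-length minimum. The blacklist entries, the leetspeak map and the 20-character minimum are constructed assumptions for this illustration.

```python
import hashlib
from typing import Tuple

# Constructed sample of a leaked-password blacklist, stored as upper-case SHA-1
# hex digests (the form in which large breach corpora are commonly distributed).
# These entries are made up for this example.
LEAKED_PLAINTEXT = ["password", "dadada", "letmein", "qwerty123",
                    "correct horse battery staple"]
LEAKED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in LEAKED_PLAINTEXT}

# Common leetspeak substitutions an attacker's dictionary would also try, so a
# blacklisted word with characters swapped is still rejected (assumed mapping).
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})

# Assumed policy minimum, matching the article's "more than 20 characters" guidance.
MIN_PASSPHRASE_LEN = 20


def normalize(password: str) -> str:
    """Lower-case the candidate and undo leetspeak so variants collapse to the base word."""
    return password.lower().translate(LEET_MAP)


def is_leaked(password: str) -> bool:
    """True if the password, or its de-leeted base form, appears in the leaked list."""
    for candidate in (password, normalize(password)):
        digest = hashlib.sha1(candidate.encode()).hexdigest().upper()
        if digest in LEAKED_SHA1:
            return True
    return False


def check_new_password(password: str) -> Tuple[bool, str]:
    """Policy check at password creation: reject leaked values first, then enforce length."""
    if is_leaked(password):
        return False, "rejected: appears in a leaked-password list"
    if len(password) < MIN_PASSPHRASE_LEN:
        return False, f"rejected: shorter than {MIN_PASSPHRASE_LEN} characters; use a passphrase"
    return True, "accepted"


if __name__ == "__main__":
    for pw in ["dadada", "P@ssw0rd", "Tr0ub4dor&3",
               "correct horse battery staple", "purple tractor whistles at dawn"]:
        print(pw, "->", check_new_password(pw)[1])
```

Note that a long passphrase is still rejected when it is on the leaked list, which is the ordering the article recommends: check the blacklist first, then length.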