
What is a password dictionary attack and how do password dictionary attacks exploit weak passwords
Imagine using the exact same lock and key for your front door as millions of other people. That’s the reality of using weak or common passwords. In this blog, we’ll explore how weak passwords are exploited via password dictionary attacks: a brute-force hacking method used to break into a password-protected computer or server by systematically entering every word in a dictionary.
While using words in the dictionary, as well as any derivatives of those words known as leetspeak (character replacement with alphanumeric and non-alphanumeric characters) is common, the dictionary in these types of attacks can also be a collection of previously leaked passwords or key phrases. This method can also be employed as a means to find the key needed to decrypt encrypted files.
We’ll break down the technical process, the tools involved, and the real-world implications. More importantly, we’ll share practical tips to fortify your organization’s defenses and keep your end users’ accounts secure.
What is a password dictionary attack?
A password dictionary attack is a method used by hackers to gain unauthorized access to user accounts by systematically trying a list of common passwords or words from a dictionary. The attacker uses a pre-defined list of potential passwords, which often includes commonly used words, phrases, and simple combinations.
The goal is to find a match for the user’s actual password, which can then be used to log in to the account. This type of attack is effective against weak or easily guessable passwords, which is why it’s important to use strong, unique passwords for all accounts.
Is it the same as a password spraying attack?
A password spraying attack takes a different approach. Instead of targeting a single account with many passwords, it targets multiple accounts with a single, commonly used password. The attacker tries a few common passwords (like “123456” or “password”) across a large number of accounts. This method is designed to avoid account lockout mechanisms, which typically lock an account after a certain number of failed login attempts. By spreading the attempts across many accounts, the attacker reduces the risk of triggering these security measures.
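The difference between the two attacks is visible in the failed-login pattern a defender sees, which is why per-account lockout alone does not catch spraying. The following added example (not part of the original article) classifies a constructed set of failed-login events by source IP: many failures against one account is the dictionary-attack signature, one or two failures each across many accounts in a short window is the spraying signature. The events, IPs, thresholds and window are all illustrative assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed failed-login events (timestamp, source IP, account). Not real log data.
FAILED_LOGINS = [
    # One attempt per account from the same source: the spraying pattern.
    ("2025-01-15T09:00:01", "203.0.113.7", "alice"),
    ("2025-01-15T09:00:03", "203.0.113.7", "bob"),
    ("2025-01-15T09:00:05", "203.0.113.7", "carol"),
    ("2025-01-15T09:00:07", "203.0.113.7", "dave"),
    ("2025-01-15T09:00:09", "203.0.113.7", "erin"),
    ("2025-01-15T09:00:11", "203.0.113.7", "frank"),
    # Repeated attempts against a single account: the dictionary-attack pattern.
    ("2025-01-15T09:01:00", "198.51.100.9", "carol"),
    ("2025-01-15T09:01:02", "198.51.100.9", "carol"),
    ("2025-01-15T09:01:04", "198.51.100.9", "carol"),
    ("2025-01-15T09:01:06", "198.51.100.9", "carol"),
    ("2025-01-15T09:01:08", "198.51.100.9", "carol"),
    ("2025-01-15T09:01:10", "198.51.100.9", "carol"),
    # A user mistyping twice: benign noise.
    ("2025-01-15T09:05:00", "192.0.2.5", "dave"),
    ("2025-01-15T09:05:20", "192.0.2.5", "dave"),
    # Outside the analysis window, so ignored below.
    ("2025-01-15T11:30:00", "203.0.113.7", "grace"),
]


def parse(events):
    """Turn ISO timestamps into datetime objects; IP and account pass through unchanged."""
    return [(datetime.fromisoformat(ts), ip, user) for ts, ip, user in events]


def summarize_by_source(events, window_start, window=timedelta(minutes=10)):
    """Per source IP inside [window_start, window_start + window): distinct accounts,
    the highest failure count against any single account, and the total."""
    start = datetime.fromisoformat(window_start)
    end = start + window
    per_ip = defaultdict(Counter)
    for ts, ip, user in parse(events):
        if start <= ts < end:
            per_ip[ip][user] += 1
    return {
        ip: {"accounts": len(c), "max_per_account": max(c.values()), "total": sum(c.values())}
        for ip, c in per_ip.items()
    }


def classify_sources(events, window_start, window=timedelta(minutes=10),
                     spray_min_accounts=5, dict_min_attempts=5):
    """Label each source IP. Thresholds are assumptions; tune them to your environment."""
    labels = {}
    for ip, s in summarize_by_source(events, window_start, window).items():
        if s["max_per_account"] >= dict_min_attempts:
            labels[ip] = "dictionary_attack"          # one account, many guesses
        elif s["accounts"] >= spray_min_accounts and s["max_per_account"] <= 2:
            labels[ip] = "password_spraying"          # many accounts, few guesses each
        else:
            labels[ip] = "unclassified"
    return labels


if __name__ == "__main__":
    for ip, label in classify_sources(FAILED_LOGINS, "2025-01-15T09:00:00").items():
        print(f"{ip:>14}  {label}")
```

The spraying source never trips a per-account lockout threshold (one failure per account), so the detection has to pivot on the source and the time window rather than on the account. In practice the same logic runs over authentication logs from your identity provider or domain controllers, and the source key may be a session or user-agent fingerprint rather than a bare IP when attackers rotate addresses.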
What’s an xkcd password dictionary attack?
An “xkcd password” refers to a type of password that is composed of multiple common words strung together, inspired by a famous xkcd comic. The comic suggests that a passphrase like “correct horse battery staple” is both easy to remember and more secure than a complex, shorter password like “Tr0ub4dor&3.”
An xkcd password dictionary attack is a specific type of dictionary attack that targets these multi-word passphrases. The attack tool generates combinations of these words to create potential passphrases. For example, it might try “correct horse battery staple,” “battery horse correct staple,” and so on.
How do dictionary attacks work?
From a hacker’s perspective, the process involves several steps. First, the hacker compiles a list of potential passwords, which can be sourced from previous data breaches, common password lists, and other publicly available resources. This list is then used in a dictionary attack, where an automated tool systematically tries each password in the list against a target account or system.
The goal is to find a match that grants access. Because many users reuse passwords or choose simple, easily guessable ones, this method can be highly effective. If a password in the dictionary matches the user’s actual password, the hacker gains access, potentially leading to further breaches and security compromises.
Hybrid password attacks
Hybrid password attacks combine the efficiency of dictionary attacks with the thoroughness of brute force attacks to increase the chances of successfully cracking a password. Here’s how they work:
- Dictionary component: The attack starts with a list of common passwords, words, and phrases, similar to a dictionary attack. This list is often compiled from known weak passwords, common words, and phrases, as well as previously leaked passwords from data breaches.
- Brute force component: Once the dictionary attack is underway, the attacker also uses brute force techniques to try variations of the words in the dictionary. This can include:
  - Adding numbers and special characters: Appending or prepending numbers and special characters to dictionary words (e.g., “password123,” “letmein!”).
  - Capitalization variations: Trying different capitalization patterns (e.g., “Password,” “pASSWORD,” “PaSsWoRd”).
  - Common substitutions: Replacing letters with numbers or symbols (e.g., “p@ssw0rd,” “l3tme1n”).
- Combination of words: The attacker may also try combinations of words from the dictionary, such as “password1234” or “letmein2023.”
- Pattern recognition: The attack can include common patterns and sequences, such as “12345678” or “qwertyuiop.”
- Custom dictionaries: Attackers may create custom dictionaries based on specific information about the target, such as their name, birthdate, or interests.
Are hashed passwords still vulnerable?
Yes, hashed passwords can still be vulnerable to password dictionary attacks, especially if the hashing process is not robust or if the passwords themselves are weak. When a password is hashed with a cryptographic hash function such as SHA-256, it is transformed into a fixed-length string of characters. The idea is that the hash function is one-way, meaning it is computationally infeasible to reverse the hash back to the original password. However, if an attacker gains access to the hashed passwords, they can still hash each dictionary word and compare the results, so the dictionary attack works against the hashes just as it would against the login form.
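The reason a fast, unsalted hash gives so little protection is that one precomputed table of hashed dictionary words serves every account in the store. The following added example (not code from the original article) builds two constructed credential stores from the same three accounts, one with bare SHA-256 and one with a per-user salt and PBKDF2-HMAC-SHA256, and runs the same defensive audit (does any account use a word from a breach list?) against both. The word list, account names and plaintexts are constructed for the demo; the iteration count is deliberately low to keep it quick.

```python
import hashlib
import hmac
import os

# Constructed dictionary standing in for a breach-derived wordlist (illustrative entries only).
WORDLIST = ["123456", "password", "letmein", "qwerty", "welcome1", "correct horse battery staple"]

# Constructed plaintexts used only to build the demo stores; a real audit never has these.
PLAINTEXTS = {"alice": "letmein", "bob": "Vq8#tL2!zRw4pN", "carol": "qwerty"}


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


# Store 1: unsalted SHA-256, the weak scheme described in the text.
UNSALTED_STORE = {user: sha256_hex(pw) for user, pw in PLAINTEXTS.items()}


def audit_unsalted_sha256(store, wordlist):
    """One table of hash -> word, computed once, checks every account with a single lookup."""
    table = {sha256_hex(w): w for w in wordlist}
    return {user: table[h] for user, h in store.items() if h in table}


# Store 2: per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
# 100_000 iterations keeps the demo fast; production guidance is several times higher.
DEMO_ITERATIONS = 100_000


def pbkdf2_record(password, iterations=DEMO_ITERATIONS):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


SALTED_STORE = {user: pbkdf2_record(pw) for user, pw in PLAINTEXTS.items()}


def audit_salted_pbkdf2(store, wordlist):
    """No shared table is possible: every word has to be re-derived per user with that user's salt."""
    hits = {}
    for user, rec in store.items():
        for word in wordlist:
            guess = hashlib.pbkdf2_hmac("sha256", word.encode(), rec["salt"], rec["iterations"])
            if hmac.compare_digest(guess, rec["hash"]):
                hits[user] = word
                break
    return hits


def kdf_work_factor(store, wordlist):
    """HMAC-SHA256 invocations an exhaustive check of the whole store costs under each scheme."""
    salted = sum(rec["iterations"] for rec in store.values()) * len(wordlist)
    return {"unsalted_sha256": len(wordlist), "salted_pbkdf2": salted}


if __name__ == "__main__":
    print("unsalted SHA-256 hits:", audit_unsalted_sha256(UNSALTED_STORE, WORDLIST))
    print("salted PBKDF2 hits:   ", audit_salted_pbkdf2(SALTED_STORE, WORDLIST))
    print("work factor:          ", kdf_work_factor(SALTED_STORE, WORDLIST))
```

Both audits find the same two weak accounts, because salting and stretching do not make a dictionary word strong; they only multiply the cost per guess and per account. That is why the storage scheme and the exclusion list at password creation are complementary controls rather than alternatives.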
Why do hackers like to use password dictionaries?
Hackers use password dictionary attacks for several reasons:
- Ease of execution: Dictionary attacks are relatively simple to carry out. They require minimal technical expertise and can be automated using readily available tools.
- High success rate: Many users still use common, easily guessable passwords. By using a list of the most commonly used passwords, hackers can often gain access to a significant number of accounts.
- Speed: Automated tools can quickly cycle through a large list of passwords, making it a fast method for trying multiple guesses.
- Low risk: Dictionary attacks are less likely to trigger security alerts compared to more complex attacks, such as brute force attacks, which involve trying every possible combination of characters.
- Resource efficiency: Using a dictionary of common passwords is more efficient than trying every possible combination, which can be computationally expensive and time-consuming.
By using these advantages, hackers can efficiently and effectively compromise user accounts, gaining access to sensitive information, financial data, and other valuable resources.
Real-life password dictionary attack examples
1. Yahoo data breach (2013-2014)
One of the largest data breaches in history, the Yahoo breach exposed the personal information of all 3 billion user accounts. Attackers used a combination of techniques, including password dictionary attacks, to gain access to user accounts. The breach included the theft of user names, email addresses, phone numbers, and passwords.
2. LinkedIn data breach (2012)
In 2012, LinkedIn suffered a massive data breach that exposed the login credentials of over 167 million users. The attackers used a password dictionary to crack the hashed passwords, leading to widespread account compromises. This breach highlighted the importance of using strong, unique passwords and the risks of reusing passwords across multiple sites.
3. Adobe data breach (2013)
In 2013, Adobe Systems experienced a significant data breach that compromised the personal information of approximately 38 million users. The attackers used a password dictionary to crack the encrypted passwords, gaining access to user accounts. This breach also underscored the need for better password storage practices, such as using strong hashing algorithms.
Which passwords are most at risk?
Passwords that are most at risk of being cracked in a dictionary attack include:
- Common words: Simple, everyday words that are found in breached password dictionaries, such as “password,” “123456,” “qwerty,” and “letmein.”
- Personal information: Passwords that include easily guessable personal information, such as names, birthdates, or anniversaries.
- Sequential or repeating characters: Passwords that use sequential characters (like “12345678”) or repeating characters (like “aaaaaa”).
- Short passwords: Shorter passwords are generally easier to crack because they have fewer possible combinations.
- Common patterns: Passwords that follow common patterns, such as keyboard walks like “qwerty.”
- Default passwords: Default or temporary passwords that come with devices or software, which are often left unchanged by users.
- Previously leaked passwords: Passwords that have been exposed in previous data breaches and are now part of publicly available lists.
Password reuse
It’s estimated that around 80% of people re-use their passwords across online platforms including social media, personal banking, and even work-related systems. While this may seem like a good way to help remember your passwords for important accounts, it is actually leaving you vulnerable to a data breach.
Password reuse significantly increases the risk of dictionary attacks because it allows attackers to leverage a single compromised password to gain access to multiple accounts. When users reuse the same password across different websites and applications, a breach in one system can expose the password, which can then be used to attempt logins on other systems.
No one understands this more than Facebook CEO, Mark Zuckerberg, who had his social media accounts compromised – including Twitter, where hackers tweeted from his account. The hackers revealed that the famous CEO’s password had been compromised in the LinkedIn data breach. His password for his LinkedIn account, dadada, was also used for his Twitter and other compromised social media accounts.
How can organizations prevent password dictionary attacks?
Organizations can take several proactive and reactive measures to protect against password dictionary attacks. Here are some effective strategies:
- Enforce strong passwords:
  - The length of the password is an effective defense against brute-force attacks. The best strategy for creating a long password that is also memorable is to make it a passphrase. A passphrase is a sentence or phrase, with or without spaces, typically more than 20 characters long. The words making up a passphrase should be meaningless together to make them less susceptible to social engineering. But a passphrase is only a good choice when it doesn’t appear on a list of leaked passwords.
- Password managers:
  - Encourage the use of password managers to help users generate and store complex, unique passwords for different accounts.
- Multi-factor authentication (MFA):
  - Implement MFA to add an extra layer of security. Even if a password is compromised, the attacker would need the second factor (e.g., a code sent to a mobile device) to gain access.
- Custom password exclusion lists:
  - Maintain and enforce your own password dictionary of common, weak, and previously breached passwords to prevent their use. These can be customized to include words specific to your own industry and organization – there’s a guide here on how to create a custom dictionary with ChatGPT.
- User education:
  - Provide regular training and awareness programs to educate employees about the importance of strong passwords and the risks of weak passwords. User training can help educate on the importance of not reusing passwords. However, the only way to remove this possibility is to block leaked passwords at password creation.
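An exclusion list is only as good as the check that applies it: the hybrid-attack section above shows that attackers append digits, change case and substitute characters, so a check that compares the literal string to the list would wave “P@ssw0rd123!” through. The following added example (not the article's or Specops' code) is a password-creation check that enforces the passphrase length rule, reverses those common mutations before consulting the exclusion list, and flags keyboard walks and repeated characters. The exclusion entries, the fictitious organization name “acmecorp”, the substitution table and the thresholds are constructed assumptions; a real deployment would load the list from a breached-password source.

```python
import re

# Constructed exclusion list: common passwords, an organization-specific word, and a
# well-known passphrase that appears in breach lists. Illustrative entries only.
EXCLUSION_LIST = {
    "password", "letmein", "qwerty", "welcome", "summer", "dadada",
    "acmecorp", "correct horse battery staple",
}

# Reverse the substitutions a hybrid attack would try ("p@ssw0rd" -> "password").
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "0": "o",
                          "$": "s", "5": "s", "7": "t"})

# Digits and punctuation commonly prepended or appended ("password123!", "2024welcome").
# '@' and '$' are deliberately excluded from this class because they may stand for letters.
EDGE_JUNK = re.compile(r"^[0-9!?.#*_&%^()\-]+|[0-9!?.#*_&%^()\-]+$")

# Any 4-character run from one of these counts as a keyboard walk or sequence.
KEYBOARD_WALKS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def candidate_cores(password):
    """Return the plausible base words an attacker's mutation rules would derive this password from."""
    lowered = password.lower()
    stripped = EDGE_JUNK.sub("", lowered)
    return {lowered, stripped, stripped.translate(LEET_MAP)} - {""}


def check_password(password, exclusion_list=EXCLUSION_LIST, min_length=20):
    """Return the reasons to reject the password; an empty list means it is acceptable."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    lowered = password.lower()
    if lowered in exclusion_list:
        reasons.append("appears in exclusion list")
    elif candidate_cores(password) & exclusion_list:
        reasons.append("trivial variant of an excluded word")
    if re.search(r"(.)\1{2,}", lowered):
        reasons.append("repeated characters")
    if any(walk[i:i + 4] in lowered
           for walk in KEYBOARD_WALKS for i in range(len(walk) - 3)):
        reasons.append("keyboard walk or sequence")
    return reasons


if __name__ == "__main__":
    for candidate in ("P@ssw0rd123!", "$ummer2024", "correct horse battery staple",
                      "purple tractor whispers to seventeen clouds"):
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

Note that the famous passphrase is rejected despite its length, because it is on the list: length rules and exclusion lists are enforced together, exactly as the passphrase advice above requires. The normalization is intentionally simple; it catches the mutations listed in the hybrid-attack section without trying to reproduce a full rule engine.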

Stop users choosing weak and compromised passwords
Blocking compromised passwords is the most effective way to protect your organization from falling victim to a password dictionary attack. Specops Password Policy continuously scans your Active Directory against our growing database of over four billion unique compromised passwords. If an end user is found to be using a breached password that could appear in a hacker’s password dictionary, they’re alerted and instructed to change passwords. Try Specops Password Policy for free.
(Last updated on January 15, 2025)