Dictionary attack

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

In cryptanalysis and computer security, a dictionary attack is a form of brute force attack technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by trying thousands or millions of likely possibilities, such as words in a dictionary or previously used passwords, often from lists obtained from past security breaches.


A dictionary attack is based on trying all the strings in a pre-arranged listing. Such attacks originally used words one would find in a dictionary (hence the phrase dictionary attack),[1] however there are now much larger lists available on the open Internet that contain hundreds of millions of passwords recovered from past data breaches.[2] There is also cracking software that can use such lists and produce common variations, such as substituting numbers for similar-looking letters. In contrast to a brute force attack, where a large proportion of the key space is searched systematically, a dictionary attack tries only those possibilities which are deemed most likely to succeed. Dictionary attacks often succeed because many people have a tendency to choose short passwords that are ordinary words or common passwords, or variants obtained, for example, by appending a digit or punctuation character. Dictionary attacks are difficult to defeat, since most common password creations techniques are covered by the available lists, combined with cracking software pattern generation. A safer approach is to randomly generate a long password (15 letters or more) or a multiword passphrase, using a password manager program or a manual method.

Pre-computed dictionary attack/Rainbow table attack[edit]

It is possible to achieve a time–space tradeoff by pre-computing a list of hashes of dictionary words, and storing these in a database using the hash as the key. This requires a considerable amount of preparation time, but allows the actual attack to be executed faster. The storage requirements for the pre-computed tables were once a major cost, but are less of an issue today because of the low cost of disk storage. Pre-computed dictionary attacks are particularly effective when a large number of passwords are to be cracked. The pre-computed dictionary need be generated only once, and when it is completed, password hashes can be looked up almost instantly at any time to find the corresponding password. A more refined approach involves the use of rainbow tables, which reduce storage requirements at the cost of slightly longer lookup-times. See LM hash for an example of an authentication system compromised by such an attack.

Pre-computed dictionary attacks, or "rainbow table attacks", can be thwarted by the use of salt, a technique that forces the hash dictionary to be recomputed for each password sought, making precomputation infeasible, provided the number of possible salt values is large enough.

Dictionary attack software[edit]

See also[edit]


  1. ^ Jeff Atwood. "Dictionary Attacks 101".
  2. ^ CrackStation's list. e.g., with over 1.4 billion words.

External links[edit]