Talk:Dictionary attack

From Wikipedia, the free encyclopedia
Jump to: navigation, search


decoller le culot

There is a practice often use in non-english speaker to avoid dictionary attack; as many applications take ASCII as an input, one would simply "see" keyboard in non-english layout and type in non-english "dictionary" word on English keyboard. for example, word "love" translate in Thai would be "ความรัก", by type in Thai word with american keyboard layout, one's password would be "8;k,iyd"

Should this informaiton be included in the article? Currently the article said "Dictionaries for most human languages (even those no longer used) are easily accessible on the Internet, meaning even the use of foreign words is practically useless in preventing dictionary attacks." It leads reader to the believe that dictionary attack is always possible if user use "dictionary" word in any language.underexpose 06:05, 13 July 2006 (UTC)

Was it the German word eins or the string eins that the Enigma researchers fixed on? The word means "one" or "one thing", but the string is in many many German words. Ortolan88

The impression I received from British accounts was that the word was most important. GABaker

Yes, it was the word eins that was so very important. This is because the Enigma machine didn't have numerals on the keyboard, so all numbers had to be spelled out. Throbbing_Monster_Cock

I've just noticed the claim about eins as a crib used at BP against Enigma traffic. While every credible reference I've seen on BP/Enigma has mentioned this and so it's certainly worth mentioning, I have another thought altogether. Is this an instance of a dictionary attack at all?

At first thought (subject to revision on second thought), a dictionary attack is the repeated trying of possibilities by running through some previously prepared list (unreleated except accidentally by the choice of some user (a password, etc)) against some needed access value (eg, an encrypted password). Thus, with origninal Unix password files, the encrypted password+salt is stored in clear, and 'everyone' knows the encryption technique, so all depends (in accordance with Shannon's Maxim that the enemy knows the system) on the secrecy of the password. If that word is in some list (eg, a dictionary), then each item in the list can be tried in turn.

That's not what's happening in the eins case. Is this a dictionary attack? ww 14:37, 1 May 2004 (UTC)

I think it's a "probable word" attack, rather than a dictionary attack. — Matt 09:58, 2 May 2004 (UTC)
Matt, Agreed. It's a variant of known plaintext attack. ww 16:57, 2 May 2004 (UTC)

Pre-computed dictionary attack[edit]

Clarification needed: the sentence, 'This requires a considerable amount of preparation time, but makes the actual attack almost instantaneous,' does not agree with the earlier statement, 'the effect of a dictionary attack can be greatly reduced by limiting the number of authentication attempts that can be performed each minute, and even blocking further attempts after a threshold of failed authentication attempts is reached'.

If a 'small' number of attempts can be made in a given time interval, or a limited number of attempts can be made before further attempts are blocked, at least one of which is standard practice in most logon situations, it is not also possible for the actual attack to be 'almost instantaneous'. Some qualification is required about the circumstances in which a pre-computed dictionary attack adds any value to the attacker.

hacking passwords[edit]

Facebook morgan moses

Morganlee1185 (talk) 03:19, 8 December 2015 (UTC)


We should, at some point, link to some wordlists which can be used for security auditory purposes.-- Roc VallèsTalk|Hist - 09:03, 27 October 2006 (UTC)

Leet Speak and Passphrases[edit]

How does the use of leet speak, such as using p4s50rd for password affect dictionary attacks? I've seen assertions that it doesn't help, but no citations. Also, are passphrases harder to crack than passwords and if so, is it the size of the phrase important? JDZeff (talk) 21:23, 13 November 2015 (UTC)

Confusion over Dictionary Attack vs Wordlist Attack[edit]

It is very unfortunate that 'dictionary attack' seems to have entered the common language to describe the usage of a word list. This obviously comes from the analogy with real-world dictionaries, which are indeed word lists.

However, in the original sense (the one employed in the expression 'pre-computed dictionary', and the one relevant in the context of time-memory tradeoffs, like M. Hellman's tradeoff, or P. Oechslin's rainbow tables), the 'dictionary' metaphor does not refer to the idea of listing meaningful words, but rather to the idea of organizing a set of mappings (from hash to cleartext) in an ordered way (in this case, ordered by hash) so that it is possible to lookup an entry very quickly (O(log n)) even if the dictionary is enormous. This is a completely different concept; in terms of reach, the precomputed dictionary offers the same coverage as a traditional bruteforce attack, only trading memory usage for attack speed.

If it was possible to chose, everyone should probably use 'wordlist attack' for the first concept and 'dictionary attack' for the second. It's a shame that a staggeringly amount of online resources do not seem to understand the difference between these two techniques. (talk) 09:33, 16 June 2017 (UTC)