This MedLibrary.org supplementary page on Dictionary attack is provided directly from the open source Wikipedia as a service to our readers. Please see the note below on authorship of this content, as well as the Wikipedia usage guidelines. To search for other content from our encyclopedia supplement, please use the form below:
Related Sponsors
In cryptanalysis and computer security, a dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by searching likely possibilities. In contrast with a brute force attack, where a large proportion key space is searched systematically, a dictionary attack tries only those possibilities which are most likely to succeed, typically derived from a list of words in a dictionary. Generally, dictionary attacks succeed because many people have a tendency to choose passwords which are short (7 characters or fewer), single words in a dictionary, or are simple variations that are easy to predict, such as appending a single digit to a word.
Contents |
Use
Dictionary attacks may be applied in two main situations:
- in cryptanalysis, in trying to determine the decryption key for a given piece of ciphertext;
- in computer security, in trying to circumvent an authentication mechanism for accessing a computer system by guessing passwords.
In the latter case, the effect of a dictionary attack can be greatly reduced by limiting the number of authentication attempts that can be performed each minute, and even blocking further attempts after a threshold of failed authentication attempts is reached. Generally, 6 attempts is considered sufficient to cope with mistakes made by legitimate users; beyond that, one can safely assume that the user is a malicious attacker.
However many systems store a hashed version of the password and make it available under certain circumstances, such as a challenge-response authentication exchange between two parties. If an attacker can obtain the hashed password, they can test guessed passwords rapidly, often at a rate of tens or hundreds of millions of guesses per second. [1] The rate of guessing can be sharply reduced by using a key derivation function that is computationally intensive, such as PBKDF2. Since users often choose easily guessed passwords, this has historically succeeded more than 2 times out of 10 when a reasonably large list is used. Lists of commonly selected passwords are widely available on the Internet as are dictionaries for most human languages (even those no longer used), meaning even the use of foreign words has limited value in preventing dictionary attacks.
Spammers often use a form of dictionary attack, sometimes known as a Directory Harvest Attack, for e-mail address harvesting. For example, a spammer may try sending messages to adam@example.com, barbara@example.com, carl@example.com, etc. Any addresses to which messages are delivered, as opposed to being bounced back, can be added to the spammer's list of known-valid addresses.
Clifford Stoll's book, The Cuckoo's Egg, contains an account of a dictionary attack against the encrypted passwords kept in the passwd file on Unix systems, and of the reaction to the successful attack by the man (Robert Morris) who invented the one-way encryption system used for login passwords.
Pre-computed dictionary attack
It is possible to achieve a time-space tradeoff through precomputation by encrypting and storing a list of encrypted dictionary words, sorted by the encrypted value. This requires a considerable amount of preparation time, but makes the actual attack almost instantaneous. The storage requirements for the pre-computed tables were once a major cost, but are less of an issue today due to the rapid improvements in hard drive technology. Pre-computed dictionary attack are particularly effective when a large number of passwords are to be cracked at once. A more refined approach involves the use of "rainbow tables." Salting is a technique that forces the encrypted dictionary to be recomputed for each password sought, potentially making precomputation infeasable, provided the salt is large enough.
See also
- Brute force attack
- Password cracking
- Password strength
- Rainbow table
- Key derivation function
- Key strengthening
- E-mail address harvesting
Examples
Well known examples of dictionary attack software tools:
- Crack by Alec Muffett
- John the Ripper
- L0phtCrack
- Cain
External links
- US Secret Service use a distributed dictionary attack on suspect's password protecting encryption keys
- Full dictionaries (in .txt format) in 16 languages (af, cr, cz, dk, nl, en, fi, fr, de, ir, it, la, no, pl, sp, se)
- Library with several Dictionaries
Wikipedia content modification information:
- This page was last modified on 2 November 2008, at 16:25.
Wikipedia Authorship and Review
Wikipedia content provided here is not reviewed directly by MedLibrary.org. Wikipedia content is authored by an open community of volunteers and is not produced by or in any way affiliated with MedLibrary.org.
Wikipedia Usage Guidelines
This article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia article on "Dictionary attack".
The URL for this specific entry is:
All Wikipedia text is available under the terms of the GNU Free Documentation License. (See Copyrights for details). Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc.