A common dictionary attack uses a list of words to guess the passwords for user accounts. It’s a simple tactic to understand, but much harder to mitigate.
It all stems back to bad password choices
The Oxford English Dictionary defines a dictionary attack as “an attempt to gain illicit access to a computer system by using an extensive set of words to generate potential passwords.”
People are predictable when it comes to the passwords they pick. They want short passwords consisting of common words or phrases. Dictionary words.
In most dictionary attacks, frequently used words are prioritized. And simple variants using numbers or symbols, such as “p@ssw0rd”, are easily guessed by the attack mechanism as well.
Never be predictable
Weak passwords are the Achilles' heel of any system. Site managers MUST analyze the passwords that members sign up with and identify any that pose a risk, for example passwords leaked in a previous data breach.
And it doesn’t matter who a breached password belongs to. If anybody uses it to sign in or register on your site, that account is instantly at risk.
Users should never be allowed to select dictionary words as passwords that fit into the context of the site. For example, with an app like Instagram, passwords like “Instagram,” “amillionhashtags” or “ph0tography” are prime targets.
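The checks described above, that is rejecting breached passwords, simple leet variants like “p@ssw0rd”, and site-context words, can be enforced at registration time. The following is an added example, not code from the original article; the breach list, the site-context words and the 12-character minimum are constructed assumptions for a photo-sharing app.

```python
import re

# Constructed stand-in for a breached-password corpus. A real deployment would
# query a full breach dataset (or a k-anonymity lookup service) instead.
BREACHED = {"password", "123456", "qwerty", "letmein", "admin"}

# Assumed site-context words for a photo-sharing app; ordered so the reported
# reason is deterministic.
SITE_CONTEXT = ("instagram", "photography", "amillionhashtags")

# Symbol/digit substitutions that dictionary-attack rule sets undo; we undo them
# too, so "p@ssw0rd" is judged as "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "$": "s", "7": "t", "!": "i"})

MIN_LENGTH = 12  # assumed policy value, not from the article


def normalize(password: str) -> str:
    """Lower-case, drop trailing digits/symbols (e.g. '2024!'), undo leet."""
    p = password.lower()
    p = re.sub(r"[^a-z]+$", "", p)
    return p.translate(LEET)


def check_password(password: str, site_words=SITE_CONTEXT, breached=BREACHED):
    """Return (ok, reason) for a candidate password.

    Rejects, in order: passwords (raw or normalized) found in the breach
    corpus, passwords containing a site-context word, and short passwords.
    """
    norm = normalize(password)
    if password.lower() in breached or norm in breached:
        return False, "appears in breach corpus"
    for word in site_words:
        if word in norm:
            return False, f"contains site-context word '{word}'"
    if len(password) < MIN_LENGTH:
        return False, "too short"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("p@ssw0rd", "Instagram2024!", "ph0tography",
                      "Tr0ub4dor&3", "correct-horse-battery-staple"):
        print(candidate, "->", check_password(candidate))
```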
Unbelievably, a vast number of administrative accounts have the username “admin” or “administrator.” And this could well be the case for passwords too.
Easy-to-guess usernames on accounts like these are very valuable to hackers since they have administrative privileges. Hackers can cause much more damage using an administrative account than with a regular user account.
Online or offline, nowhere is safe
There are two types of dictionary attacks, online and offline.
In an online attack, a hacker uses the same interface as a regular user to try to gain access to accounts. All the attacker needs is a curated list of likely passwords.
To perform an offline dictionary attack, hackers steal the password storage file from the target system. This is typically the Security Account Manager (SAM) file on Windows and the /etc/shadow file on Linux.
Hackers steal poorly protected password storage files in several ways. One method is to hack an administrative account with permission to access it.
But why would an attacker go through all this trouble when they can attack the system online? Because working offline eliminates all network-related limitations on password guessing.
Unlike an online dictionary attack, an offline attack leaves no trace on the target system after each guess. And offline dictionary attacks can work a lot faster and yield better results.
Even a password that is strong enough to combat an online dictionary attack might not be able to withstand its offline counterpart.