Codepath

Dictionary Attack

A Dictionary Attack is a Brute Force Attack which prioritizes words in a dictionary over random combinations.

A Brute Force attack will guess all possibilities in a key space. But it does not have to try them in order. The first guess could start at "a" or start at "z". Nor do guesses need to be sequential. So which order should they choose?

Users prefer to choose passwords which use common words that are easy for them to remember. A password like "redapple" is more user friendly than "5#fB$2eP". Attackers know that this is human nature so they try guessing dictionary words first when performing Brute Force Attacks. This does not change the total time required to search the full key space, but in practice it can greatly reduce the actual time required to find the correct password.

A cracking "dictionary" is not just words from a dictionary like Webster's. It includes common password like "password1234", "qwerty", and "letmein". It includes inventive spellings and letter substitutions like "L33T5P34K" and "passw0rd". (Using numbers and symbols to replace letters is common and is referred to as "Leet-speak"). Password crackers know to include substitutions in their dictionaries.

Most importantly, a cracking dictionary includes millions of passwords which have been discovered from previous hacks, usually when a large database of credentials is stolen. These could include a password which the same user provided for access to another site, or it could just include passwords which many users share based on common personal or cultural tastes. For example, the password "ncc1701" sometimes shows up in these databases and may seem random at first. But to the many fans of Star Trek, it is the registry numbers for the USS Enterprise.

Fork me on GitHub